1. Post #161
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    Thanks for the support guys, I've removed the download links to TF2C and posted a blog post while we work things out. We are hoping to be able to get back up and online as soon as possible.

    Please take care and virus scan if you've joined the server or if you are paranoid at all.
    Deleting svchost.exe out of the game's directory isn't enough. It would likely drop files somewhere else. If anyone who knows for a fact that they had it could add me on Steam, I can verify whether it dropped somewhere else (extremely likely) and help clean it up. I can also analyze it (pls someone i'm bored give me something to do)

    Also, the IP 68.180.230.169 from 404's logs is a Yahoo crawler and 84.39.116.180 is likely a VPN.

  2. Post #162
    Dr. Kyuros
    June 2014
    3,003 Posts

  3. Post #163

    September 2015
    12 Posts
    I searched my directory but it's not there, before and after I uninstalled Source SDK

  4. Post #164
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    Might be virustotal hasn't updated their site yet to show that malwarebytes detects it, but anyway glad daniel & I could help ya.
    Scantime vs Runtime. It's much easier to get a file FUD on scantime than on runtime.

  5. Post #165
    Inkling Girl
    September 2015
    3 Posts
    Haskell has confirmed this is 404's work.

    Haskell posted:
    It's clearly 404's server hosting the server, you cannot "tie an IP address", you cannot "fake an IP address". CLEARLY the server is being hosted from the same server as his website, which is also hosted under 198.245.49.206:80.

    Unless a game exploit was discovered, which allows you to fake server information (still would not fake the IP), there is no way to truly fake IP information, as well as that, I was also able to ping the server from 198.245.49.206:27085

  6. Post #166
    Gold Member
    Digivee
    December 2010
    5,273 Posts
    I think it's pretty safe to assume it's not 404 that is responsible for this:
    " I am the owner of the dedicated server that the IP is tied to and I can assure everyone that no TF2C server has ever been installed on my dedicated server.

    The dedicated server runs Ubuntu 12.04 and TF2C does not have a proper way to set up a Linux-based server. If I were to want to run one, I'd have to install Wine and that Xvfb thing and jury-rig those two together to make things work.

    Somehow, someone has created a server hosted elsewhere and tied my dedi's IP address to it in some kind of silly effort to frame me for hacking a bunch of people."
    Sorry, but I'm having a hard time believing you can 'frame' an IP. Nothing is stopping him from running a virtual machine to make a server, additionally.

    To quote Haskell
    8:30 PM - dialtone: well he's bullshitting.
    8:30 PM - dialtone: the IP does not lie...
    8:30 PM - dialtone: 198.245.49.206 IS THE IP for the server
    8:30 PM - dialtone: and 198.245.49.206 IS THE IP for this website,
    8:31 PM - dialtone: thus concluding, they are hosted on the SAME SERVER!
    8:31 PM - dialtone: call that guy out big time.
    8:31 PM - dialtone: you can't "FRAME" an IP
    8:31 PM - dialtone: you can't "Tied a dedis IP address"

  7. Post #167
    Inkling Girl
    September 2015
    3 Posts
    Sorry, but I'm having a hard time believing you can 'frame' an IP. Nothing is stopping him from running a virtual machine to make a server, additionally.

    To quote Haskell
    you were ninja'd

  8. Post #168
    Dennab
    July 2013
    1,996 Posts
    So who the hell is responsible? 404 or RubberFruitFace?

  9. Post #169
    Gold Member
    Digivee
    December 2010
    5,273 Posts
    8:54 PM - dialtone: i know what exploit they used
    8:54 PM - dialtone: they used the .dll exploit of when you join a server, you download a .dll
    8:54 PM - dialtone: which is then ran as a module,
    8:54 PM - dialtone: i'll roll out a patch to TF2C
    8:55 PM - dialtone: let me clone github
    Edited:

    Apparently it's the same thing as what hit TF2 and GMOD a while back.

  10. Post #170
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    -snipping this part because invalid check update below-

    Theoretically, the person could drop a detected hack onto your computer and make it load and get you VAC'd which is why I said be careful. Malwarebytes will probably have it scantime detected soon (if not already) as it was submitted to Virustotal, but that doesn't mean the person couldn't refud it and update it on you so I would suggest anyone who had it keep a very close eye on your computer.

    Seeing that ESET detects the version posted here, I'd HIGHLY suggest you run the FREE ESET Scanner even if you think you're clean.
    http://www.eset.com/us/online-scanner/


    Still though, if anyone has a sample send it my way please.

    Edited:

    Sorry, but I'm having a hard time believing you can 'frame' an IP. Nothing is stopping him from running a virtual machine to make a server, additionally.

    To quote Haskell
    If you root the server you can. If 404 used a shitty SSH password bruting it is surprisingly easy.

  11. Post #171
    PhoenixLuigi
    August 2015
    30 Posts
    Who owns the Virus server?

  12. Post #172
    Gsilverleaf
    November 2014
    382 Posts
    From the tf2 classic website:
    Hi there everyone! Former dev 404 here. I just got home from work to find that someone created a rather nasty server using the IP address of my dedicated server, and hacked several Steam accounts as a result.

    At first I was confused, as I've not run a TF2C server from my dedi, nor have I installed Wine (as I later found out, Wine1.5 is preinstalled and I can't seem to uninstall it because it's a "virtual package").

    After checking my dedi's system logs, I discovered that someone had remotely run srcds.exe and Wine to launch a fraudulent TF2C server. I obtained two IP addresses from the logs; the first IP address being 68.180.230.169. It was used to try to run a ptrace which was denied. Shortly after, more ptraces and all the malicious activity was run from 84.39.116.180.

    I do apologize to anyone who was affected by this security breach, and I have checked in on the Facepunch thread and I did see the two Pastebin'd chat logs where some people conspired to "confront" me with the information they had found to try to get me to confess to this and give back the items that were stolen from their accounts.

    Sadly, I am not the person behind this, nor do I have your items. If I could get them back for you somehow, I would. Your best bet is to contact Valve. Again, I do apologize if you have been affected by this.

    This all seems to be some sort of plot to put more negative attention on me, despite me recently coming clean about my alcohol/substance issues, apologizing to the dev team of TF2C and showing my support for them despite my many alcohol and drug-influenced screw-ups during my time on the dev team.

    Some of you may be wondering what I plan to do about this breach in my security. Well, I've pastebin'd the log file and hit up AskUbuntu to find out how this all happened and how to prevent it from happening in the future.
    It's not 404, guys.

  13. Post #173
    Cpt. Cakes
    November 2014
    981 Posts
    Should I run the scanner? I haven't even launched up tf2c in the past 3 days and I pretty much only play on the 24/7 classic server when it has tons of people on it.

  14. Post #174
    Dr. Kyuros
    June 2014
    3,003 Posts
    Who owns the Virus server?
    If you haven't been paying attention for the last few pages: nobody knows.

    It's either 404, RubberFruitFace, or some random asswipe who thought it was real funny idea to fuck many people's lives and pin the blame on a guy who already has a rough, troubled past and doesn't even want to deal with this project anymore.

  15. Post #175
    Gold Member
    Digivee
    December 2010
    5,273 Posts

  16. Post #176
    _charon
    May 2013
    6,305 Posts
    If it was 404, he'd say so. No point in an attention grab if you're going to try to deflect attention.
    I feel really bad for him, that's an awful thing to do.

  17. Post #177
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    All right, started reversing it and found out it's not njRat but it's LuminosityLink. LL is generally considered the best RAT on all the skidforums at the moment.

    This means yes it installed on your computer. LuminosityLink defaults to dropping in C:/ProgramData inside a hidden folder. Anyone who was infected is probably still infected even if you uninstalled the SDK and deleted the file. If someone who was infected could add me on Steam it'd help as LL actually has decent virtualbox detection and it's not quite as simple as finding the terminate function in a debugger so this is gonna take longer than I originally thought.

    If anyone who was infected could add me on Steam it would help a ton.
    https://steamcommunity.com/id/NarryGewman/

    Also can someone who was infected pastebin me a DDS log?
    http://www.bleepingcomputer.com/download/dds/


    LL feature list just so you guys know:
    Luminosity Features:
    Incredibly Stable, Effective and Reliable!
    [+]Remote Desktop, Remote Webcam, and Client Manager
    [+]Fast Reverse SOCKS 5 Proxy
    [+]System Wide Ring3 Rootkit (x86 Processes) With Process Watchdog
    [+]Advanced Process, File, and Startup Persistence
    [+]Powerful Heuristic-Based Bot Killer (Anti-Malware)
    [+]Blacklist Software and Processes. Luminosity removes them!
    [+]SmartLogger (Logs all Keystrokes, - Specify certain programs to record separately)
    [+]Download Manager - Resume/Pause/Cancel Transfers, Proper File Queue, Organized well
    [+]File Grabber - Search for file on client, and queue it for download. Can search certain process directories and much more!
    [+]Google Chrome, FireFox, IE, Opera, Safari, FileZila, and Win Serial Key Recovery
    [+]Outlook (all versions), Windows Mail, Thunderbird, Yahoo Mail, and more Recovery
    [+]File Guard - Guard Executable Files (Other RATs, keyloggers, etc) - Takes care of Undetection, Persistence, and Startup!
    [+]Easy-to-Use Crypto Currency Miner - Injects miner files.
    [+]Website Visitor - 4 View Methods - Mute Audio
    [+]Client Info - Manage and Grab Info Regarding Clients
    [+]Torrent Seeder
    [+]Extensive On-Join Commands | Client ID/Version/Client Name |
    [+]HTTP Control - Send Commands via Webpage Encrypted
    [+]Remote Scripting (HTML/VBS/BATCH)
    [+]Block installation and use of any specified software
    [+]Tons more features...And more being added!

    Also it grabs all FTP info from Filezilla since filezilla uses plaintext so you should probably look into your servers being rip.

  18. Post #178
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    That video is from 2006 is this some kind of retro spambot?

    Also the sample I was given may or may not actually be it as it doesn't match in terms of hash so if anyone knows for a fact they have it can they send it my way?

  19. Post #179

    September 2015
    12 Posts
    All right, started reversing it and found out it's not njRat but it's LuminosityLink. LL is generally considered the best RAT on all the skidforums at the moment.

    This means yes it installed on your computer. LuminosityLink defaults to dropping in C:/ProgramData inside a hidden folder. Anyone who was infected is probably still infected even if you uninstalled the SDK and deleted the file. If someone who was infected could add me on Steam it'd help as LL actually has decent virtualbox detection and it's not quite as simple as finding the terminate function in a debugger so this is gonna take longer than I originally thought.

    If anyone who was infected could add me on Steam it would help a ton.
    https://steamcommunity.com/id/NarryGewman/

    Also can someone who was infected pastebin me a DDS log?
    http://www.bleepingcomputer.com/download/dds/


    LL feature list just so you guys know:

    Also it grabs all FTP info from Filezilla since filezilla uses plaintext so you should probably look into your servers being rip.
    How do we know we're infected? I can't tell if it installed those things or if I even have it.

  20. Post #180
    Horrible Username Connoisseur
    Pw0nageXD
    September 2009
    1,203 Posts
    How do we know we're infected? I can't tell if it installed those things or if I even have it.

    Run DDS and send me a PM with the logs. You can put them on pastebin and I can take a look for you
    http://www.bleepingcomputer.com/download/dds/

  21. Post #181
    The Mullock Project
    OneFourth
    June 2011
    3,057 Posts
    The 2.00 Beta Test is suspended until further notice.
    The RAT was administered through an exploit with the sv_upload function.

    All server owners are advised to immediately pull servers until a patch is released.
    If you would like to keep your server up, please change sv_upload to 0.
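    One way for a server owner to check a server.cfg for the upload switch the post above says to turn off, added here as an example; it is not code from the thread or from TF2C. The post writes the cvar as sv_upload while the standard Source cvar is sv_allowupload, so this script treats both names as the upload switch (an assumption), and the sample config is constructed.

```python
"""Audit a Source engine server.cfg for client-upload settings.

Added example. Assumption: both "sv_allowupload" (the Source cvar) and
"sv_upload" (the spelling used in the thread) are treated as the switch
that lets clients push custom content such as sprays to the server.
"""

# cvars that allow client uploads; the value "0" disables them
UPLOAD_CVARS = {"sv_allowupload", "sv_upload"}


def parse_cfg(text):
    """Return {cvar: value} for the last assignment of each cvar.

    Handles the usual server.cfg shape: one `name value` per line, optional
    quotes around the value, `//` comments. (A `//` inside a quoted value,
    e.g. a URL, would be cut off; that is a known limit of this parser.)
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts[0].lower(), parts[1].strip().strip('"')
        settings[name] = value
    return settings


def audit_uploads(text):
    """Return a list of findings as (cvar, value, message) tuples; empty means OK."""
    settings = parse_cfg(text)
    findings = []
    seen = False
    for cvar in sorted(UPLOAD_CVARS):
        if cvar in settings:
            seen = True
            value = settings[cvar]
            if value != "0":
                findings.append((cvar, value, "client uploads enabled; set to 0 until patched"))
    if not seen:
        # not set at all: the engine default applies, so make it explicit
        findings.append(("sv_allowupload", "<unset>", "not set explicitly; add sv_allowupload 0"))
    return findings


def harden(text):
    """Return the cfg text with every upload cvar forced to 0 (appended if absent)."""
    out = []
    present = set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0].lower() in UPLOAD_CVARS:
            present.add(parts[0].lower())
            out.append(f"{parts[0]} 0  // forced off: upload-based RAT delivery")
        else:
            out.append(raw)
    if "sv_allowupload" not in present:
        out.append("sv_allowupload 0  // added by audit")
    return "\n".join(out) + "\n"


# constructed sample config with uploads enabled under both spellings
SAMPLE_CFG = """\
hostname "24/7 Classic"   // constructed sample
sv_allowdownload 1
sv_allowupload "1"
sv_upload 1
"""

if __name__ == "__main__":
    for cvar, value, msg in audit_uploads(SAMPLE_CFG):
        print(f"{cvar} = {value}: {msg}")
    print(harden(SAMPLE_CFG))
```

    Run it against your real server.cfg by reading the file into `audit_uploads`; an empty finding list means both spellings are either absent (then the script tells you to add the explicit 0) or already off.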

  22. Post #182
    MiyuLynx
    December 2014
    24 Posts
    this whole situation is completely fucking ridiculous

  23. Post #183
    Cpt. Cakes
    November 2014
    981 Posts
    I joined one server that WAS NOT the server that had the virus to play a bit of deathmatch, should I scan my computer? By the way, I don't see a hidden file or folder where the source 2013 is installed, and where the virus normally installs.

    Is it safe to launch up the game so I can see which servers are still up and so I can contact the owners?

  24. Post #184
    The Mullock Project
    OneFourth
    June 2011
    3,057 Posts
    I joined one server that WAS NOT the server that had the virus to play a bit of deathmatch, should I scan my computer? By the way, I don't see a hidden file or folder where the source 2013 is installed, and where the virus normally installs.

    Is it safe to launch up the game so I can see which servers are still up and so I can contact the owners?
    Any server with sv_upload at 1 could be compromised. Scan and rescan.

  25. Post #185
    Gold Member
    danielmm8888
    November 2010
    555 Posts
    I joined one server that WAS NOT the server that had the virus to play a bit of deathmatch, should I scan my computer? By the way, I don't see a hidden file or folder where the source 2013 is installed, and where the virus normally installs.

    Is it safe to launch up the game so I can see which servers are still up and so I can contact the owners?
    Do a virus scan anyway to be safe.


    Basically: The virus is transmitted through sprays. You take an image, leave the file header in, and put whatever you'd like to be executed in the rest of the file.

    No, it wasn't 404's fault. 404 got hacked via the spray exploit. By the way, yes, it's RubberFruitFace and a couple of his friends.


    My best advice right now is to NOT play tf2cc or any other s2013 MP mod until Valve sorts this out, as this is an EXTREMELY huge security risk.

    Basically, stop playing tf2c and if you've been in a server in the past few days, DO A VIRUS CHECK. The fake server thing was a diversion by RubberFruit and his friends to basically blame 404.
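    The post above describes the delivery file as an image with its header left intact and an executable written into the rest. A defender-side check for that shape, added here as an example and not code from the thread or the mod: it reads the Valve Texture Format header (magic `VTF\0`, declared header size as a 32-bit value at byte 12, which is the public VTF layout) and then looks past the header for a PE image, i.e. an `MZ` stub whose e_lfanew field points at `PE\0\0`. Both sample files are constructed and the embedded "PE" is a signature-only stub. Caveat: this only catches Windows PE payloads; other appended content needs a different check, such as comparing file size against the declared image dimensions.

```python
"""Flag spray/texture files that carry a PE executable after their image header.

Added example. Assumptions: VTF files start with b"VTF\\0" and carry the
header size as a little-endian uint32 at offset 12 (public Valve Texture
Format header); a PE image is recognised by an "MZ" DOS stub whose
e_lfanew (uint32 at stub offset 0x3c) points at the "PE\\0\\0" signature.
"""
import struct

VTF_MAGIC = b"VTF\x00"


def vtf_header_size(data):
    """Return the declared VTF header size, or None if this is not a VTF file."""
    if len(data) < 16 or data[:4] != VTF_MAGIC:
        return None
    return struct.unpack_from("<I", data, 12)[0]


def find_embedded_pe(data, start=0):
    """Return the offset of an embedded PE image at or after `start`, else -1.

    Every "MZ" candidate is validated through e_lfanew so that a stray
    "MZ" in pixel data does not trigger a false positive.
    """
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def classify_spray(data):
    """Return 'not-vtf', 'clean', or 'polyglot' (valid VTF header followed by a PE)."""
    hdr = vtf_header_size(data)
    if hdr is None:
        return "not-vtf"
    return "polyglot" if find_embedded_pe(data, hdr) != -1 else "clean"


def make_fake_pe(size=0x80):
    """Constructed, non-functional blob with the PE shape: MZ stub, e_lfanew -> PE\\0\\0."""
    blob = bytearray(size)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


def make_vtf(body):
    """Constructed VTF: real magic, version 7.2, header size 80, 64x64, dummy body."""
    header = VTF_MAGIC + struct.pack("<IIIHH", 7, 2, 80, 64, 64)
    header = header.ljust(80, b"\x00")
    return header + body


# constructed samples: a plain texture and the same header with a PE stub appended
CLEAN = make_vtf(b"\x00" * 256)
POLYGLOT = make_vtf(b"\x00" * 64 + make_fake_pe())

if __name__ == "__main__":
    for name, data in (("clean.vtf", CLEAN), ("spray.vtf", POLYGLOT)):
        print(name, classify_spray(data), find_embedded_pe(data))
```

    To sweep a real download directory, read each `.vtf` under the game's `download/` folder and report anything that classifies as `polyglot`; a hit at offset N tells you where the appended executable begins.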

  26. Post #186

    December 2011
    828 Posts
    Do a virus scan anyway to be safe.


    Basically: The virus is transmitted through sprays. You take an image, leave the file header in, and put whatever you'd like to be executed in the rest of the file.

    No, it wasn't 404's fault. 404 got hacked via the spray exploit. By the way, yes, it's RubberFruitFace and a couple of his friends.


    My best advice right now is to NOT play tf2cc or any other s2013 MP mod until Valve sorts this out, as this is an EXTREMELY huge security risk.

    Basically, stop playing tf2c and if you've been in a server in the past few days, DO A VIRUS CHECK. The fake server thing was a diversion by RubberFruit and his friends to basically blame 404.
    Wait, the Rubberfruit? What the hell happened to him from making his Gmod vids to this?

  27. Post #187
    Cpt. Cakes
    November 2014
    981 Posts
    I have sprays disabled I think, and have also never seen a spray in tf2c before except the default

    I'll do a scan with ESET NOD32 antivirus

    Wait, the Rubberfruit? What the hell happened to him from making his Gmod vids to this?
    No, this is a different guy named TheRubberFruitFace.

  28. Post #188
    iiboharz
    December 2014
    138 Posts
    Wait, the Rubberfruit? What the hell happened to him from making his Gmod vids to this?
    Not RubberFruit, it's TheRubberFruitFace, completely different person.

  29. Post #189
    Cufflux
    April 2013
    1,199 Posts
    Wait, the Rubberfruit? What the hell happened to him from making his Gmod vids to this?
    TheRubberFruitFace, general asshole who's been hanging around the TF2C mod and drama for a while now. Not RubberFruit.

    Edit: Wow, second late. Oops.

  30. Post #190

    December 2011
    828 Posts
    Not RubberFruit, it's TheRubberFruitFace, completely different person.
    That's even worse, cause I know a guy who's friends with that guy.

  31. Post #191
    Gold Member
    Digivee
    December 2010
    5,273 Posts
    On the bright side, we learned that 404 isn't being petty anymore, and he's trying to get on this mod's good side again.

  32. Post #192
    BarJarHinks
    November 2014
    262 Posts
    Do a virus scan anyway to be safe.


    Basically: The virus is transmitted through sprays. You take an image, leave the file header in, and put whatever you'd like to be executed in the rest of the file.

    No, it wasn't 404's fault. 404 got hacked via the spray exploit. By the way, yes, it's RubberFruitFace and a couple of his friends.


    My best advice right now is to NOT play tf2cc or any other s2013 MP mod until Valve sorts this out, as this is an EXTREMELY huge security risk.

    Basically, stop playing tf2c and if you've been in a server in the past few days, DO A VIRUS CHECK. The fake server thing was a diversion by RubberFruit and his friends to basically blame 404.
    By "in the past few days", how long ago do you mean? I currently do not have access to my computer with TF2C on it, and I'm getting paranoid about it (last time I played was either Sunday or Monday)

  33. Post #193

    September 2015
    1 Posts
    Apparently there is more than one culprit involved: (404's post from the tf2c forums)

    "Further update. It seems that the keylogger/Rat was delivered via the spray exploit that was patched in Garry's Mod.

    The deliverer?

    Friend of RubberFruitFace named Sikes. Here are Sikes's two friends (Roy and RubberFruitFace) if you want to block these three goofs from your servers:

    http://steamcommunity.com/profiles/76561197964899068 - Sikes (aka "Ryu", fellow who was mentioned in the chat logs. He also has all of The Yiffy Fox's items, so that's damning evidence right there)
    http://steamcommunity.com/profiles/76561198031372221 - Roy
    http://steamcommunity.com/profiles/76561198136391192 - TheRubberFruitFace

    Please note that I am not friends with any of those three stooges. I used to be friends with Rubber until he fucked around and screwed up my server by banning half the players permanently for no reason after hacking my RCON."

    *EDIT* Apparently everybody is now saying that this guy is the one responsible - http://steamcommunity.com/id/TheAlucardFromHell. It's been pretty much confirmed that it involves both something to do with sprays and sv_upload. These two functions seem to coordinate with each other in some way making this exploit possible. I would highly suggest shutting down your servers for the night, as several people are reporting strange files and slight changes showing up in their server configuration and file system in general.

  34. Post #194
    Trech
    March 2012
    180 Posts
    Any server with sv_upload at 1 could be compromised. Scan and rescan.
    Shouldn't it be sv_allowupload?

  35. Post #195
    Doctor Hunt
    January 2012
    893 Posts
    Was it only DM servers? I haven't played since yesterday afternoon, and it was just on a regular CTF map

  36. Post #196
    iiboharz
    December 2014
    138 Posts
    Was it only DM servers? I haven't played since yesterday afternoon, and it was just on a regular CTF map
    Any server can be affected.

  37. Post #197
    DrMedicVG
    November 2014
    124 Posts
    Oh gosh not another conspiracy
    I hope it goes alright this time

  38. Post #198
    darkspire17
    October 2013
    116 Posts
    I'm a bit late to this whole SDK exploit, can someone give me a quick recap?

  39. Post #199
    Pastel
    June 2014
    985 Posts
    Can someone who only has TF2C installed be impacted by this? I have it on my computer but never really play it...

  40. Post #200
    BarJarHinks
    November 2014
    262 Posts
    I'm a bit late to this whole SDK exploit, can someone give me a quick recap?
    A certain server has a virus that can download on your computer via spray images, and can block your steam and fp accounts, steal your items, and many other undesirable things. Moral of the story: stay off of TF2C until further notice.