Security advisory regarding AMX Mod 2010.1
 

AMX Mod X security advisory
amxmod.net distributing malware with backdoors

Important note

This special news should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1
please consider making them aware of this post. This is an important matter that is worth to be mentioned on the official AMXModX site.

AMX Mod

AMX Mod has been officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) is attempting to update it.
Development unfortunately progresses behind closed doors and nobody really knows what's happening.

Context

Some days ago I've been asked to provide help in migrating an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough the server got attacked a few short hours later
by someone who got a hold of the servers RCON password, and it was unclear how the attacker obtained it.

Symptoms

If you are experiencing any of these problems on your server it might be an indication that someone exploited your AMX Mod 2010.1 installation:

• One or several players are suddenly admins
• Server performance seems to fluctuate unexpectedly
• Server appears to crash or shut down randomly
• Ban lists have been wiped or altered
• Server files have been altered or deleted

Log analysis

Usually the log does not contain useful information if the RCON password is not yet known (explanations below).
In this specific example however, the password was already known. If you are in this situation you would find similar logs:

His first attempt to check RCON validity:
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"

Adding a SteamID to the admins list, likely via a VPS IP:
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"

Disabling the server log to hide the following commands:
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"
L 12/04/2015 - 11:04:38: Log file closed
Server logging disabled.


Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.


The hidden commands

Since the RCON was already known in this case, the log doesn't help us understand how it has been found.
Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get a hold of this information.

Unfortunately my investigations have found that AMX Mod 2010.1 itself is that malicious server plugin. Naively checking the provided source code on the official website did not lead
to anything. Checking the compiled binaries however revealed some interesting things!

So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function which is used by the engine to receive input from a client console. The decompilation shows us an unwelcomed surpise:

https://i.imgur.com/diPvIVO.png

What do we see here?

Mostly a silly attempt to hide specific commands (by checking a string character by character) doing some nasty things:

• silenmod: Suppress server log temporarilyy when cmdr and cmdc commands are used
• mrp: Get/change the servers RCON password
• setaccess: Modify a users admin access flags
• cmdr: Execute arbitrary console commands on the server
• cmdc: Execute arbitrary console commands on a specified client
• cfile: Check whether a specified file exists
• wfile: Append data to a specified file
• dfile: Delete a specified file
• uptime: Check server uptime
• slog: Disable server logging completely

Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentification happens during client connection, and we find is_dev_authid() in the binaries:

https://i.imgur.com/gg3OHQ6.png

https://i.imgur.com/Oq99nEU.png

We can see three hardcoded SteamIDs, checking character by character but not verifying two digits. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:

STEAM_0:?:1169??26 -> STEAM_0:1:11696626 ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0:13923116 ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed

Solution

It appears that only 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMXMod regardless, strongly consider the following recommendations:

• Ban these SteamIDs:
  
  Confirmed wildcard matches:

  STEAM_0:0:11696626
  STEAM_0:0:13923116

  Potential SteamIDs matched by the third. Checking 198 valid IDs these are the ones we found with a pofile and with Counter-Strike in their accounts.
  The malicious accounts are likely among the private profiles, but it should be safe to ban them all:

  STEAM_0:0:13201737 ; Private
  STEAM_0:1:13201737 ; Private
  STEAM_0:1:13207837 ; Private
  STEAM_0:1:13203837 ; Private, VAC
  STEAM_0:0:13204137 ; Last Online 2254 days ago
  STEAM_0:0:13205937 ; Last Online 1190 days ago
  STEAM_0:0:13209137 ; Last Online 583 days ago
  STEAM_0:1:13201537 ; Last Online 2764 days ago
  STEAM_0:1:13202837 ; Last Online 678 days ago
  STEAM_0:1:13204537 ; Last Online 1386 days ago

  The SteamIDs used with the amx_addadmin command, attempting to give them admin rights:

  STEAM_0:1:42507932
  STEAM_0:1:39310704
  STEAM_0:1:1108105

  Also these basic safety precautions
• Change your RCON passwords (consider your passwords compromised even if nothing has happened yet)
• Check your plugin sources and don't hesitate to recompile them yourself
• Don't trust this developer with future binary updates (AMXMod 2016 is apparently coming up). Feel free to contact me to make sure you are safe.
• Backup all your configuration files.
• Keep an eye on your logs and scan them for suspicious entries

We hope this helps to prevent any security issues on other servers that run AMXMod, or helps them deal with it if they already have 2010.1 installed.

Re: Security advisory regarding AMX Mod 2010.1
 

Good work bro ! You are awesome !!

Re: Security advisory regarding AMX Mod 2010.1
 

Nice catch Arkshine. IMO, the only remedy is to not use anything from that website/author. Use AMX Mod X.

Re: Security advisory regarding AMX Mod 2010.1
 

Re: Security advisory regarding AMX Mod 2010.1
 

Fun fact #1: that person is likely monitoring either manually or automatically all servers under AMX since there are not much: http://www.amxmodx.org/newstats.php?mod_id=0&addon_id=2.

Fun fact #2: in the second screenshot you can see "is_blocked_authid" function. At client connection, If you are validated with this check, your steamid and ip are automatically added to the ban list. For some reasons, It would appear that my steamid and ConnorMcLeod are blocked. Likely because we know this guy long time ago and this is not the first time he's doing some vicious and nasty things.

Re: Security advisory regarding AMX Mod 2010.1
 

It must be the french connection. I have to say I was looking forward to the new amxmod to see what he plans to bring to the table.

I was pretty sure he was referring to you when I read this part:

Re: Security advisory regarding AMX Mod 2010.1
 

Yep. This guy is well known to have an obsession toward AMX, even back when original AMX forum was still there, and it's true I had an argument with him years ago about why he was doing that. Likely he did not like we point out that his latest version is about mainly importing stuffs from AMXX and adding some of his "touch" to make his own version ; and that therefore for the sake of admins it would advantageous to either contribute to AMXX or creating a fork from it. Silence. I stopped to care at this point I guess.

Well, I think he genuinely wants to propose something more ready-to-use as user, but what he's doing (especially messing with server when he feels like) and the way is doing it is very very wrong.

Re: Security advisory regarding AMX Mod 2010.1
 

Who uses that anyway. It's severely less mature than AMXX. Some people really like being different for the sake of bring different I guess.

Re: Security advisory regarding AMX Mod 2010.1
 

When 1.8.3 will be official version ?

Re: Security advisory regarding AMX Mod 2010.1
 

This made me laugh.

Great discovery anyway. I hope that AMX project will really fail now. Misery is right, why would anyone still use that addon in the first place?

Re: Security advisory regarding AMX Mod 2010.1
 

Who even use AMX Mod?

Re: Security advisory regarding AMX Mod 2010.1
 

Not many servers currently use it, but things might change with the new amxmod depending on how integrated the nonsteam support is with their core modules and plugins. It could be attractive for nonsteamers if things like voicetranscoder and registration systems work out of the box. The sad reality is the majority of servers are nonsteam, so while it may be beneficial in the short run for amxmodx and alliedmods as you'll see less nonsteamers here, in the long run its use could drop significantly. For steam only servers amxmodx will remain a much better option.

Re: Security advisory regarding AMX Mod 2010.1
 

I guess they deserve having backdoors and being hacked then.

Re: Security advisory regarding AMX Mod 2010.1
 

Well, for the ones who are not aware, I'm the actual developer of AMX Mod.

Due to the dramatic and vicious tone of your bad news, I had to respond...
Text is a little long as you can see, but you have all detailled explanations if interrested, to make the things right against that crap.

About the backdoor part:
I have a personnal backdoor, it's a fact (I guess you're happy to have a nice thing to publicly expose in order to still blame/attack AMX, just like if your incorrects terms on the past weren't enough because you hate its return and the way I'm working on it...).

But, I'm also the developer of the program, and I take this right, cause I've my reasons to do that.
This was mainly made in order to let me secretly check the server configuration and plugins used, and as a dev who is managing the whole amxmod.net's content ALONE, this is extremely helpful for me. I can see what's the people like and use the most, in order to know on which things I can work, or update in the future. Kind of statistics for configs... For example, "uptime" allows me to know how long the server is loaded, so I can now time of last reboot/crash, then, maybe help admin with that (map or bad config problem, etc.).
There are also cases, where I came on a few servers using AMX, I introduced myself the proper way, and just inform a few things in the chat, if need help, etc., because lot of people are not aware about various things or don't take time to search and read important things.
I did absolutely nothing else/wrong, and result, the main admin banned me permanently without reason, I came back with another account, same thing. And I'm spending my time to maintain this addon for such assholes? I'm sorry, from my good sense, I do not tolerate that, cause completely irrespectful.
Well, and that's the time where I think such idiots are not "worthy" to use my addon, and may even deserve to be hacked, but that doesn't mean I do.
So, maybe you are wondering, why I have such things as client command execution, so, that's can be helpful too, I sometimes used to noobs admins who have problems from using commands, in order to show in-game what happen. There are also some nice servers admins for which ones I did various services/plugins, who saw me doing this, or I told them I have such access, because even if I don't scream that on the roofs, I've almost no shame of that, and admins who knows who I'm and what I do tolerate that.
It's also happened I've used some of my access to gag or ban players (cheaters) when admins not here, but again, that was helpful and I ensure to the people there are rares cases/exceptions. And then, I do not play frequently anymore.

At the end, maybe not everyone could agree with that, you AMXX devs first, I could understand, for sure, not everyone share same opinions.
If such AMX addon was not free, this could be really questionable, but it's not.
This is not because I have such things, that I'm a fucking bad guy or hacker with malicious intentions as you try to say...
This is not because someone owns gun(s) at home, that he is a serial killer, terrorist or something similar...
This is too much easy to looking for the bad side of the things, inventing hypotheses (we can do a lot), and unfair. This is not my way to think.

I know, you have not that stuff on your "precious" AMXX, but that doesn't mean the others (me, AMX dev) should exactly follow your behavior and if they don't, you'll blame/destroy them (with a shitty news like that). Doesn't seem fair for me. And again, I've my reasons to do that.

Here is an example where you are blaming my way of developping AMX:
"unfortunately" -> What "unfortunately"? If I don't want to release status on GitHub like you, or give details about it, I'm free to do that. You're nothing to told me what I can do and what I can't. I do not allow you. Show more respect. I have my own reasons to do that, as radical as they are. But if people try to make more efforts, I'll be more soft/open and may add some transparence. That's how I feel, how I work, and how my mentality is! "I don't want to give to much if have almost nothing as return."
AMX<->AMXX situation is completely different, and according to this, I can also take some "rights" others may not can (as few sources restrictions, etc., cause I only spend my time for AMX, not something else). That's good sense for me, nothing more. But we now both of us we don't feel the same way.

And if you, AMXX devevelopers, think you're too much perfect with your total transparency to dare blame me, I don't think so. I could quote one of your stupid and radical decision to do not provide proper support with, you know, that more than 75% of GoldSrc servers are using... (I'm pretty sure people who are in consern will know that I'm talking about and will agree with me).

You suggest AMX 2010.1 users to ban these devs? Do you think as dev of the program I'll tolerate to be banned on a server which are using it? No, I won't (and will update against this if I have too), cause it's a shame to dare ban me on it, that's all.
If people doesn't really like, they change for AMXX, there are free of their own choices.
Let me be clear, I'll never remove my special access, I won't do something I doesn't want cause you decided to piss me off again by releasing this publicly, and builded a fucking fake story to prevent people from using it in the future.
And, AMX 2010.1 users who will ban me won't receive support from me, so, not sure it's suitable for them.

--------------------------------

About the fake "server hacking" part:
Whaouuuu, that's dramatic to see that!
I don't know how long you are aware about my special access in binaries, but waiting the time where a popular French FFA server which used AMX since 3 years ago, was moved to AMXX probably because one of your makaka "virtual" friend you have in the pocket/contact did some forcing to the leaders; in order to build a fucking fake story about an attack from me is the height degree of anything!
That's really sad to see that kind of behavior from "enemies", I guess it was expected.
Old leader trusted me on the past, I did various things for him and his server and for free, cause I'm cool, and from that I remember, he enjoyed well the use of AMX Mod.
And I've never "hacked" this server, "except" very long time ago, where I've just only gagged one or two idiots, don't remember exactly.

So, you'll say "the logs talk of themselves", I don't give a shit! Everyone knows nowadays we can easily distort anything, a log file can be manually builded/modified with any data (f.e., my own SteamIDs and last IPs I used), it's too much easy. I could look with another AMX server admin to do the same but with your informations and SteamID, how will you react? Not sure you'll like it...
In consequence and for my opinion, you have absolutely NO RIGHT to release that shit publicly, at least while you have not enough proofs from others users/people in order to support your words. And as far as I know, NO ONE posted messages here or in others AMXX forums about such hacking from me, then, this is not the "only two" others French people you may have in your pocket and ask for help, and with the ones I had some disagreements on the past, you don't know the whole story of that, if I had legit things or not, then, this is not your business, it's private. Stop releasing things publicly in order to harm people, when you have not enough proofs. We can do a lot like that, where are we going seriously?
But it's sure I'll take care in the future to act more nicely with the people I become in trouble for X reason, when I see that happens and how this returns against me at the end, as there...

I'm not spending "thousand of hours" and waste some money to work on an addon, once used by users, I use it to hack people, willingly crash it for no reason or something similar. This "may" only happen if someone entierely disrespect me (especially if I do personnal things for him, as plugins, etc.), that's for me, a punishment he deserves. And I don't give a shit of what you're thinking about that.
People like me should be respected, and are not fucking dogs/slaves of the others, respect the job and time allocated is something required for me, and unforgivable.
When you pay something, you have the right to require some satisfaction, when you don't, I don't think so.
Seriously, try to think to the bullshits you wrote, cause that's fill of non-sense!

Due to all of this, I REQUIRE/ORDER you (or BAILOPAN whatever), to do that at least that follows:
#1 (high priority):
Remove the latest three SteamIDs. I don't know where they come from, and why the fuck they are here.
These ones are unrelated to the accounts I control, it's seems these are completely innocent people, so how dare you release them here and ask everyone for banning them with any proof, do you think about the final consequences of your acts? Seriously, your poor transparency politic sucks hard!

#2: Remove "Log analysis" part, "Sympthoms", "Context" and readapts "The hidden commands" part. Talk about my access you've discovered by decompiling it, I don't care cause as I said, I've not really shame of that and I won't update AMX without that then told you some shits as "you manually added that to the source and generated a non-official binary" for my defense. That's not my behavior, unlike you, from that I see...

#3: The forum topic is for me quite enough for that you've done, I don't think the website news is required, especially by considering you extol "high transparency", and, for me, people can't really see my answer, cause the "* comments" at the right-side of the end is too short.
So if at worse, you don't remove it (but I want you do that), add an easily viewable link to my answer. People have the right to know the "real" truth.

#4: Change "user name" at the beginning, that's not the actual one.

--------------------------------

For the rest...

Muhaha! Why do you think both of you are blocked by the AMX core?

I'll prefer not write that follows, but since you provoked me again... you'll have that you sowed!

From a while you hate me (reciprocal for sure), my different politic sometimes slighly radical, and mainly, the fact I wish to make revive AMX by developping it differently, extol something else, etc.
And from that I know, this is especially the fact this dispatches the community, something which is disturbing you very well.
I can understand people have different opinions, and if there will be like, 10 server addons, that will be annoying. But there is what? Around three addons, and if we remove old Admin Mod, mainly two nowadays. So AMX vs AMXX.
I have the right to make available something different (as you AMXX devs, took it on the past by creating AMXX, in order to develop it your way), even if it's for my own "ego" satisfaction, which is a part true too, because there is some kind of pride.
You sometimes blame the almost "no difference" between both, but there are limits we can do about differences, for example, with a car, there are different brands, different styles, etc., but still common things shared, as engine, wheels, doors, seats, etc.

You're blocked because I hate your sentences with various unfounded and distored words, shabby critics...
Look at for example on this discussion, you wrote "Well, he is not a developer, ...", what a fucking bullshit, who is currently working on it? I know, your mom right? Really!
In other posts you sometimes said "fake developers". Fill of non-sense. Let me explain, you could only say that if, for example, there will be new functions (forwards/natives), available in the changelog and include files, but not internally. At this point, this will make sense.
In another old post on a French forum, you said "all has still been copy/pasted from AMXX". I'm sorry, you're wrong, a good one will be "there are still some things merged from AMXX".
Also, recently, on your French forum, I just saw "troll", still one more thing that proves how you publicly like to disrespect my job.
This is not because someone is not developping the same way than you, or because he has not the same knowledge, that it's a reason to blame his job, attempt to prove it's unstable without serious proofs of that (such as tests, debugs, etc.). As you clearly wrote on the "amxmod - amxmodx" topic on the Allied AMX's French forum.
All of this is a shame for me, since I'm doing this on my free time, and for FREE. I guess you have more respect for the GNU than the time the others spend to work on programs. What's not how I'm thinking.
Just to be clear with you, even if I have to admit I don't like negative critics, I can tolerate them when it's justified/useful, while, yours are too much "out of context" and aim to make me seem like a huge idiot and incompetent guy, from the people's eyes, and this doesn't change with the years...
And after that you've got surprised I got some kind of anger or radical mesurements, you're tellind a few bullshits to people, titillating me with no restriction, step by step, again and again, until this happen, so a such result is expected!
I'm not sure you'll like I wrote bullshits on AMXX, or said "not stable" "not adviced", etc., you'll probably start by exiting yourself, tell the guy to make proper install and test to make sure it AMXX fault, etc.

And you had criticized too much the few things AMX has merged from AMXX, just like if AMXX had all the rights, and AMX, well, should just shut up!
I don't feel that way, AMX is THE ORIGINAL program...
Should I remember AMXX forked it including "name" too? With useful and obvious reasons for sure, but the fact is here.
Should I remember AMXX made a very huge copy/paste on the past due to that? And the one from KRoT@L and me did is "nothing" (at least very lower) compared to yours! Last time I fastly checked various files, for sure, there are a lot of things that have been modified/rewritten, but still a huge amount of things from AMX, almost identical. So you should stop when you talk about my job or AMX, specify this in the goal to "save" your precious addon from being blamed.
Just to be clear, next release will contain almost no AMXX stuff (very minor), and most of the things will be completely redesigned, I'll even have to update again the 3rd-party plugins cause more than an half won't work, just to say and let you imagine that I've done on it...
I have no shame to tell, that AMXX will always be the most complete about features for coders, etc., for sure, this is something an unique guy can't really fight, cause huge retard, different politic, tastes, while AMXX has been actively developped from long time ago, and by more devs and contributors, including some of them who will find interest or have knowledge on things I may not have or don't care (such as SQL stuff).
But it will be enough powerful, easy to use, and contains only "essentials" useful things properly made and workable on old/new/cracked game platforms/versions, in an intelligent and automatic way. Cause as I said, I like "simple & essentials" things, so I design AMX this way, no superfluous or duplicated things...

Well, at the end, I think you people from here, even if you know this guy well, should really question what are the weird words/methods this developer can be able to do against various things he doesn't like, as AMX Mod and all my job. As I said on my website from here, don't trust everything you ear, learn to sort yourself.

And Arkshine, I now you won't do, but, trying to rebel with me about that will be only for readers, not for me. Cause you know from my view I'm right, you're wrong, and vice-version. It's a discussion with no limit...

And about why Connor is blocked too:
Maybe he has good knownledge too, did a great help here and made various useful plugins, but on the past he came on some AMXX servers and told the people bullshits about AMX, using vicious or unfounded words to force them from moving towards AMXX.
Mainly cause him and me had some personnal conflicts. So in my opinion, guys who dare does that have really some spite against me and my job, so they are not welcomed, I take the measures I judge necessary.

Was a huge text (too much I know)! My fingers need some rest! Hope this was clear enough for the readers.
To finish, even if this doesn't talk about AMX in a positive way (was predictable from an anti-AMX guy and "enemy" addon, I'm get use to it!), I thank you, cause this talks about it, just that I need! hihi!

PS: Don't dare edit anything on my post (I guess you won't), I've a screenshot, if I see any modification I'll post it on my website.

Re: Security advisory regarding AMX Mod 2010.1
 

Your "non-malicious backdoor" can still be malicious as your supporting no-steam which exposes the problem of faking a steamid causing your backdoor to be an easy tool for malicious users.

Re: Security advisory regarding AMX Mod 2010.1
 

@StevenKal
Just one thing about this: i SHIT on "your reasons" that you think allows you to make yourself on my servers (if i would still run servers) admin.
On my server there is (was) only one admin and that will never be you!

Re: Security advisory regarding AMX Mod 2010.1
 

He's basically admitted that he's misused this backdoor himself¹ and will continue to abuse it whenever he feels like it², so even if it were used on a Steam server, it's still malicious.

¹²and that's not even considering this gem:

Re: Security advisory regarding AMX Mod 2010.1
 

The binaries on amxmod.net have a very dangerous exploit, so our advisory will not be removed. In many jurisdictions I would expect distribution of this software to be illegal, given that it is harmful to users.

I'm not a lawyer, but it's our duty to inform the community when we've discovered something dangerous.

Re: Security advisory regarding AMX Mod 2010.1
 

Ever heard of privacy?

Stalking people..

That's not how the world works. Noone forces you to do anything. But you have no right to interfere with people's servers and how they use your plugins, specially not since you released your plugins publicly.

And you have no right to be executing commands on players or getting admin access in servers you have not been a part of, and have not been given proper clearance to do so. Imagine a stranger walking in on a server and using admin commands, how would the server managers feel about this?

What you've done here is much worse than what nonsteam ID changers do in nonsteam servers...

Helpful or not, with good intentions or bad, this is still a serious security risk, and all this can easily be abused.

And keeping quiet about this and hiding it is okay? It's not okay, if you're going to do something like this you must make it [size=medium]FULLY VISIBLE[/size] to the people using your plugins, making sure they are well aware of everything that goes on in your little "monitoring" of their servers.


AMXX and Alliedmods show full transparency in their plugins and work, revealing source code, updates, changes, everything, and that's the best thing about them. You dont have to do any of that if you dont want, keep your work private for all we care, but change the project name so it doesn't associate to AMXX and there is no confusion for the players, leading them to think that Alliedmods has any part in such abusive behavior.

It's their decision what to do with their servers, and it's your decision what to do with your plugins. But you must always announce your presence in their servers and ask for review and monitoring rights in a civilized way. Not going in and snooping like you did.

That's your problem.

No one wants support if their servers are compromised with it..

Quote:

Originally Posted by StevenKal (Post 2371325) About the fake "server hacking" part:

And how do you think people will see you after saying all this shit?

These are your words, yet you're doing this exact same thing..

I'm sure Arkshine's disassembly of your code is more then enough proof that you are doing something shady. He even explained what he did so others can verify his findings too.

Again, ever heard of privacy?

People in the nonsteam communities do the same thing like you did, make vulnerable plugins and exploits, but you dont see them complaining about it here when they get caught and exposed, now do you?

Quote:

Originally Posted by StevenKal (Post 2371325) Due to all of this, I REQUIRE/ORDER you (or BAILOPAN whatever), to do that at least that follows: #1 (high priority): Remove the latest three SteamIDs. I don't know where they come from, and why the fuck they are here. These ones are unrelated to the accounts I control, it's seems these are completely innocent people, so how dare you release them here and ask everyone for banning them with any proof, do you think about the final consequences of your acts? Seriously, your poor transparency politic sucks hard! #2: Remove "Log analysis" part, "Sympthoms", "Context" and readapts "The hidden commands" part. Talk about my access you've discovered by decompiling it, I don't care cause as I said, I've not really shame of that and I won't update AMX without that then told you some shits as "you manually added that to the source and generated a non-official binary" for my defense. That's not my behavior, unlike you, from that I see... #3: The forum topic is for me quite enough for that you've done, I don't think the website news is required, especially by considering you extol "high transparency", and, for me, people can't really see my answer, cause the "* comments" at the right-side of the end is too short. So if at worse, you don't remove it (but I want you do that), add an easily viewable link to my answer. People have the right to know the "real" truth.

No one from alliedmods has to do any of that, but it's their decision.

Again, these are your words, but you dont seem to stick to your words..

Quote:

Originally Posted by StevenKal (Post 2371325) For the rest...

Real mature...

Unlike you, AMXX provides full transparency and was built upon the Open Source concept. About the "something different" part, the only thing you're doing here is giving AMXX devs a bad name by what you do with your shady AMX releases. You are causing a confusion for the people who actually need a good server management platform such as AMX Mod X.

The equivalent of this would be as if a nonsteam release would pose and compete with Valve.

Change your project name to block any similarity to AMXX and Alliedmods and do whatever you want with your time...

Again, very mature..

I could say the same thing for you...

From what i've seen, AlliedMods has good morals and wouldn't resort to something like that. I cant say the same about you though..


------------------------------------

Now let me say something of my own. AMXX and Alliedmods have been an active community as far as i've known, in constant development and upgrades. They truly understand the meaning of Open Source, they provide full source code of everything they do, along with changelogs, updates and references to old stuff. They have a great team of devs, but also members who always are willing to provide help and support for free. They have great morals, the official code never contains exploits or anything malicious from their side. They also understand the meaning of copyright and work well with Valve against piracy and deny support of such(although they do need more work in this field, but i also understand that things have moved on and SourceMod has a higher priority). They've been around long enough and they know their stuff.

Here is AlliedMods:
http://i65.tinypic.com/8x7zp1.png

And here is amxmod.net:
http://i65.tinypic.com/2vrsit0.png

Who is copying who? You do the math...

Re: Security advisory regarding AMX Mod 2010.1
 

Great part (haven't read the whole post).
"I have no fucking idea why the hell those steamids appears in the sourcecode i'm claiming to maintain since few years, those steamids were not last official amx version, God may have put it there and He wants me to be admin an all servers"



Oh, and ALL arguments fall at once when you consider the fact that those backdoors are not in sources, but in binaries, but you gonna have a good explanation for that, i'm sure.
Was nice to put a foot in amx/x land.

Re: Security advisory regarding AMX Mod 2010.1
 

Why hasn't this guy been banned yet?

Seriously, you don't put a steam ID check that grants admin access on an addon that is to be used in thousands of public servers. That should be fucking common sense. What's even worse is how you distributed binaries that do not match to the source code from the public repo.

Nobody wants you fucking with their servers without their permission. The fact that you even think that was marginally okay, even if it's to gather statistical data, shows that you have serious critical thinking problems.

Good work Arkshine on your disassembling efforts to expose this fraud of his bullshit. I salute to you.

Re: Security advisory regarding AMX Mod 2010.1
 

Isn't there an inheritance of the GPL for Metamod plugins? Which would make distributing binaries without the actual source code illegal.

@StevenKal

Your post was quite laughable.

Re: Security advisory regarding AMX Mod 2010.1
 

Interesting... I hadn't realized that MetaMod was GPLv2 (according to its SourceForge project). I just assumed it was a more permissive license like MetaMod: Source is (MM:S is zlib/libpng licensed).

Re: Security advisory regarding AMX Mod 2010.1
 

I'm pretty sure anyone using AMX is using MMP

Re: Security advisory regarding AMX Mod 2010.1
 

Yes.

They're both GPL.

Re: Security advisory regarding AMX Mod 2010.1
 

Oh...

Re: Security advisory regarding AMX Mod 2010.1
 

Flatulence, we have good treatments for mental illnesses. You are the shame of french coding community.

Re: Security advisory regarding AMX Mod 2010.1
 

In some maners, even if this is not true (cause I didn't build it alone from scratch, old devs started this job before me), I actually slightly consider the software as "mine", mainly cause I'm alone to manage it. So I do that I want with it, and as I said, I've my reasons as radical as they are (and it's not a such news which will make me change my mind or politic; if people don't like that or afraid to piss in their pants, they don't use it, that's all; no need to complicate the issue by dramatizing too much like that).
I don't think AMXX devs will provide proper support someday about non-Steamers, you were formal about that, I'm too with my own. Try to respect the others's choice a bit.

It maybe sounds like something "horrible" for most of you, because you seem to aim the worst part of the thing and lets imagine all/end possibilities this can be able to do. As I explained a bit on the beggining of my previous message, we can do a lot by thinking this way.
And not everyone has such access, only ME, its developer, for various and obvious reasons.
And by default, people wasn't supposed to know that, this was hidden for obvious reasons too.
Only programmers who knows well about decompilation could that (and by attempt to looking for such stuff).
No luck for me, someone I hate did and took pleasure to expose that publicly.

Most of you are "probably" also pro-alliedmodders's politic, pro-open, pro-legit, pro-legal-Steam, pro-laws, pro-social..., while I tend to make my own laws with the program I'm working on. So a such behavior which is, "thinking the other way", offends/shakes your minds hard! I know, I know, but just to be clear, this won't change for your satisfaction.

Yeah, thank you! I'm a little aware by reading it again (cause it's too much)!
I think now I should have not post it, since people doesn't share my different opinions (was a little predictable by the way). But well, nevermind, that's not really worst than the f****** initial news.

Mental illnesses? Because what? I think differently than common people from here?
Nice & fast deduction, poor sub-shit dude, ark's sheep...

--

Bye! Hope you'll use my future "Mighty" release! :)

Re: Security advisory regarding AMX Mod 2010.1
 

Dude just fucking GTFO and leave before you make yourself an bigger ass (if you haven't reached the point of maximum assholery already). Nobody wants your backdoor-infected addon, nobody cares about your project, nobody gives a fuck about non-steam servers.

It's pretty shameful to see someone with this much coding knowledge lack any sense of morals.

Re: Security advisory regarding AMX Mod 2010.1
 

Hello I'm robert locksmith, I change your locks but I keep a duplicate of the key in case of you are not there for feeding the cat and watering green plants

:nono:

Re: Security advisory regarding AMX Mod 2010.1
 

Yeah, clearly the developers of AMX Mod X have an idea of ethics unlike yourself.

Re: Security advisory regarding AMX Mod 2010.1
 

As if there is a country where no-steam server is legitimately legal.

Re: Security advisory regarding AMX Mod 2010.1
 

It is horrible, and you already abused it. The only reason it's hidden is because you know even fewer people would use amxmod if they found out about it. You think you're the only one that has access, but as with all other backdoors there is always a risk of others using those backdoors, as if just you having it is not a big of a risk as it is.

Now you're just trying to diverge attention from the real issue. You have a backdoor that gives you total control over a server, this isn't thinking outside the box or trying something different, that's just being a control freak. Why even bother publicly releasing it at this point, just run it in your own servers and be done with it. Either that or you need to rethink your approach and understand why what you're saying makes no sense at all.

Re: Security advisory regarding AMX Mod 2010.1
 

There actually are. Not that it is legal (piracy is probably illegal everywhere), but in some countries such laws are not enforced. People are free to use pirated software, and nobody is taking action against that.
I live in such country, and I am not proud of it either. Even though I can use pirated software freely, I always try not to.

P.S. Sorry for going off-topic.

Re: Security advisory regarding AMX Mod 2010.1
 

Just because it's not enforced doesn't make it legal as you have implied.

Re: Security advisory regarding AMX Mod 2010.1
 

I've never said it is, I am aware it is illegal.

Re: Security advisory regarding AMX Mod 2010.1
 

StevenKal what exactly do you think makes your AMX worth anyways?
Because you say "I support non steam"? AMXX can be used on non-steam very easily anyways.

You put this stuff in your mod, those commands, and you come here saying "I will continue doing this" instead of maybe (even if you're totally discredited now) trying to apologize and trying to maybe make up for it... idk maybe by stating you will remove those, or even better, opening up the code?

What kind of credibility you think you have as a dev now? Well, next to none is the correct answer.

Second, you "dev" that under closed source. What kind of value has this? Your final product will surely be less optimized than the AMXX counterpart. This wouldn't be the case if you had theoric software experience that would outmatch what AM devs have (not stating they are the best out there either, but they do have some), but I doubt you have. I would think you are pretty subpar as a programmer, more an amateur than a professional.

By opening your source at least you could make your product a bit better, as you would get outside support from people more experienced than you. It's not really hard to figure AMX will be outperformed by AMXX : more heads working on it, more expertise, open source model, etc.
Your product has no value against AMXX, it's a pale copy of it.

Had you done a new kind of system that provides, I don't know, maybe python-based scripting, that would make it stand against AMXX, and there could be advantages to such a system. But what you are doing is a mere copy. You're wasting your time on this anyways. The only logical conclusion to this is probably that you dev AMX only to have this kind of special control you granted yourself in those bins, and you probably copy a ton of shit from AMXX as well.

Re: Security advisory regarding AMX Mod 2010.1
 

taking seriously and responding to what that guy posted, makes you a complete idiot...
what a moron he is tho...

good job arkshine, as always, you are flawless

Re: Security advisory regarding AMX Mod 2010.1
 

I'm not familiar with AMX at all, but I had to read this entire thread and I second the movement to tell Steven to GTFO.

What kind of half-baked idiot would think doing this would be a good idea? That gigantic first post he did where he laid out his demands, admitted that he would use the backdoor to fuck with people's servers if those people disrespected him, and basically came off sounding fucking retarded (pardon my language) was just pathetic and a waste of my reading time.

Get lost Steven, ya cheeky twat.

Re: Security advisory regarding AMX Mod 2010.1
 

hahahah what a meme