AlliedModders


okris 05-07-2016 16:54

Server hacked
 
Hello everyone.

I am running AMX Mod X 1.8.2 and one of my servers was hacked today. The attacker installed 2 plugins named cs.amxx and dproto.amxx and two config files named plugins-amxxx.ini and plugins-players.ini. The plugins modified files on my players' computers to connect them to a Romanian server. Here are the files if anybody is interested: http://s000.tinyupload.com/index.php?file_id=96730576301751480828
Don't run them on your server.

For months I have been running the same plugins, all of which I've downloaded and recompiled from here. I've been running them on both servers, but only one was hacked. The servers are behind a router which only lets through traffic on HLDS-related ports. I've checked the logs and found no sign of anybody using the rcon password; I did change it after I restored everything from backups. I haven't been using the server for anything other than uploading maps and adding/removing admins, meaning that for the past months I hadn't run anything I've downloaded off the internet. I really don't know what could've caused this. I hope it's one of the plugins nevertheless and AMX Mod X isn't compromised.

Luckily I noticed this in time before too many players were slowhacked.

tousif 05-08-2016 01:55

Re: Server hacked
 
No steam = No support

okris 05-08-2016 03:04

Re: Server hacked
 
Screenshot of my Steam licenses:
http://imgur.com/JmM7U57

tousif 05-08-2016 03:27

Re: Server hacked
 
You're running a non-Steam server, which this community doesn't support. If you want support, then please remove dproto from your server.

okris 05-08-2016 03:52

Re: Server hacked
 
Quote:

Originally Posted by okris (Post 2417484)
... The attacker installed 2 plugins named cs.amxx and dproto.amxx ....

I don't know what dproto is. I did not have it in my plugins before; all these files appeared yesterday for the first time. It seems very unlikely that this can be done only with an rcon password. Although I do hope that it can, because then it's just a matter of changing the password.

fysiks 05-08-2016 03:58

Re: Server hacked
 
You would require FTP access to put plugins on your server (unless you have a plugin for downloading plugins). So, I'd recommend changing all passwords that relate to your server (CPanel, FTP, Rcon, etc.).

okris 05-08-2016 07:00

Re: Server hacked
 
fysiks: Thank you for your reply. I access the server on a local network and all the ports apart from the two used by my servers are closed from outside access. But if you say that it's possible for a plugin to download and install other plugins, I'll have to review all plugins I have, maybe I've missed one or two with a backdoor.

HamletEagle 05-08-2016 07:44

Re: Server hacked
 
There are exploits which upload files to the server, without any plugin installed. I am not sure if they work on a Steam-only server. Anyway, in case you run dproto, remove it.

okris 05-08-2016 15:28

Re: Server hacked
 
HamletEagle, thanks for the info, I didn't know it was possible. Maybe the easiest solution here would be to just prevent HLDS from modifying or creating any files except for stats and the ones in the logs folder. I'll fiddle with Windows user ownership and permission settings; the exploits will probably not end today anyway.

ILUSION 05-09-2016 09:13

Re: Server hacked
 
Update your HLDS to the latest version using steamcmd and your problem will be fixed. It's an exploit, as Hamlet said.
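
Added example, not part of any post in this thread: a baseline check that reports new or changed `.amxx` plugins and `.ini` configs, the kind of change described in the first post. It assumes the usual `plugins/` and `configs/` folders under the AMX Mod X directory; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed layout, relative to the AMX Mod X directory (e.g. addons/amxmodx)
WATCHED = ("plugins/*.amxx", "configs/*.ini")

def snapshot(amxx_dir):
    """Map relative path -> SHA-256 for every watched file."""
    root = Path(amxx_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for pattern in WATCHED
        for p in sorted(root.glob(pattern)) if p.is_file()
    }

def compare(baseline, current):
    """Return files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }

def demo():
    """Constructed tree: a known-good install, then unexpected files appear."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "configs").mkdir()
        (root / "plugins/admin.amxx").write_bytes(b"constructed plugin bytes")
        (root / "configs/plugins.ini").write_text("admin.amxx\n")
        baseline = snapshot(root)  # keep this off the game server, e.g. as JSON
        # Simulated tampering; file contents are constructed placeholders
        (root / "plugins/cs.amxx").write_bytes(b"constructed unknown plugin")
        (root / "configs/plugins-players.ini").write_text("cs.amxx\n")
        (root / "configs/plugins.ini").write_text("admin.amxx\ncs.amxx\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against a baseline taken right after a clean restore, any non-empty `added` or `modified` list is a reason to take the server offline and inspect it.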

