[Powerlord]

Quote:

Originally Posted by culexor Here's a list of plugins running on the server Code: admin_logging.smx admin-flatfile.smx adminhelp.smx AdminList.smx adminmenu.smx antiflood.smx basechat.smx basecomm.smx basecommands.smx basetriggers.smx basevotes.smx clientprefs.smx disabled extendedcomm.smx firewallradio_v1.02.smx forlix_floodcheck.smx funcommands.smx funvotes.smx glow.smx hlstatsx.smx infinite_aux_power.smx kigen-ac-pub.smx list.txt mapchooser.smx nextmap.smx nominations.smx playercommands.smx playersvotes.smx randomcycle.smx rcon_lock.smx reloadmaponserverstart.smx reservedslots.smx rockthevote.smx serverhop.smx sm_downloader.smx sm_skinchooser_hl2dm.smx smac.smx sounds.smx sourcebans.smx spraytrace.smx st_gamedesc_override.smx superlogs-hl2mp.smx votemute_p.smx webshortcuts.smx

It would help immensely if you gave us the output of plugin_print, meta list, sm exts list, and sm plugins list rather than the output of ls -1 on your plugins directory.

[culexor]

I managed to find out which server was deleting all of the files. So it's a safe assumption that there is a buggy/rogue plugin installed on that server. After some digging, I checked the source of a few of the files, but didn't come up with anything. I then decompiled those same plugins and one of them revealed something interesting.

One of the roleplay plugins I was running was from an older RP mod that I must have forgotten to delete (I switched to a new mod). It's a prop saving plugin, so people can add furniture to their houses, etc. Anyway, after decompiling the plugin using lysis, I found that it contained a couple hundred more lines than the source file.

Here's a pastebin of the source file (.sp): http://pastebin.com/XJcLshgn

And a pastebin of the lysis output (decompilation): http://pastebin.com/BB9meNpm

I'm not all that familiar with sourcepawn/c++ but some things still stuck out to me. Specifically, the last 200 lines or so (which were not in the .sp file), starting at line 674 (of the decompiled version, not the source).

Again, I'm not all that familiar with this stuff, so I could very well be mistaken. But it would be greatly appreciated if someone who did know this stuff well could just have a look and let me know what they think.

[Nolongerinthegame]

Yep looks like its been edited by a dodgy person from a dodgy website. But you said you had the mod for a while so why had it just started to delete the files recently

[culexor]

Quote:

Originally Posted by nelioneil Yep looks like its been edited by a dodgy person from a dodgy website. But you said you had the mod for a while so why had it just started to delete the files recently

It happened once a few months back as well.

[TheAvengers2]

Quote:

Originally Posted by nelioneil you said you had the mod for a while so why had it just started to delete the files recently

I think it's some kind of backdoor. The guy who made it probably visited recently.

RegConsoleCmd("sm_version", CommandHelp, "Roleplay Version", 0);

^ lmao

[thetwistedpanda]

It is a backdoor, and it is why your files are being deleted. It lets him issue ServerCommands as well as navigate/check/edit/delete files/directories. It's all in the code. But it's anyone that knows about it, it's not restricted to an IP or steam. So if they know !version and know the parameters, you're effed!

[culexor]

Well I had a chat with the author of the plugin and he admits to creating the backdoor but not executing it. I know there's nothing I can do now but I just want to warn anyone out there not to use this guy's plugins.

Here's a log of the chat:
http://pastebin.com/ua1yQ6KX

[thetwistedpanda]

*sigh*, out of curiosity, where did you download the plugin from.

[culexor]

Here: https://forums.alliedmods.net/showthread.php?p=1216685

He took the plugin down a while ago. I switched to a different plugin when that happened but forgot to take out the saveit.smx From what I remember, he only releases the plugin to people who rent servers from him now.

[thetwistedpanda]

So he was uploading binaries that didn't match the source to distribute his backdoor >.<, I wonder how many other servers were subject to it. Safe to say his reputation is trashed now though. Amusing how the thread was edited today and is asking for removal. Bleh.