[Kigen]

One of our server got hacked yesterday and I'm strongly suspecting something within SourceMod or one of its plugins was the cause.

I was wondering if anyone knew of any problems with plugins or SourceMod itself that could have led to this.

Code:

L 03/04/2008 - 16:04:03: "I FUCK U<779><STEAM_ID_PENDING><>" connected, address "75.141.50.202:10058"
L 03/04/2008 - 16:04:03: "I FUCK U<779><STEAM_ID_PENDING><>" connected, address "75.141.50.202:10058"
Client "I FUCK U" connected (75.141.50.202:10058).
Client "I FUCK U" connected (75.141.50.202:10058).
*DEAD*(Terrorist) brutaL.: nice
L 03/04/2008 - 16:04:03: "brutaL.<741><STEAM_0:0:9081185><TERRORIST>" say_team "nice"
L 03/04/2008 - 16:04:03: "brutaL.<741><STEAM_0:0:9081185><TERRORIST>" say_team "nice"
L 03/04/2008 - 16:04:03: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
L 03/04/2008 - 16:04:03: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
*DEAD* |☆|W@KEK3K v.3: lol
L 03/04/2008 - 16:04:03: "|☆|W@KEK3K v.3<693><STEAM_0:1:12205891><TERRORIST>" say "lol"
L 03/04/2008 - 16:04:03: "|☆|W@KEK3K v.3<693><STEAM_0:1:12205891><TERRORIST>" say "lol"
L 03/04/2008 - 16:04:04: "I FUCK U<779><STEAM_0:0:17549938><>" STEAM USERID validated
L 03/04/2008 - 16:04:04: "I FUCK U<779><STEAM_0:0:17549938><>" STEAM USERID validated
L 03/04/2008 - 16:04:04: [sourcebans.smx] [SourceBans] STEAM_0:0:17549938 is NOT banned.

L 03/04/2008 - 16:04:04: [sourcebans.smx] [SourceBans] STEAM_0:0:17549938 is NOT banned.

L 03/04/2008 - 16:04:04: [SM] Native "GetEntData" reported: Entity 29 is invalid
L 03/04/2008 - 16:04:04: [SM] Native "GetEntData" reported: Entity 29 is invalid
L 03/04/2008 - 16:04:04: [SM] Debug mode is not enabled for "sm_super_cmds.smx"
L 03/04/2008 - 16:04:04: [SM] Debug mode is not enabled for "sm_super_cmds.smx"
L 03/04/2008 - 16:04:04: [SM] To enable debug mode, edit plugin_settings.cfg, or type: sm plugins debug 35 on
L 03/04/2008 - 16:04:04: [SM] To enable debug mode, edit plugin_settings.cfg, or type: sm plugins debug 35 on
Console: LOLOLOLOLOLOLOLOLOLOOLOLOLOLOL
L 03/04/2008 - 16:04:04: "Console<0><Console><Console>" say "LOLOLOLOLOLOLOLOLOLOOLOLOLOLOL"
L 03/04/2008 - 16:04:04: "Console<0><Console><Console>" say "LOLOLOLOLOLOLOLOLOLOOLOLOLOLOL"
L 03/04/2008 - 16:04:04: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
L 03/04/2008 - 16:04:04: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
L 03/04/2008 - 16:04:04: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
L 03/04/2008 - 16:04:04: [swear_replacement.smx] [Swear Replacement] Named changed from I FUCK U
L 03/04/2008 - 16:04:06: [SM] Native "GetEntData" reported: Entity 29 is invalid
L 03/04/2008 - 16:04:06: [SM] Native "GetEntData" reported: Entity 29 is invalid
L 03/04/2008 - 16:04:06: [SM] Debug mode is not enabled for "sm_super_cmds.smx"
L 03/04/2008 - 16:04:06: [SM] Debug mode is not enabled for "sm_super_cmds.smx"
L 03/04/2008 - 16:04:06: [SM] To enable debug mode, edit plugin_settings.cfg, or type: sm plugins debug 35 on
L 03/04/2008 - 16:04:06: [SM] To enable debug mode, edit plugin_settings.cfg, or type: sm plugins debug 35 on
Console: ROFL ROFL ROFL ROFL ROLF ROLF ROLF ROLF ROLF
L 03/04/2008 - 16:04:06: "Console<0><Console><Console>" say "ROFL ROFL ROFL ROFL ROLF ROLF ROLF ROLF ROLF"
L 03/04/2008 - 16:04:06: "Console<0><Console><Console>" say "ROFL ROFL ROFL ROFL ROLF ROLF ROLF ROLF ROLF"

He continues to spam crap like this plus some website addresses to hacking websites until the map changes (it actually just keeps playing the same map).

[BAILOPAN]

Got any more logs?

[Kigen]

I got 400MB worth of it.

Depends on what ya need. I searched it but couldn't find a point of entry.

[Kigen]

I've been searching for all instances of Console being used to say something and I'm finding a lot.

Code:

[Ads] Loading addons\sourcemod\configs\ads\plugin.ads.cfg config file
[Ads] Loading addons\sourcemod\configs\ads\plugin.ads.cfg config file
[Ads] Loading Version 1.0.4.0 :: By Shane A. ^BuGs^ Froebel
[Ads] Loading Version 1.0.4.0 :: By Shane A. ^BuGs^ Froebel
Console: g
L 03/04/2008 - 14:11:02: "Console<0><Console><Console>" say "g"
L 03/04/2008 - 14:11:02: "Console<0><Console><Console>" say "g"
L 03/04/2008 - 14:11:02: World triggered "Round_Start"
L 03/04/2008 - 14:11:02: World triggered "Round_Start"
Invalid terrorist spawnpoint at (-514.0,144.0,144.0)
Invalid terrorist spawnpoint at (-514.0,144.0,144.0)
L 03/04/2008 - 14:11:02: XXX ACE RB SERVER TIME : 14:11 REBOOT AT : 6
L 03/04/2008 - 14:11:02: XXX ACE RB SERVER TIME : 14:11 REBOOT AT : 6

It says something different each time but its there.

[ThatGuy]

Did your box repeatedly go down?

[Kigen]

No, but we are hosting a series of servers from one box.

We had lag issues in the past but that was because the host put defrag in the schedule and it kept running every day.

[BAILOPAN]

For example, the last log you posted:

Code:

L 03/04/2008 - 14:11:02

Could you show all log lines in that file with that timestamp (in case there were any more)?

[Kigen]

Code:

] rcon plugin_print ; rcon meta list ; rcon sm plugins list
Loaded plugins:
---------------------
0:    "Mattie's EventScripts, http://mattie.info/cs, Version:1.5.0.171"
1:    "StatsmeMinimum-Plugin 1.3.0.9, Roger Devil"
2:    "Metamod:Source Interface v1.4.2.414"
---------------------
L 03/05/2008 - 20:27:58: rcon from "ip removed": command "plugin_print"
-Id- Name                  Version     Author               Status  
[01] SourceMod             1.0.0.185   AlliedModders LLC    RUN     
[02] FPS Boost             1.0         sslice               RUN     
[03] CS:S Tools            1.0.0.178   AlliedModders LLC    RUN     
[04] SDK Tools             1.0.0.177   AlliedModders LLC    RUN     
[05] SBSRC-MM              V:2.5.4     devicenull           RUN     
L 03/05/2008 - 20:27:58: rcon from "ip removed": command "meta list"
[SM] Listing 43 plugins:
  01 "Admin File Reader" (1.0.0.1857) by AlliedModders LLC
  02 "SQL Admins (Prefetch)" (1.0.0.1541) by AlliedModders LLC
  03 "Admin Help" (1.0.0.1857) by AlliedModders LLC
  04 "Admin Menu" (1.0.0.1857) by AlliedModders LLC
  05 "Admin loggin" (1.0) by vIr-Dan
  06 "Ads" (1.0.4.0) by Shane A. ^BuGs^ Froebel
  07 "Aimbot Detection" (0.0.1.0) by devicenull
  08 "Anti-Flood" (1.0.0.1857) by AlliedModders LLC
  09 "Bad name ban" (1.45) by vIr-Dan
  10 "Bad name ban" (1.59) by vIr-Dan
  11 "Basic Chat" (1.0.0.1857) by AlliedModders LLC
  12 "Basic Comm Control" (1.0.0.1857) by AlliedModders LLC
  13 "Basic Commands" (1.0.0.1857) by AlliedModders LLC
  14 "Basic Fun Commands" (1.0.0.1857) by AlliedModders LLC
  15 "Basic Fun Votes" (1.0.0.1857) by AlliedModders LLC
  16 "Basic Info Triggers" (1.0.0.1857) by AlliedModders LLC
  17 "Basic Votes" (1.0.0.1857) by AlliedModders LLC
  18 "All Command and ConVar Lister" (1.0) by Upholder of the [BFG]
  19 "HP left" (1.1) by vIr-Dan
  20 "LastX" (1.2) by HomicidalApe
  21 "ManiCompat" (1.0.0) by red!
  22 "Name Changer" (1.3) by bl4nk
  23 "Nextmap" (1.0.0.1857) by AlliedModders LLC
  24 "Observe Client" (1.1) by WhiteWolf
  25 "SlapSlay Commands" (1.0.0.1857) by AlliedModders LLC
  26 "Players Votes" (1.2.2) by pZv!
  27 "Quake Sounds" (1.8) by dalto
  28 "QuickDefuse" (0.3) by pRED*
  29 "RateChecker" (0.2) by pRED*
  30 "Advanced Client Redirect" (1.0) by Olly/Tobi
  31 "Reserved Slots" (1.0.0.1857) by AlliedModders LLC
  32 "Rock The Vote" (1.0.0.1800) by AlliedModders LLC
  33 "Money Per Round" (1.0) by Squish
  34 "PlayersList" (0.3) by O!KAK
  35 "SM Super Commands" (0.51) by pRED*
  36 "SM Super Menu" (0.4) by pRED*
  37 "SourceBans" by SteamFriends Development Team
  38 "Spray Pruning" (1.0.0.1) by sslice
  39 "Spray tracer" (2.0) by Nican132
  40 "Swear Replacement" (1.4) by Hell Phoenix
  41 "UserRestrict" (1.1.0) by theY4Kman
  42 "Web Shortcuts" (1.0.1) by James "sslice" Gray
  43 "YeGods High Ping Remover" (1.0.1.7) by dubbeh
L 03/05/2008 - 20:27:58: rcon from "ip removed": command "sm plugins list"

The amount of stuff on EventScripts is just a auto reboot.

[KMFrog]

• Theres a bug while the map is changing/has ended that sometimes dumps a persons chat message into the logs as from console if they send it just at the right time... so its kinda useless searching for console messages as even if you never used "say" via rcon, you would still have some.

• You run event scripts..... this opens up a whole new door which has nothing to do with SM at all and is just (if not more ) insecure.

• You run multiple versions of the same plugin which would at best, cause performance loss for no reason (there could also be many compatibility/security problems!)

• You run "unapproved" plugins. (Some may be unapproved for security reasons)

• You need to post your full logs from the time the hack started, to the time it stopped - IP addresses, steamIDs, player names - post everything but any passwords in plain text.

• You need to state if you use SQLite or SQL (injections)

[BAILOPAN]

Did you forget to complete that log snippet as in my post, or were there no other entries? That log entry looks like what KMFrom described, so maybe you should attach the entire log file of the original log snippet.

Also, have you (or anyone else) actually witnessed said console text being broadcast in-game?

At this point, given the number of other administration tools you have installed (including third party SourceMod plugins), my recommendation would be to:

• Make sure that the person's steam ID isn't in any of your administration configuration files or your SQL admin database.
• Disable third-party plugins that implement generic administration features, such as SourceBans and SM Super Commands+Menu.
• Enable debug mode in plugin_settings.cfg
• See if the situation happens again.