Security advisory regarding AMX Mod 2010.1


Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 12-09-2015 , 14:16   Security advisory regarding AMX Mod 2010.1
#1

AMX Mod X security advisory
amxmod.net distributing malware with backdoors

Important note

This special news should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1,
please consider making them aware of this post. This is an important matter that is worth mentioning on the official AMXModX site.

AMX Mod

AMX Mod was officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) is attempting to update it.
Development unfortunately progresses behind closed doors and nobody really knows what's happening.

Context

Some days ago I've been asked to provide help in migrating an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough, the server got attacked a few short hours later
by someone who got hold of the server's RCON password, and it was unclear how the attacker obtained it.

Symptoms

If you are experiencing any of these problems on your server it might be an indication that someone exploited your AMX Mod 2010.1 installation:
  • One or several players are suddenly admins
  • Server performance seems to fluctuate unexpectedly
  • Server appears to crash or shut down randomly
  • Ban lists have been wiped or altered
  • Server files have been altered or deleted

Log analysis

Usually the log does not contain useful information if the RCON password is not yet known (explanations below).
In this specific example however, the password was already known. If you are in this situation you would find similar logs:

His first attempt to check RCON validity:
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"

Adding a SteamID to the admins list, likely via a VPS IP:
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"

Disabling the server log to hide the following commands:
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"
L 12/04/2015 - 11:04:38: Log file closed
Server logging disabled.


Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.


The hidden commands

Since the RCON was already known in this case, the log doesn't help us understand how it has been found.
Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get a hold of this information.

Unfortunately my investigations have found that AMX Mod 2010.1 itself is that malicious server plugin. Naively checking the provided source code on the official website did not lead
to anything. Checking the compiled binaries however revealed some interesting things!

So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function, which is used by the engine to receive input from a client console. The decompilation shows us an unwelcome surprise:



What do we see here?

Mostly a silly attempt to hide specific commands (by checking a string character by character) doing some nasty things:
  • silenmod: Suppress the server log temporarily when the cmdr and cmdc commands are used
  • mrp: Get/change the server's RCON password
  • setaccess: Modify a user's admin access flags
  • cmdr: Execute arbitrary console commands on the server
  • cmdc: Execute arbitrary console commands on a specified client
  • cfile: Check whether a specified file exists
  • wfile: Append data to a specified file
  • dfile: Delete a specified file
  • uptime: Check server uptime
  • slog: Disable server logging completely

Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentication happens during client connection, and we find is_dev_authid() in the binaries:





We can see three hardcoded SteamIDs, checked character by character but without verifying two digits. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:

STEAM_0:?:1169??26 -> STEAM_0:1:11696626 ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0:13923116 ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed

Solution

It appears that only the 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMXMod regardless, strongly consider the following recommendations:
  • Ban these SteamIDs:

    Confirmed wildcard matches:
    STEAM_0:0:11696626
    STEAM_0:0:13923116

    Potential SteamIDs matched by the third wildcard. Checking the 198 valid IDs, these are the ones we found with a profile and with Counter-Strike in their accounts.
    The malicious accounts are likely among the private profiles, but it should be safe to ban them all:
    STEAM_0:0:13201737 ; Private
    STEAM_0:1:13201737 ; Private
    STEAM_0:1:13207837 ; Private
    STEAM_0:1:13203837 ; Private, VAC
    STEAM_0:0:13204137 ; Last Online 2254 days ago
    STEAM_0:0:13205937 ; Last Online 1190 days ago
    STEAM_0:0:13209137 ; Last Online 583 days ago
    STEAM_0:1:13201537 ; Last Online 2764 days ago
    STEAM_0:1:13202837 ; Last Online 678 days ago
    STEAM_0:1:13204537 ; Last Online 1386 days ago

    The SteamIDs used with the amx_addadmin command, attempting to give them admin rights:
    STEAM_0:1:42507932
    STEAM_0:1:39310704
    STEAM_0:1:1108105

  Also follow these basic safety precautions:
  • Change your RCON passwords (consider your passwords compromised even if nothing has happened yet)
  • Check your plugin sources and don't hesitate to recompile them yourself
  • Don't trust this developer with future binary updates (AMXMod 2016 is apparently coming up). Feel free to contact me to make sure you are safe.
  • Back up all your configuration files.
  • Keep an eye on your logs and scan them for suspicious entries

We hope this helps to prevent any security issues on other servers that run AMXMod, or helps them deal with it if they already have 2010.1 installed.

Last edited by asherkin; 02-06-2018 at 14:18. Reason: Use https for images
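The log analysis in the post can be automated. The following is an added Python example, not code from Arkshine's post or from either AMX project: it parses GoldSrc RCON log lines of the shape shown above and tags the commands an operator would want to review (admin grants, logging being switched off, ban-list and password changes), grouping everything else by source IP so that a burst of commands from one address stands out. The sample lines are constructed with documentation IP addresses and a masked password, mirroring the post's entries; the set of flagged console commands is my choice, not something the post prescribes.

```python
import re
from collections import defaultdict

# Shape of a GoldSrc RCON log line (the password is logged in clear; the post masks it):
# L MM/DD/YYYY - HH:MM:SS: Rcon: "rcon <challenge> "<password>" <command>" from "<ip>:<port>"
RCON_RE = re.compile(
    r'^L (?P<date>\d\d/\d\d/\d{4}) - (?P<time>\d\d:\d\d:\d\d): '
    r'Rcon: "rcon (?P<challenge>\d+) "(?P<password>[^"]*)" (?P<command>.*)" '
    r'from "(?P<ip>[\d.]+):(?P<port>\d+)"$'
)
# The line the engine writes when logging stops; everything after it is invisible.
LOGCLOSE_RE = re.compile(r'^L (?P<date>\S+) - (?P<time>\S+): Log file closed$')

# Constructed sample, modelled on the post's entries (RFC 5737 addresses, masked password).
SAMPLE_LOG = """\
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "203.0.113.10:7130"
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "198.51.100.7:7130"
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "198.51.100.7:7130"
L 12/04/2015 - 11:04:38: Log file closed
""".splitlines()


def classify(command):
    """Return a short tag for RCON commands worth a second look, or None.

    The verbs are my selection: the ones seen in the advisory plus the stock
    engine commands that edit ban lists or credentials.
    """
    words = command.split()
    if not words:
        return None
    verb = words[0].lower()
    if verb == "amx_addadmin":
        return "admin grant"
    if verb == "log" and len(words) > 1 and words[1].lower() == "off":
        return "logging disabled"
    if verb in ("rcon_password", "sv_password"):
        return "credential change"
    if verb in ("removeid", "removeip", "writeid", "writeip", "sys_ticrate"):
        return "ban list / server state change"
    return None


def triage(lines):
    """Parse RCON lines, tag the suspicious ones and group all commands by source IP.

    Returns (findings, by_ip): findings is an ordered list of dicts with
    time, ip, command and tag; by_ip maps each source IP to its command list.
    """
    findings = []
    by_ip = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        closed = LOGCLOSE_RE.match(line)
        if closed:
            findings.append({"time": f'{closed["date"]} {closed["time"]}', "ip": None,
                             "command": None, "tag": "log gap starts"})
            continue
        m = RCON_RE.match(line)
        if not m:
            continue  # not an RCON line; chat, kills, connects etc. are ignored here
        ev = m.groupdict()
        by_ip[ev["ip"]].append(ev["command"])
        tag = classify(ev["command"])
        if tag:
            findings.append({"time": f'{ev["date"]} {ev["time"]}', "ip": ev["ip"],
                             "command": ev["command"], "tag": tag})
    return findings, dict(by_ip)


if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]}  {f["tag"]:<32} {f["ip"] or "-":<15} {f["command"] or ""}')
    for ip, cmds in per_ip.items():
        print(f"{ip}: {len(cmds)} rcon command(s)")
```

Run it over a real `logs/L*.log` file by passing the file's lines to `triage()`; a "log gap starts" entry with no matching reopen is itself a signal, since an attacker who already holds the RCON password has no other reason to switch logging off.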
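The dev check described in the post (three hardcoded SteamIDs compared character by character, with the Y field and two account digits left unverified) can be modelled on the defender's side to see exactly which SteamIDs each pattern accepts and to emit ban entries for all of them, which is what the post's ban list does by hand. This is an added Python example, not code from the post or from the AMX binaries; the three patterns are the ones quoted in the post, `screen_connect()` is a hypothetical helper name, and the `banid 0.0 <id>` line format is assumed to be the one the server writes to banned.cfg.

```python
import itertools

# The three wildcard SteamIDs quoted in the advisory ('?' = digit not checked).
DEV_PATTERNS = ["STEAM_0:?:1169??26", "STEAM_0:?:1392??16", "STEAM_0:?:1320??37"]


def matches(pattern, steamid):
    """True when steamid matches pattern position by position ('?' accepts any character).

    This mirrors the loose comparison the post describes; a length mismatch never matches.
    """
    if len(pattern) != len(steamid):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, steamid))


def expand(pattern):
    """Every concrete SteamID a pattern accepts: Y field is 0 or 1, account slots are 0-9."""
    parts = pattern.split(":")
    if len(parts) != 3 or not parts[0].startswith("STEAM_"):
        raise ValueError("unexpected SteamID shape: " + pattern)
    universe, y, account = parts
    y_choices = "01" if y == "?" else y
    slots = [i for i, ch in enumerate(account) if ch == "?"]
    result = []
    for yy in y_choices:
        for digits in itertools.product("0123456789", repeat=len(slots)):
            acct = list(account)
            for slot, d in zip(slots, digits):
                acct[slot] = d
            result.append(f"{universe}:{yy}:{''.join(acct)}")
    return result


def screen_connect(steamid, patterns=DEV_PATTERNS):
    """Defender-side check at client connect: the pattern this SteamID would satisfy, or None."""
    for p in patterns:
        if matches(p, steamid):
            return p
    return None


def banned_cfg(patterns, confirmed=()):
    """banid lines covering the confirmed IDs plus every expansion of each pattern, de-duplicated."""
    ids = list(confirmed)
    for p in patterns:
        ids.extend(expand(p))
    seen, out = set(), []
    for sid in ids:
        if sid not in seen:
            seen.add(sid)
            out.append(f"banid 0.0 {sid}")  # assumed banned.cfg line format
    return out


if __name__ == "__main__":
    for p in DEV_PATTERNS:
        print(f"{p}: {len(expand(p))} candidate SteamIDs")
    print(screen_connect("STEAM_0:0:13923116"))
    for line in banned_cfg(["STEAM_0:?:1320??37"], confirmed=["STEAM_0:0:13923116"])[:3]:
        print(line)
```

Each pattern expands to 200 strings (2 choices for the Y field times 100 for the two unchecked digits); the post's author narrowed the third pattern's 200 candidates to the IDs that actually resolve to Steam profiles, whereas banning the full expansion costs nothing and closes the gap for accounts created later.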
GoRiLliAz
Senior Member
Join Date: May 2013
Old 12-09-2015 , 14:26   Re: Security advisory regarding AMX Mod 2010.1
#2

Good work bro ! You are awesome !!
Last edited by GoRiLliAz; 12-09-2015 at 15:09.
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
Old 12-09-2015 , 19:33   Re: Security advisory regarding AMX Mod 2010.1
#3

Nice catch Arkshine. IMO, the only remedy is to not use anything from that website/author. Use AMX Mod X.
Toots
Member
Join Date: Mar 2007
Old 12-10-2015 , 00:34   Re: Security advisory regarding AMX Mod 2010.1
#4

Good job Arkshine !!!

We have had this problem with it as you know. I'm glad you found the problem.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 12-10-2015 , 04:20   Re: Security advisory regarding AMX Mod 2010.1
#5

Fun fact #1: that person is likely monitoring, either manually or automatically, all servers running AMX, since there are not many: http://www.amxmodx.org/newstats.php?mod_id=0&addon_id=2.

Fun fact #2: in the second screenshot you can see the "is_blocked_authid" function. At client connection, if you are validated with this check, your SteamID and IP are automatically added to the ban list. For some reason, it would appear that my SteamID and ConnorMcLeod's are blocked. Likely because we have known this guy for a long time and this is not the first time he's doing some vicious and nasty things.

Last edited by Arkshine; 12-10-2015 at 04:21.
klippy
AlliedModders Donor
Join Date: May 2013
Location: Serbia
Old 12-10-2015 , 19:20   Re: Security advisory regarding AMX Mod 2010.1
#6

Quote (originally posted by Arkshine):
For some reason, it would appear that my SteamID and ConnorMcLeod's are blocked.
This made me laugh.

Great discovery anyway. I hope that AMX project will really fail now. Misery is right, why would anyone still use that addon in the first place?
antispamtelegram
New Member
Join Date: Dec 2017
Old 12-19-2017 , 10:54   Re: Security advisory regarding AMX Mod 2010.1
#8

why this ?
Relaxing
AlliedModders Donor
Join Date: Jun 2016
Location: White Plains
Old 12-19-2017 , 12:20   Re: Security advisory regarding AMX Mod 2010.1
#9

Quote (originally posted by antispamtelegram):
why this ?

Quote:
amxmod.net distributing malware with backdoors