[Bug Report] New exploit?

egorka2 · **Author**

Hi! Somewhere 2 weeks ago noticed that my sourcebans, there were new admins. I deleted them, then appeared again. It later emerged that dude just a couple of minutes breaks my password on admin and add new admin quietly. And by the logs, modify the data and it can unlock players as Guest.

Naturally passwords are very complex, changing after every break, external access to the database is closed, the 1.4.11 version costs with the latest LFI Fix. None of this helps! As soon as he wants to, he immediately gets my password and goes through my account!

Hacker's steamid - STEAM_0:0:71645076

77.232.152.119 - - [24/Dec/2014:18:03:21 +0300] "GET /index.php?p=home HTTP/1.0" 200 36446
77.232.152.119 - - [24/Dec/2014:18:03:22 +0300] "GET /themes/sourcebans_dark/css/css.php HTTP/1.0" 200 22931
77.232.152.119 - - [24/Dec/2014:18:03:22 +0300] "POST /index.php HTTP/1.0" 200 136
77.232.152.119 - - [24/Dec/2014:18:03:22 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:22 +0300] "POST /index.php HTTP/1.0" 200 136
77.232.152.119 - - [24/Dec/2014:18:03:22 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 136
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 136
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 536
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 533
77.232.152.119 - - [24/Dec/2014:18:03:23 +0300] "POST /index.php HTTP/1.0" 200 141
77.232.152.119 - - [24/Dec/2014:18:03:24 +0300] "GET /index.php?p=admin&c=admins HTTP/1.0" 200 104610
77.232.152.119 - - [24/Dec/2014:18:03:25 +0300] "GET /themes/sourcebans_dark/css/css.php HTTP/1.0" 200 22931
77.232.152.119 - - [24/Dec/2014:18:03:25 +0300] "POST /index.php HTTP/1.0" 200 134
77.232.152.119 - - [24/Dec/2014:18:03:25 +0300] "POST /index.php HTTP/1.0" 200 139
77.232.152.119 - - [24/Dec/2014:18:03:25 +0300] "POST /index.php HTTP/1.0" 200 134
77.232.152.119 - - [24/Dec/2014:18:03:25 +0300] "POST /index.php HTTP/1.0" 200 139

Sarabveer · 12-24-2014 , 10:38 Re: New exploit?

Change every-single password. For MySQL, then Rcon, then SourceBans.

IDK what this exploit is.

egorka2 · 12-24-2014 , 10:53 Re: New exploit?

All passwords are changed ten times, it does not help. order ssl certificate for some statistics too hard.

Rytis · 12-24-2014 , 11:55 Re: New exploit?

I would completely reinstall SourceBans and import the bans

I bet he already created a backdoor for himself

Sarabveer · 12-24-2014 , 14:30 Re: New exploit?

Quote:

Originally Posted by Rytis

I would completely reinstall SourceBans and import the bans

I bet he already created a backdoor for himself

True!

I feel like removing the Demo's function all-together. Since it has so many exploits.

egorka2 · 12-24-2014 , 15:25 Re: New exploit?

Found the backdoor. This gif file as a script on the home page. Remove. Plus set SSL. I think now it will be normal.

Rytis · 12-24-2014 , 16:23 Re: New exploit?

Do you still have a copy of the gif file? If so, could you PM me with the file? I would appreciate it

Sarabveer · 12-24-2014 , 17:11 Re: New exploit?

Can I also have the gif file. Also, did it come pre-installed with SourceBans?

egorka2 · 12-25-2014 , 13:31 Re: New exploit?

Sent to all who asked. Check pm

**Peace-Maker** · 12-26-2014 , 14:04 Re: New exploit?

I'd like to have a look at this as well