Garry's Mod Leaks
[Info] What are backdoors, how do they work, how do you find them, how to stop them
Submitted by Poggers kekw, 20-02-2023, 07:06 PM, Thread ID: 260436
What Are Backdoors?
Backdoors are snippets of code that give an attacker full access to your server.
Why should I care?
Having full server-side access can be very harmful, because with it attackers can: ruin your economy, get everyone's IPs, grab all of your addons, put ads over clients' screens to make the attacker money (this has happened before), hold you, your server, or your files to ransom, and run visuals on your server.
How do they work?
There are many types of backdoors; here are some: web panels, webhooks, net strings, and concommands.

Web panels use an HTTP request to fetch a page and run the code on that page. What makes a web panel a web panel is that the attacker can control your server from the website.

Webhooks are just like web panels, but they report your server name, server password (if there is one) and net string to the attacker. The attacker usually can't control your server from the webhook alone, but they still have server-side access.

Net strings are just net messages that can run code on the server or run console commands. This requires the attacker to be on the server to use it, and they are not notified when your server loads the backdoor.

Concommands are malicious console commands that can give superadmin, unban accounts, give money, or ban people. This is usually a very beginner tactic.
What does a backdoor look like?
There are two types of backdoors: function-based and global-based (this is not actually correct, but it's how I sort them).

Function-based backdoors are the simplest: they call a code-executing function directly, for example RunString, RunStringEx (the same thing as RunString) or CompileString.

Global-based backdoors are a lot harder to find. They use a global variable to reach every function in table form and then call the code-executing functions from that table. For example, _G is the global table, and to call RunString through _G you write _G["RunString"]. What makes global-based backdoors hard to find is that the code-executing function is looked up by a string, so that string can be encoded or otherwise obfuscated to make it unsearchable. Some such globals are _G, debug.getfenv() and debug.getregistry().
How do I stop them?
Most backdoor blockers use a tactic called "detouring". Detouring is when you preserve a vanilla Lua function and then overwrite it, which lets you change it and add code to it while still calling the preserved function from inside the overwritten one. Example (this code prints every string handed to RunString; a real blocker would inspect that code parameter and refuse to call the preserved RunString when the code looks malicious):
Code:
local preserved_runstring = RunString   -- keep a reference to the vanilla function
function RunString(code, identifier, error_handler)
  print(code)                           -- log whatever is about to be executed
  return preserved_runstring(code, identifier, error_handler)   -- then run it as normal
end
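A fuller version of that detour, written as an added example for this post rather than taken from it or from any existing blocker: it wraps both RunString and CompileString, records which file asked for dynamic execution, refuses code that contains an assumed list of suspicious substrings, and then shows that the "global based" form _G["RunString"] still lands in the detour. The stand-in definitions of RunString and CompileString exist only so the file also runs in plain Lua for testing; inside Garry's Mod the real globals are used.

```lua
-- Added example, not the original post's code: a logging and blocking detour
-- for RunString and CompileString. It runs in plain Lua 5.1+/LuaJIT for
-- testing; inside Garry's Mod the real globals exist, so the stand-ins below
-- are never used.
local compile = loadstring or load

RunString = RunString or function(code, identifier)          -- stand-in outside GMod
    local fn, err = compile(code, identifier)
    if not fn then return err end
    fn()
end
CompileString = CompileString or function(code, identifier)  -- stand-in outside GMod
    local fn, err = compile(code, identifier)
    return fn or err
end

-- Substrings that legitimately executed dynamic code almost never needs
-- (assumed list; extend it with what you see while auditing your own addons).
local SUSPICIOUS = { "http.Fetch", "http.Post", "_G[", "getfenv", "getregistry",
                     "RunString", "CompileString", "string.char" }

local function find_suspicious(code)
    for _, needle in ipairs(SUSPICIOUS) do
        if string.find(code, needle, 1, true) then return needle end
    end
    return nil
end

-- Preserve the vanilla functions first; the detours call these.
local preserved_runstring     = RunString
local preserved_compilestring = CompileString

local blocked, allowed = 0, 0

-- Logs one call together with the stack of whoever asked for dynamic execution
-- and returns the matched needle when the call should be refused. In GMod you
-- would append this line to a log file with file.Append instead of print.
local function audit(kind, code, identifier)
    local hit = find_suspicious(code)
    print(string.format("[blocker] %s %s(%s)%s%s",
        hit and "BLOCKED" or "allowed", kind, tostring(identifier),
        hit and (" contains " .. hit) or "", debug.traceback("", 3)))
    if hit then blocked = blocked + 1 else allowed = allowed + 1 end
    return hit
end

function RunString(code, identifier, handle_error)
    if audit("RunString", code, identifier) then return "blocked by detour" end
    return preserved_runstring(code, identifier, handle_error)
end

function CompileString(code, identifier, handle_error)
    if audit("CompileString", code, identifier) then return "blocked by detour" end
    return preserved_compilestring(code, identifier, handle_error)
end

function blocker_stats() return blocked, allowed end

-- The "global based" form _G["RunString"] looks the global up at call time, so
-- it reaches the detour exactly like a direct call does.
RunString("print('hello from a direct call')", "direct_call")
_G["RunString"]("print('hello via _G')", "global_lookup")
_G["RunString"]("_G['RunString'](\"print('nested')\")", "suspicious")
print(blocker_stats())
```

The third call is refused because its code contains both "_G[" and "RunString". One caveat the post does not mention: a detour only affects references resolved after it is installed, so an addon loaded earlier that did `local r = RunString` keeps the vanilla function; load the blocker as early as possible in the server's startup order.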
How do I find them?
Use a program like Sublime Text or Visual Studio: drag the leak folder onto the program, right-click it and click "Search folder". There you can search for strings to find function-based or global-based backdoors. Here are some strings to search for: RunString, CompileString, http., _G, getfenv, getregistry.
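The editor search above finds the plain spellings, but as the post notes a global-based backdoor can hide the name behind an encoded string. The following scanner is an added example, not part of the post, that searches for the same strings and goes one step further: it decodes decimal escape sequences ("\82\117\110...") and string.char(...) calls before matching, so the hidden spellings show up too. The sample addon code at the bottom is constructed for the demonstration; scan_file and the arg loop assume you run it in standalone Lua on an extracted folder (lua scan.lua file1.lua file2.lua), not inside the game.

```lua
-- Added example, not from the original post: a scanner for the strings the post
-- says to search for, extended with two ways those strings get hidden:
-- decimal escapes ("\82\117\110...") and string.char(82, 117, 110, ...).
-- Meant for standalone Lua on an extracted addon folder (lua scan.lua a.lua b.lua).
local NEEDLES = { "RunString", "CompileString", "http.", "_G",
                  "getfenv", "getregistry", "string.char" }

-- Replace "\NNN" decimal escapes with the bytes they stand for.
local function decode_escapes(s)
    return (s:gsub("\\(%d%d?%d?)", function(d)
        local n = tonumber(d)
        if n <= 255 then return string.char(n) end   -- nil keeps the original text
    end))
end

-- Replace string.char(82, 117, ...) with the quoted text it would build.
local function decode_string_char(s)
    return (s:gsub("string%.char%s*%(([%d%s,]+)%)", function(args)
        local out = {}
        for n in args:gmatch("%d+") do
            n = tonumber(n)
            if n > 255 then return nil end
            out[#out + 1] = string.char(n)
        end
        return '"' .. table.concat(out) .. '"'
    end))
end

-- Scan the contents of one file. Each hit records the line number, the needle,
-- whether it was only visible after decoding, and the offending line.
function scan_source(text)
    local hits, lineno = {}, 0
    for line in (text .. "\n"):gmatch("(.-)\n") do
        lineno = lineno + 1
        local decoded = decode_string_char(decode_escapes(line))
        for _, needle in ipairs(NEEDLES) do
            local plain  = line:find(needle, 1, true) ~= nil
            local hidden = not plain and decoded:find(needle, 1, true) ~= nil
            if plain or hidden then
                hits[#hits + 1] = { line = lineno, needle = needle, hidden = hidden, text = line }
            end
        end
    end
    return hits
end

function scan_file(path)
    local f = assert(io.open(path, "rb"))
    local text = f:read("*a")
    f:close()
    return scan_source(text)
end

local function report(name, hits)
    for _, h in ipairs(hits) do
        print(string.format("%s:%d: %s%s", name, h.line, h.needle,
            h.hidden and "  (hidden behind an escape sequence or string.char)" or ""))
        print("    " .. h.text)
    end
end

-- Constructed sample (not taken from any real addon): a plain call, the same
-- name written as decimal escapes, and CompileString built with string.char.
local SAMPLE = [[
hook.Add("Think", "money_timer", function() end)
RunString(payload)
_G["\82\117\110\83\116\114\105\110\103"](payload)
local f = _G[string.char(67,111,109,112,105,108,101,83,116,114,105,110,103)]
]]
report("sample.lua", scan_source(SAMPLE))

for _, path in ipairs(arg or {}) do report(path, scan_file(path)) end
```

On the sample, the second line is reported as a plain RunString hit, the third as _G plus a hidden RunString, and the fourth as _G and string.char plus a hidden CompileString; the hook.Add line produces nothing. Expect false positives on legitimate addons that use http. or _G for ordinary reasons, so treat each hit as something to read, not as proof of a backdoor.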
Thanks for taking the time to read this informative narrative. Please like or +rep me if you found it useful.