Critical Vulnerability in Cracked Servers

.ISO

FS Member
A critical security vulnerability has been discovered in cracked servers (servers with a cracked engine.dll), and it was discovered by a mysterious man called MR.Clean, who is a cracked server hater. The exploit would let the hacker seize root access to the server's operating system, which would allow the hacker to manipulate the system: delete, steal and upload files to the server, and even DOWNLOAD files from it. A few people who observed it have claimed that srcds stalled for a moment and ftp.exe was spawned automatically. A similar thing would happen if you are running Linux as well.
Here is a conversation between Mr. Clean and my friend, who operates a popular 32-man cracked server.

Mr. Clean: I have a piece of information for you
----: ?
Mr. Clean: Pirate servers have a security vulnerability
Mr. Clean: As long as your server is pirate
Mr. Clean: I will kill it
Mr. Clean: randomly
----: whos this
Mr. Clean: Someone who doesn't like pirate servers
----: whats the vulnerability
Mr. Clean is now Offline.
Mr. Clean is now playing Team Fortress 2. Click here to join.
Mr. Clean is now Online.
Mr. Clean: Did you get that
Mr. Clean: ----: whos this
Mr. Clean: Someone who doesn't like pirate servers
Mr. Clean: I deleted everything related to your tf2 server
Mr. Clean: I left it as that as a warning
Mr. Clean: if you start up another pirate server I will hose the operating system
----: lol
----: stfu
Mr. Clean: lol
Mr. Clean: your server hasn't come back

MR.Clean's Steam Community page can be accessed here:
Steam Community :: ID :: Mr.CleanESQ

If you know how this exploit was done, please let me know, so I can contact vivanty and other server crack makers. I am also developing my own crack, so I need to know about this as well. Thanks and be safe.
 
It's probably a modified engine.dll to allow the user access through a trojan/RAT.


Also, this is on Rin. It's apparently done through the VUP (Vitlyns) project.
 
Yep, as I said, my friend posted that thread on Rin, but he didn't tell them the details of what the exploit can do. It's pretty damn serious.
 
Yes, if you can take down a server, that means you DoS'd it. It's a script; run it against any cracked server and you'll take it down.
 
Thanks for the info, but this was patched like 2 years ago, and viytan said that this is not the exploit.
 
It may be patched, but other people don't know that there's an update to stop it ^^

Oh, and good effort posting that which I linked you to.
 
"but this was patched like 2 years ago,"
I was talking about the exploit that delta posted

"It may be patched"
no it's not

"It's not patched"
It's not patched
 
The one delta posted:

2008-01-06 Half-Life CSTRIKE Server 1.6 Denial of Service Exploit (no-steam)

That is all.
 
UPDATE:

Original Link:
http://209.85.141.104/search?q=cach...hp?t=73039+core2.smx&hl=en&ct=clnk&cd=2&gl=ca

Just today I've switched from Mani Admin to MetaMod:Source v1.6.1.671 and SourceMod v1.0.2.2236 + the following SourceMod plug-ins:

Code:

[SM] Listing 17 plugins:
01 "Admin File Reader" (1.0.2.2236) by AlliedModders LLC
02 "Admin Help" (1.0.2.2236) by AlliedModders LLC
03 "Admin Menu" (1.0.2.2236) by AlliedModders LLC
04 "Anti-Flood" (1.0.2.2236) by AlliedModders LLC
05 "Basic Chat" (1.0.2.2236) by AlliedModders LLC
06 "Basic Comm Control" (1.0.2.2236) by AlliedModders LLC
07 "Basic Commands" (1.0.2.2236) by AlliedModders LLC
08 "Basic Info Triggers" (1.0.2.2236) by AlliedModders LLC
09 "Basic Votes" (1.0.2.2236) by AlliedModders LLC
10 "HLstatsX Plugin" (2.3) by Tobi17
11 "Nextmap" (1.0.2.2236) by AlliedModders LLC
12 "Players Votes" (1.2.5) by pZv!, The Resident
13 "Reserved Slots" (1.0.2.2236) by AlliedModders LLC
14 "SourceBans" (1.1.0) by SteamFriends Development Team
15 "SourceBans Sample Plugin" (1.0.0 RC2) by SteamFriends Development Team
16 "TeamSwitch" (1.3) by MistaGee
17 "TF2 Fast Respawns" (1.0.5) by WoZeR

+ the following MetaMod plug-in:
svtags_mm

All running on a Windows XP SP3 machine with all the updates (was running with Mani since September). It's an Orange Box TF2 server (3 instances).

After several hours of testing, all my servers (3 srcds processes) restarted and I noticed someone trying to log in to this server via Remote Desktop. I was lucky that I was logged in via Remote Desktop at that time too, so I got the prompt from Windows that someone was trying to log in, asking whether I would like to close all the programs or not.

I said no, went to Control Panel | User Account and found a new "srcds" user created there. This was a new user, so I deleted it and traced it to the:

core2.smx

plug-in, which appeared under sourcemod\plugins of each TF2 installation. It's very small and looks like a downloader. Apparently, this core2.smx (which appears as "SourceMod Core" plug-in in the sm plugins list) downloaded the real malware to my machine and saved it into the same directory under the name core2.dat.

Looking inside core2.dat with a text editor, I found that it's a binary executable with the following piece of debug info:

c:\Programming\hack_mm\msvc8\Release - Orange Box\stub_mm.pdb

and also importing functions like:

Code:

NetUserAdd
NetUserSetInfo
LoadUserProfileA

and so on

which shows that this piece of shit code is responsible for creating the new user in my system.

The question is, how did it get through, and how do I prevent it from appearing again? I've tried deleting these files and restarting my servers; this happened again some minutes later. It's probably some automated bot which scans for vulnerable servers and installs the virus.

I checked the TF2 logs and SourceMod logs and found nothing suspicious.
So... the hacker was using SourceMod as a backdoor...
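A defender-side audit that follows from this post, written as an added example (not code from the poster or from SourceMod): it walks a sourcemod\plugins folder, flags any file that is not a .smx the operator installed, and byte-scans each file for the NetUserAdd/NetUserSetInfo/LoadUserProfileA names the poster found in core2.dat. The allowlist filenames and the folder contents are constructed here; a real run would point it at each server's plugins folder.

```python
"""Audit a SourceMod plugins folder for dropped files such as core2.smx/core2.dat."""
import tempfile
from pathlib import Path

# Import names the poster found inside core2.dat; a file in a plugins folder
# that references the Windows user-management API deserves a closer look.
SUSPICIOUS_IMPORTS = (b"NetUserAdd", b"NetUserSetInfo", b"LoadUserProfileA")


def audit_plugins_dir(plugins_dir: Path, allowlist: set) -> list:
    """Return (filename, reason) findings for files the operator did not install.

    allowlist holds the .smx filenames the operator deliberately installed (an
    assumption here: the page lists plugin display names, not filenames).
    """
    findings = []
    for path in sorted(plugins_dir.iterdir()):
        if not path.is_file():
            continue
        if path.suffix.lower() != ".smx":
            # Only .smx plugins belong here; a payload such as core2.dat does not.
            findings.append((path.name, "non-plugin file in plugins folder"))
        elif path.name not in allowlist:
            # core2.smx showed up as "SourceMod Core" in the plugin list, so go
            # by filename and allowlist rather than by display name.
            findings.append((path.name, "plugin not on operator allowlist"))
        data = path.read_bytes()
        hits = [imp.decode() for imp in SUSPICIOUS_IMPORTS if imp in data]
        if hits:
            findings.append((path.name, "references " + ", ".join(hits)))
    return findings


def demo() -> list:
    """Build a constructed plugins folder mirroring the incident and audit it."""
    root = Path(tempfile.mkdtemp()) / "sourcemod" / "plugins"
    root.mkdir(parents=True)
    allow = {"basecommands.smx", "nextmap.smx"}  # constructed allowlist
    for name in ("basecommands.smx", "nextmap.smx", "core2.smx"):
        (root / name).write_bytes(b"\x00" * 32)  # constructed plugin stand-ins
    # Constructed stand-in for core2.dat: not a real PE, only the import
    # names the poster saw in the dropped binary.
    (root / "core2.dat").write_bytes(
        b"MZ" + b"\x00" * 16 + b"NetUserAdd\x00NetUserSetInfo\x00LoadUserProfileA\x00")
    return audit_plugins_dir(root, allow)


if __name__ == "__main__":
    for fname, reason in demo():
        print(f"{fname}: {reason}")
```

Pairing this with a check that no unexpected local account (such as the "srcds" user above) exists covers the other artifact the post describes.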
 
Negative, core2 is not actually part of the base SourceMod package; either he's got a bad plugin people are exploiting or someone's got his admin password.
 
"c:\Programming\hack_mm\" modified metamod please? Unless he has the sockets extension loaded, he's not gonna be able to download anyway.
 
However we do know that AMX/SourceMod don't work properly on cracked servers, so we know some modification of the original source occurred.
 