Critical Vulnerbility in Cracked Servers

.ISO · Jul 25, 2008

A critcal security vulnerbility has been discovered in cracked servers (server with cracked engine.dll), and this has been discovered by a misterious man called MR.Clean, who is a crack server hater. The exploit would let the hacker seize root access to the server's operating system, which will allow the hacker to manipulate the system, such as delete, steal, upload files to the server, and even DOWNLOAD files from it. A few people who observed the have has claimed that the scrds was stalled for a moment, and ftp.exe was spawned automatically. A similar thing would happen if you are running linux as well.
Here is a conversation between my friend, who is a server operator of a popular 32 man cracked server.

Mr. Clean: I have a piece of information for you
----: ?
Mr. Clean: Pirate servers have a security vulnerability
Mr. Clean: As long as your server is pirate
Mr. Clean: I will kill it
Mr. Clean: randomly
----: whos this
Mr. Clean: Someone who doesn't like pirate servers
----: whats the vulnerability
Mr. Clean is now Offline.
Mr. Clean is now playing Team Fortress 2. Click here to join.
Mr. Clean is now Online.
Mr. Clean: Did you get that
Mr. Clean: ----: whos this
Mr. Clean: Someone who doesn't like pirate servers
Mr. Clean: I deleted everything related to your tf2 server
Mr. Clean: I left it as that as a warning
Mr. Clean: if you start up another pirate server I will hose the operating system
----: lol
----: stfu
Mr. Clean: lol
Mr. Clean: your server hasn't come back

MR.Clean's steam community page can be accessed here:
Steam Community :: ID :: Mr.CleanESQ

If you know how this exploit was done, please let me know, so i can contact vivanty and other server crack makers. Also, i am also developing my own crack, so i need to know about this as well. Thanks and be safe.

WorldWarIII · Jul 25, 2008

Thanks for the heads up.

Renegade89 · Jul 25, 2008

You sure its not just someone who has access already to your server?

WorldWarIII · Jul 25, 2008

It's probably a modified engine.dll to allow the user access through a trojan/rat.

Also, this is on rin. It's apparently through using VUP (Vitlyns) project.

.ISO · Jul 25, 2008

Yep, as i said, my friend posted that thread on Rin, but he didn't tell them the details on what the exploit can do. It's pretty damn seirous.

Trigger-happy · Jul 26, 2008

lol the sound of that convo he sounds like a pervert

.ISO · Jul 26, 2008

Yea...

deltatsunami · Jul 26, 2008

ScRiPt KidDy OmG

.ISO · Jul 26, 2008

Do you have the script

deltatsunami · Jul 26, 2008

Echo419 probably does.. he has everything. Ask him.

.ISO · Jul 26, 2008

He probably DOESN'T. This is extremely private lol. I'll ask him anyways.

deltatsunami · Jul 26, 2008

Excuse me but there is no such thing as privacy on the internet.
http://downloads.securityfocus.com/vulnerabilities/exploits/27159.php

.ISO · Jul 26, 2008

No i don't think that's the one. This have nothing to do with DDOS.
Also, wtf do u do with that

deltatsunami · Jul 26, 2008

Yes, if you can take down a server that means you DoS'd it. Its a script, run it agasint any cracked servers and you'll take it down.

.ISO · Jul 27, 2008

Thanks for the info, but this was patched like 2 years ago, and viytan said that this is not the exploit

FSOwner · Jul 28, 2008

It may be patched but other people don;t know that there's an update to stop it ^^

Oh and good effort posting that which i linked you to.

.ISO · Jul 28, 2008

It's not patched

FSOwner · Jul 28, 2008

† .ISO™ † said:
but this was patched like 2 years ago,

Echo419 said:
It may be patched

† .ISO™ † said:
It's not patched

Decision please?

rushil01 · Jul 28, 2008

rofl hahaha

.ISO · Jul 28, 2008

"but this was patched like 2 years ago,"
i was talkin about the exploit that delta posted

"It may be patched"
no it's not

"It's not patched"
It's not patched

FSOwner · Jul 30, 2008

One delta posted,

2008-01-06 Half-Life CSTRIKE Server 1.6 Denial of Service Exploit (no-steam)

That is all.

.ISO · Jul 30, 2008

But that wasn't it.

.ISO · Aug 9, 2008

UPDATE:

Original Link:
http://209.85.141.104/search?q=cach...hp?t=73039+core2.smx&hl=en&ct=clnk&cd=2&gl=ca

Just today I've switched from Mani Admin to the MetaMood:Source v1.6.1.671 and SourceMod v1.0.2.2236 + the following SourceMod plug-ins:

Code:

[SM] Listing 17 plugins:
01 "Admin File Reader" (1.0.2.2236) by AlliedModders LLC
02 "Admin Help" (1.0.2.2236) by AlliedModders LLC
03 "Admin Menu" (1.0.2.2236) by AlliedModders LLC
04 "Anti-Flood" (1.0.2.2236) by AlliedModders LLC
05 "Basic Chat" (1.0.2.2236) by AlliedModders LLC
06 "Basic Comm Control" (1.0.2.2236) by AlliedModders LLC
07 "Basic Commands" (1.0.2.2236) by AlliedModders LLC
08 "Basic Info Triggers" (1.0.2.2236) by AlliedModders LLC
09 "Basic Votes" (1.0.2.2236) by AlliedModders LLC
10 "HLstatsX Plugin" (2.3) by Tobi17
11 "Nextmap" (1.0.2.2236) by AlliedModders LLC
12 "Players Votes" (1.2.5) by pZv!, The Resident
13 "Reserved Slots" (1.0.2.2236) by AlliedModders LLC
14 "SourceBans" (1.1.0) by SteamFriends Development Team
15 "SourceBans Sample Plugin" (1.0.0 RC2) by SteamFriends Development Team
16 "TeamSwitch" (1.3) by MistaGee
17 "TF2 Fast Respawns" (1.0.5) by WoZeR

+ the following MetaMod plug-in:
svtags_mm

All running on the Windows XP SP3 machine with all the updates (was running with Mani since September). It's Orange Box TF2 server (3 instances).

After several hours of testing all my servers (3 srcds processes) restarted and I've noticed someone trying to log-in to this server via Remote Desktop. I was lucky that I was logged in at that time via the Remote Desktop too, therefore I've got the question from Windows that someone is trying to log-in, would I like to close all the programs or no.

I said no, went to Control Panel | User Account and found the new "srcds" user created there. This was a new user, so I deleted it and traced it to the:

core2.smx

plug-in appeared under sourcemod\plugins of each tf2 installation. It's very small and looks like downloader. Apparently, this core2.smx (which appears as SourceMod Core plug-in in the sm plugins list) downloaded the real malware to my machine and saved it into the same directory under the name: core2.dat.

Looking inside the core2.dat using the text editor I found that it's a binary executable with the following piece of the debug info:

c:\Programming\hack_mm\msvc8\Release - Orange Box\stub_mm.pdb

and also importing functions like:

Code:

NetUserAdd
NetUserSetInfo
LoadUserProfileA

and so on

which shows that this piece of shit code is responsible for creating the new user in my system.

The question is, how did it get through, and how to prevent it from appearing again? I've tried deleting these files and restarting my servers, this happened again some minutes later. It's probably some automated bot which scans vulnurable servers and installs the virus.

I checked tf2 logs and sourcemod logs and found nothing suspisious.

So... the hacker was using SourceMod as a backdoor...

FSOwner · Aug 11, 2008

Negative core2 is not actually part of the base sourcemod package, either he's got a bad plugin people are exploiting or someones got his admin password.

.ISO · Aug 11, 2008

I know core2.smx is not part of SM, but the guy is using sm as a backdoor

FSOwner · Aug 11, 2008

"c:\Programming\hack_mm\" modified metamod please? Unless he has the sockets extension loaded he's not gonna be able to download anyway.

.ISO · Aug 11, 2008

we wouldn't know how he did it unless we actually catches someone hacking a bait server

FSOwner · Aug 11, 2008

However we do know that AMX/SourceMod don't work properly on cracked servers, so we know some modification of the original source occurred.

.ISO · Aug 11, 2008

Right. Vivanty also made a fixed ver of SM and AMX mod X, which not alot of people uses.

Critical Vulnerbility in Cracked Servers

FS Member

WorldWarIII

Guest

New Member

WorldWarIII

Guest

FS Member

FS Member

FS Member

New Member

FS Member

New Member

FS Member

New Member

FS Member

New Member

FS Member

FS Owner

FS Member

FS Owner

Maestro of Meyhem

FS Member

FS Owner

FS Member

FS Member

FS Owner

FS Member

FS Owner

FS Member

FS Owner

FS Member

Similar threads

Privacy & Transparency

Privacy & Transparency