List of possible server attackers (BLIDS 34102, 43991, 43126)

[Ipquarx]

I was helping a player named Ares with his server being attacked and spammed by someone exploiting the recently discovered eval exploit.

As I was telling him to add me on steam someone was repeatedly disconnecting me with the message "awww_:(" (pictured below) and giving me super admin.



I collected a console.log from him, helped him remove the exploit, and looked through it to see who could possibly be abusing it.

Here's the console.log: justfilehosting.space/download.php?f=vwuir (Posted with his permission)

I looked through it to see when the first instance of evidence of the exploiting was happening. Luckily, whoever was doing it made a couple mistakes in their coding before they actually did anything.

First connect request besides the host was from Biller (ID 43126, IP 179.197.0.97)
Second connect request was from Pipblade (ID 34102, IP 72.198.81.25)
Third request was from a person who disconnected before the exploiting started.
Fourth request was from Setro (ID 43991, IP 24.47.111.232)

One of those 3 people was using the exploit. I am not pointing fingers at any specific one of them. It's also possible none of them were actually the ones attacking the server, but I have my doubts.

[Ad Bot]

[Akio]

I blame Setro

[-Setro-]

What the forget?
I was building a fort, that's all I was doing.

[Ipquarx]

What the forget?
I was building a fort, that's all I was doing.

I am not pointing fingers at any specific one of them. It's also possible none of them were actually the ones attacking the server, but I have my doubts.

I want people to understand that one of those 3 people were using the exploit, FOR CERTAIN. There is not enough evidence to conclude which one.

[-Setro-]

I'm still going to get blamed because of my reputation.
Man, forget this community.

[Akio]

I blame Setro

[Nasa12]

[-Setro-]

Good job, you quoted yourself.

Also, how did you come to the conclusion that it was one of the three of the BL_ID's above?
I don't see anything in console that has "43991" in it rather than persistence, connections, and an admin attempt (because the hacker claimed to have changed the password)

[Otis Da HousKat]

I'm still going to get blamed because of my reputation.
Man, forget this community.

forget you too. Acting awfully suspicious even though there isn't anything concrete against you.

[Nasa12]

Good job, you quoted yourself.

Also, how did you come to the conclusion that it was one of the three of the BL_ID's above?
I don't see anything in console that has "43991" in it rather than persistence, connections, and an admin attempt (because the hacker claimed to have changed the password)

You're a hax

[-Setro-]

forget you too. Acting awfully suspicious even though there isn't anything concrete against you.

You'd defend yourself too if your BL_ID was there.

[randomtroll39]

Good job, you quoted yourself.

Also, how did you come to the conclusion that it was one of the three of the BL_ID's above?
I don't see anything in console that has "43991" in it rather than persistence, connections, and an admin attempt (because the hacker claimed to have changed the password)

He said he isn't blaming you.
You've basically confirmed it's you by being so defensive

[Otis Da HousKat]

You'd defend yourself too if your BL_ID was there.

You're on the list because you were there in the time frame when the attacks started happening. That's all. Calm down.

[TrollBoat]

I have a reliable source saying it's Setro..

[Ipquarx]

Also, how did you come to the conclusion that it was one of the three of the BL_ID's above?

Because as those 3 IDs were connected, this popped up in the console log:
Syntax error in input.
eval error >> %name = $OutputEvent_Name_output;echo("it;

That's the exploit, with invalid code place in it. The full console log is linked in the OP.

I'd also like to point out that again, there's not enough evidence to conclude which one did it, and no, setro's behaviour is normal in this kind of situation.