04-12-2021, 01:40 AM
(This post was last modified: 04-12-2021, 12:23 PM by RussEfarmer. Edited 2 times in total.)
I'm posting this on the forums because it's clear this won't be a very quick fix..
EDIT: it was
Some backstory: Sometime around April 5th in the early morning, a hacker (or multiple) came on the server with knowledge of a security hole in our server. He took advantage of this security hole with a modified hack client that allowed him to broadcast any image he wanted to around to everyone on the server. It was used to show porn. About an hour later, presumably the same hacker(s) arrived with alt accounts, and started attacking the server with a unique lag script that not only made the server lag, but streamed a huge amount of garbage data to every person connected to the server, crashing the game when you tried to connect.
Here are screenshots:
First screenshot by Speedydog showing a ULX Admin Echo reading "Banana Papoya started streaming (Console)'s screen"
Another screenshot by Speedydog showing either another hacker or the same hacker under an alias running the command
Part of a packet capture I took trying to connect to the server while the lag script was running. The server was sending me 1.5Mbps of this, all the while having less than 1 FPS
Screenshot of me recreating the ULX Admin Echo, but not the screen sharing exploit. I could not recreate it fully.
The command that triggers the ULX Admin Echo is grabscreen_stream 1, but does not do anything outside of showing the message. If anyone can find something else it does without a hacked client, it would be appreciated.
@B0T.ikillyou managed to actually find the exact script this console command gets added by. This is a screengrabbing addon that no longer works with this version of Garry's Mod. I don't have a low enough level of understanding of this script to accurately explain what it's doing, but basically, a callback function runs when you change that cvar to 1. That callback function starts a chain of client/server networking messages that basically comes back around to being able to send a jpeg image to literally whoever you want on the server. All you have to do to take advantage of this is some custom code and a hack injector to run it with.
TL;DR there is a file on Prophunt, and possibly other servers, called grabscreen.lua that is currently making the server extremely vulnerable to hacker attacks. This file allows a hacker to stream jpeg images to everyone on the server in full screen as many times as they want to, and it is highly probable that it is the culprit of the lag attacks Prophunt has been enduring on and off the past couple weeks. Now that this exploit is known by both us and most likely dozens of hacker forum lurkers, the offending addon needs to be removed immediately.
EDIT: it was
Some backstory: Sometime around April 5th in the early morning, a hacker (or multiple) came on the server with knowledge of a security hole in our server. He took advantage of this security hole with a modified hack client that allowed him to broadcast any image he wanted to around to everyone on the server. It was used to show porn. About an hour later, presumably the same hacker(s) arrived with alt accounts, and started attacking the server with a unique lag script that not only made the server lag, but streamed a huge amount of garbage data to every person connected to the server, crashing the game when you tried to connect.
Here are screenshots:
First screenshot by Speedydog showing a ULX Admin Echo reading "Banana Papoya started streaming (Console)'s screen"
Another screenshot by Speedydog showing either another hacker or the same hacker under an alias running the command
Part of a packet capture I took trying to connect to the server while the lag script was running. The server was sending me 1.5Mbps of this, all the while having less than 1 FPS
Screenshot of me recreating the ULX Admin Echo, but not the screen sharing exploit. I could not recreate it fully.
The command that triggers the ULX Admin Echo is grabscreen_stream 1, but does not do anything outside of showing the message. If anyone can find something else it does without a hacked client, it would be appreciated.
@B0T.ikillyou managed to actually find the exact script this console command gets added by. This is a screengrabbing addon that no longer works with this version of Garry's Mod. I don't have a low enough level of understanding of this script to accurately explain what it's doing, but basically, a callback function runs when you change that cvar to 1. That callback function starts a chain of client/server networking messages that basically comes back around to being able to send a jpeg image to literally whoever you want on the server. All you have to do to take advantage of this is some custom code and a hack injector to run it with.
TL;DR there is a file on Prophunt, and possibly other servers, called grabscreen.lua that is currently making the server extremely vulnerable to hacker attacks. This file allows a hacker to stream jpeg images to everyone on the server in full screen as many times as they want to, and it is highly probable that it is the culprit of the lag attacks Prophunt has been enduring on and off the past couple weeks. Now that this exploit is known by both us and most likely dozens of hacker forum lurkers, the offending addon needs to be removed immediately.