Security advisory regarding AMX Mod 2010.1
AMX Mod X security advisory
amxmod.net distributing malware with backdoors

Important note

This special news should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1, please consider making them aware of this post. This is an important matter that is worth mentioning on the official AMXModX site.

AMX Mod

AMX Mod was officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) has been attempting to update it. Development unfortunately progresses behind closed doors and nobody really knows what's happening.

Context

Some days ago I was asked to provide help in migrating an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough, the server got attacked a few short hours later by someone who had got hold of the server's RCON password, and it was unclear how the attacker obtained it.

Symptoms

If you are experiencing any of these problems on your server, it might be an indication that someone exploited your AMX Mod 2010.1 installation:

Log analysis

Usually the log does not contain useful information if the RCON password is not yet known (explanations below). In this specific example however, the password was already known. If you are in this situation you would find similar logs:

His first attempt to check RCON validity:

L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"

Adding a SteamID to the admins list, likely via a VPS IP:

L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"

Disabling the server log to hide the following commands:

L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"
L 12/04/2015 - 11:04:38: Log file closed

Server logging disabled. Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.

The hidden commands

Since the RCON password was already known in this case, the log doesn't help us understand how it was found. Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get hold of this information. Unfortunately my investigations have found that AMX Mod 2010.1 itself is that malicious server plugin.

Naively checking the provided source code on the official website did not lead to anything. Checking the compiled binaries however revealed some interesting things! So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function, which is used by the engine to receive input from a client console. The decompilation shows us an unwelcome surprise:

https://i.imgur.com/diPvIVO.png

What do we see here? Mostly a silly attempt to hide specific commands (by checking a string character by character) doing some nasty things:

Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentication happens during client connection, and we find is_dev_authid() in the binaries:

https://i.imgur.com/gg3OHQ6.png
https://i.imgur.com/Oq99nEU.png

We can see three hardcoded SteamIDs, checked character by character but without verifying two digits. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:

STEAM_0:?:1169??26 -> STEAM_0:1:11696626 ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0:13923116 ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed

Solution

It appears that only the 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMXMod regardless, strongly consider the following recommendations:

We hope this helps to prevent any security issues on other servers that run AMXMod, or helps them deal with it if they already have 2010.1 installed.
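As an added example (not part of the advisory above, and not code from Arkshine or the AMX Mod project), the following Python script shows how a server operator could scan a GoldSrc server log for the two things the post describes: RCON commands of the kind the attacker issued (amx_addadmin, log off, sys_ticrate, ban-list edits) and any SteamID that falls under one of the three wildcard masks hardcoded in is_dev_authid(). The masks and the four sample log lines are taken from the post; the log-line format is the standard GoldSrc one shown there. The ban-list commands removeid, removeip, writeid and writeip are the standard GoldSrc ones and are an assumption on my part, since the post only says "clearing ban lists of SteamIDs and IPs".

```python
import re

# The three wildcard SteamID masks quoted in the advisory. The backdoor compares a
# connecting client's authid character by character and skips the '?' positions.
DEV_AUTHID_MASKS = (
    "STEAM_0:?:1169??26",
    "STEAM_0:?:1392??16",
    "STEAM_0:?:1320??37",
)

# Standard GoldSrc ban-list commands (assumption: the advisory does not name them,
# it only mentions "clearing ban lists of SteamIDs and IPs").
BAN_LIST_COMMANDS = {"removeid", "removeip", "writeid", "writeip"}

# GoldSrc RCON log line:
#   L mm/dd/yyyy - hh:mm:ss: Rcon: "rcon <challenge> "<password>" <cmd>" from "<ip>:<port>"
RCON_RE = re.compile(
    r'^L (?P<date>\S+) - (?P<time>\S+): Rcon: "rcon \d+ "[^"]*" (?P<cmd>.*)" '
    r'from "(?P<ip>[\d.]+):(?P<port>\d+)"$'
)
LOG_CLOSED_RE = re.compile(r"^L (?P<date>\S+) - (?P<time>\S+): Log file closed$")
STEAMID_RE = re.compile(r"STEAM_\d:\d:\d+")

# Constructed sample input: the four log lines quoted in the advisory.
SAMPLE_LOG = [
    'L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"',
    'L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"',
    'L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"',
    "L 12/04/2015 - 11:04:38: Log file closed",
]


def authid_matches_mask(authid, mask):
    """True when authid agrees with mask at every position the mask actually checks."""
    return len(authid) == len(mask) and all(
        m == "?" or m == a for a, m in zip(authid, mask)
    )


def matching_masks(authid):
    """All backdoor masks a given SteamID falls under (usually zero or one)."""
    return [m for m in DEV_AUTHID_MASKS if authid_matches_mask(authid, m)]


def classify_command(cmd):
    """Reason string if the RCON command matches the abuse described in the advisory, else None."""
    parts = cmd.split()
    if not parts:
        return None
    verb = parts[0].lower()
    if verb == "amx_addadmin":
        return "admin added through RCON"
    if verb == "log" and len(parts) > 1 and parts[1].lower() == "off":
        return "server logging disabled through RCON"
    if verb in BAN_LIST_COMMANDS:
        return "ban list modified through RCON"
    if verb == "sys_ticrate":
        return "sys_ticrate changed through RCON"
    return None


def analyze_log(lines):
    """Walk log lines in order and return one finding dict per suspicious event."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        closed = LOG_CLOSED_RE.match(line)
        if closed:
            # The log stopping is itself worth flagging: everything after it is invisible.
            findings.append({"time": closed["time"], "ip": None, "command": None,
                             "authids": {}, "reasons": ["log file closed"]})
            continue
        m = RCON_RE.match(line)
        if not m:
            continue
        reasons = []
        reason = classify_command(m["cmd"])
        if reason:
            reasons.append(reason)
        authids = {}
        for authid in STEAMID_RE.findall(m["cmd"]):
            masks = matching_masks(authid)
            if masks:
                authids[authid] = masks
                reasons.append(f"{authid} matches backdoor mask {', '.join(masks)}")
        if reasons:
            findings.append({"time": m["time"], "ip": m["ip"], "command": m["cmd"],
                             "authids": authids, "reasons": reasons})
    return findings


def rcon_sources(lines):
    """Distinct IPs that issued RCON commands, to spot a source the operator does not recognise."""
    return sorted({m["ip"] for m in map(RCON_RE.match, lines) if m})


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["reasons"])
    print("RCON sources:", rcon_sources(SAMPLE_LOG))
```

Run it against a real server log by replacing SAMPLE_LOG with the file's lines. Because the mask check mirrors the lenient comparison in the binary, any connecting SteamID that the backdoor would accept as a "dev" is reported, not just the two the post confirmed; and a "log file closed" event with no matching shutdown is reported on its own, since that is exactly the point after which the log can no longer be trusted.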
Re: Security advisory regarding AMX Mod 2010.1
Good work bro! You are awesome!!
Re: Security advisory regarding AMX Mod 2010.1
Nice catch Arkshine. IMO, the only remedy is to not use anything from that website/author. Use AMX Mod X.
Re: Security advisory regarding AMX Mod 2010.1
Good job Arkshine!!! We have had this problem with it as you know. I'm glad you found the problem.
Re: Security advisory regarding AMX Mod 2010.1
Fun fact #1: that person is likely monitoring, either manually or automatically, all servers under AMX since there are not many: http://www.amxmodx.org/newstats.php?mod_id=0&addon_id=2.
Fun fact #2: in the second screenshot you can see the "is_blocked_authid" function. At client connection, if you are validated by this check, your SteamID and IP are automatically added to the ban list. For some reason, it would appear that my SteamID and ConnorMcLeod's are blocked. Likely because we have known this guy for a long time and this is not the first time he's doing some vicious and nasty things.
Re: Security advisory regarding AMX Mod 2010.1
It must be the French connection. I have to say I was looking forward to the new AMX Mod to see what he plans to bring to the table.
I was pretty sure he was referring to you when I read this part: Quote:
Re: Security advisory regarding AMX Mod 2010.1
Yep. This guy is well known to have an obsession with AMX, even back when the original AMX forum was still there, and it's true I had an argument with him years ago about why he was doing that. Likely he did not like that we pointed out that his latest version is mainly about importing stuff from AMXX and adding some of his "touch" to make his own version, and that therefore, for the sake of admins, it would be advantageous to either contribute to AMXX or create a fork from it. Silence. I stopped caring at this point I guess.
Well, I think he genuinely wants to propose something more ready-to-use as a user, but what he's doing (especially messing with servers when he feels like it) and the way he is doing it is very, very wrong.
Re: Security advisory regarding AMX Mod 2010.1
Who uses that anyway? It's severely less mature than AMXX. Some people really like being different for the sake of being different I guess.
Re: Security advisory regarding AMX Mod 2010.1
When will 1.8.3 be the official version?
Re: Security advisory regarding AMX Mod 2010.1
Quote:
Great discovery anyway. I hope that the AMX project will really fail now. Misery is right, why would anyone still use that addon in the first place?