Giant security hole!

**RussEfarmer**

I'm posting this on the forums because it's clear this won't be a very quick fix..
EDIT: it was

Some backstory: Sometime around April 5th in the early morning, a hacker (or multiple) came on the server with knowledge of a security hole in our server. He took advantage of this security hole with a modified hack client that allowed him to broadcast any image he wanted to around to everyone on the server. It was used to show porn. About an hour later, presumably the same hacker(s) arrived with alt accounts, and started attacking the server with a unique lag script that not only made the server lag, but streamed a huge amount of garbage data to every person connected to the server, crashing the game when you tried to connect.

Here are screenshots:

First screenshot by Speedydog showing a ULX Admin Echo reading "Banana Papoya started streaming (Console)'s screen"
Another screenshot by Speedydog showing either another hacker or the same hacker under an alias running the command
Part of a packet capture I took trying to connect to the server while the lag script was running. The server was sending me 1.5Mbps of this, all the while having less than 1 FPS
Screenshot of me recreating the ULX Admin Echo, but not the screen sharing exploit. I could not recreate it fully.

The command that triggers the ULX Admin Echo is grabscreen_stream 1, but does not do anything outside of showing the message. If anyone can find something else it does without a hacked client, it would be appreciated.

@B0T.ikillyou managed to actually find the exact script this console command gets added by. This is a screengrabbing addon that no longer works with this version of Garry's Mod. I don't have a low enough level of understanding of this script to accurately explain what it's doing, but basically, a callback function runs when you change that cvar to 1. That callback function starts a chain of client/server networking messages that basically comes back around to being able to send a jpeg image to literally whoever you want on the server. All you have to do to take advantage of this is some custom code and a hack injector to run it with.

TL;DR there is a file on Prophunt, and possibly other servers, called grabscreen.lua that is currently making the server extremely vulnerable to hacker attacks. This file allows a hacker to stream jpeg images to everyone on the server in full screen as many times as they want to, and it is highly probable that it is the culprit of the lag attacks Prophunt has been enduring on and off the past couple weeks. Now that this exploit is known by both us and most likely dozens of hacker forum lurkers, the offending addon needs to be removed immediately.

**Jammin** · 04-12-2021, 02:54 AM

Is that file at all related to the Discord Bot's !ss relay service?

**Tedgp908** · 04-12-2021, 06:16 AM

(04-12-2021, 02:54 AM)Jammin Wrote: Is that file at all related to the Discord Bot's !ss relay service?

It’s almost like I’ve complained this has to be horribly insecure without even looking at the code for it.

***Dinkleberg >:(*** · 04-12-2021, 07:58 AM

I've removed this file from all servers I found it on. Currently I've only found it on PH and Murder.

**RussEfarmer** · (This post was last modified: 04-12-2021, 09:50 AM by RussEfarmer.)

(04-12-2021, 07:58 AM)Dinkleberg >:( Wrote: I've removed this file from all servers I found it on. Currently I've only found it on PH and Murder.

You're a lifesaver. Sorry if I was too mean about it.

(04-12-2021, 02:54 AM)Jammin Wrote: Is that file at all related to the Discord Bot's !ss relay service?

Nope, this addon doesn't have any way to send data to discord or another addon.

**B0T.ikillyou** · 04-12-2021, 10:45 AM

This was like an OG plugin for taking screenshots or recordings of possible hacker's screens back in the day.
Thank you Russ for keeping up with this issue and thank you Dink for taking care of it! Since this has been resolved, I think we can close this thread.

**TheUltraFish** · 04-12-2021, 06:00 PM

Don't know what caused Dink to do something about it this time, but this wasn't a new issue. Hell, I remember a TTT admin telling me about it over a year and a half ago. Anyways, glad it was taken care of finally.

**Here lies Eggroll's Eggrolls** · 04-22-2021, 05:42 AM

Since this is still a fairly new thread I guess I should go ahead and throw this out there. (I'm not saying that this is a good idea at all since after that script being clearly broken and having an exploit) There is an updated version of this screen-grabbing script that has been uploaded to the steam workshop here. It doesn't throw console errors (the old script did) and it works well. I'm not saying that it'd be a good idea buuut if it is truly missed by people and needed then that is the updated version of that addon that could be added to the server with the click of a few buttons. The only downside is that the ULX integration has been taken out of this version and only admins have access to the screen grabbing command. Yes, it is possible to re-add that but thinking about it that probably got removed for a good reason. Also, I'm sure that would take a lot of time to do. Again this isn't a suggestion to add the updated version of the script to the server... I am just pointing out that the script has been updated and if it's truly missed then could be considered being added back to the server as long as it doesn't have that horrible security exploit which I am not sure of but wouldn't chance it.

**RussEfarmer** · 04-22-2021, 09:16 AM

(04-22-2021, 05:42 AM)Here lies Eggroll's reputation.~ Wrote: Since this is still a fairly new thread I guess I should go ahead and throw this out there. (I'm not saying that this is a good idea at all since after that script being clearly broken and having an exploit) There is an updated version of this screen-grabbing script that has been uploaded to the steam workshop here. It doesn't throw console errors (the old script did) and it works well. I'm not saying that it'd be a good idea buuut if it is truly missed by people and needed then that is the updated version of that addon that could be added to the server with the click of a few buttons. The only downside is that the ULX integration has been taken out of this version and only admins have access to the screen grabbing command. Yes, it is possible to re-add that but thinking about it that probably got removed for a good reason. Also, I'm sure that would take a lot of time to do. Again this isn't a suggestion to add the updated version of the script to the server... I am just pointing out that the script has been updated and if it's truly missed then could be considered being added back to the server as long as it doesn't have that horrible security exploit which I am not sure of but wouldn't chance it.

I've used this script before and it works well:
[Image: 20180222180916_1.jpg]

However, since we already have a screengrabbing software that's fairly secure (integrated Discord access controls, can't be used in game) we should be using that.