AMX Mod X




Security advisory regarding AMX Mod 2010.1 Dec 09, 2015 13:16
AMX Mod X security advisory
amxmod.net distributing malware with backdoors

Important note

This special news item should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1,
please consider making them aware of this post. This is an important matter that is worth mentioning on the official AMXModX site.

AMX Mod

AMX Mod was officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) has been attempting to update it.
Development unfortunately progresses behind closed doors and nobody really knows what's happening.

Context

Some days ago I was asked to help migrate an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough, the server was attacked a few short hours later
by someone who had got hold of the server's RCON password, and it was unclear how the attacker obtained it.

Symptoms

If you are experiencing any of these problems on your server it might be an indication that someone exploited your AMX Mod 2010.1 installation:

  • One or several players are suddenly admins
  • Server performance seems to fluctuate unexpectedly
  • Server appears to crash or shut down randomly
  • Ban lists have been wiped or altered
  • Server files have been altered or deleted


Log analysis

Usually the log does not contain useful information if the RCON password is not yet known (explanations below).
In this specific example, however, the password was already known. If you are in this situation you will find logs similar to these:

The attacker's first attempt to check RCON validity:
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"

Adding a SteamID to the admins list, likely via a VPS IP:
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"

Disabling the server log to hide the following commands:
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"
L 12/04/2015 - 11:04:38: Log file closed
Server logging disabled.


Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.


The hidden commands

Since the RCON password was already known in this case, the log doesn't help us understand how it was found.
Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get hold of this information.

Unfortunately my investigation found that AMX Mod 2010.1 itself is that malicious server plugin. Naively checking the source code provided on the official website did not lead
to anything. Checking the compiled binaries, however, revealed some interesting things!

So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function, which the engine uses to receive input from a client console. The decompilation shows us an unwelcome surprise:



What do we see here?

Mostly a silly attempt to hide specific commands (by checking a string character by character) that do some nasty things:
  • silenmod: Suppress the server log temporarily when the cmdr and cmdc commands are used
  • mrp: Get/change the server's RCON password
  • setaccess: Modify a user's admin access flags
  • cmdr: Execute arbitrary console commands on the server
  • cmdc: Execute arbitrary console commands on a specified client
  • cfile: Check whether a specified file exists
  • wfile: Append data to a specified file
  • dfile: Delete a specified file
  • uptime: Check server uptime
  • slog: Disable server logging completely


Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentication happens during client connection, and we find is_dev_authid() in the binaries:





We can see three hardcoded SteamIDs, checked character by character but with two digits left unverified. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:

STEAM_0:?:1169??26 -> STEAM_0:1:11696626 ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0:13923116 ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed
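As an added example (not part of the advisory), a small Python scanner that applies the two indicators described above to HLDS log lines: RCON commands the advisory ties to the intrusion, and client connections whose SteamID would pass the backdoor's wildcard check. The sample log is constructed for this example (the three Rcon lines are the ones quoted above, the two "connected" lines are made up), and the suspicious-command list is my choice.

```python
import re

# Constructed sample log: the three Rcon lines are the ones quoted in the
# advisory, the two "connected" lines are made up for this example.
SAMPLE_LOG = """\
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"
L 12/04/2015 - 11:01:55: "Player<7><STEAM_0:0:13923116><>" connected, address "195.154.177.107:27005"
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "195.154.177.107:7130"
L 12/04/2015 - 11:03:00: "Other<8><STEAM_0:1:55555555><>" connected, address "10.0.0.5:27005"
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "195.154.177.107:7130"
"""

# The three wildcard patterns recovered from is_dev_authid(); '?' is one unchecked digit.
DEV_WILDCARDS = ["STEAM_0:?:1169??26", "STEAM_0:?:1392??16", "STEAM_0:?:1320??37"]
# RCON commands the advisory ties to the intrusion (my selection; extend as needed).
SUSPICIOUS_RCON = ("amx_addadmin", "log off", "sys_ticrate")

RCON_RE = re.compile(r'Rcon: "rcon \d+ "[^"]*" (?P<cmd>.*)" from "(?P<addr>[^"]+)"')
CONNECT_RE = re.compile(r'<(?P<steam>STEAM_\d:\d:\d+)><[^>]*>" connected, address "(?P<addr>[^"]+)"')

def wildcard_to_regex(pattern):
    """Turn STEAM_0:?:1169??26 into an anchored regex where '?' is any single digit."""
    body = "".join(r"\d" if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")

DEV_REGEXES = [wildcard_to_regex(p) for p in DEV_WILDCARDS]

def matches_dev_wildcard(steamid):
    """True if this SteamID would be accepted by the backdoor's is_dev_authid() check."""
    return any(r.match(steamid) for r in DEV_REGEXES)

def scan_log(text):
    """Return (kind, detail, address) tuples for every suspicious log line, in order."""
    findings = []
    for line in text.splitlines():
        m = RCON_RE.search(line)
        if m:
            cmd = m.group("cmd")
            if cmd.startswith(SUSPICIOUS_RCON):
                findings.append(("rcon", cmd, m.group("addr")))
            continue
        m = CONNECT_RE.search(line)
        if m and matches_dev_wildcard(m.group("steam")):
            findings.append(("dev_steamid", m.group("steam"), m.group("addr")))
    return findings

if __name__ == "__main__":
    for kind, detail, addr in scan_log(SAMPLE_LOG):
        print(f"{kind:11} {addr:22} {detail}")
```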

Solution

It appears that only the 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMX Mod regardless, strongly consider the following recommendations:

  • Ban these SteamIDs:

    Confirmed wildcard matches:
      STEAM_0:0:11696626
      STEAM_0:0:13923116

    Potential SteamIDs matched by the third wildcard. Checking the 198 valid IDs, these are the ones we found with a profile and with Counter-Strike in their accounts.
    The malicious accounts are likely among the private profiles, but it should be safe to ban them all:
      STEAM_0:0:13201737 ; Private
      STEAM_0:1:13201737 ; Private
      STEAM_0:1:13207837 ; Private
      STEAM_0:1:13203837 ; Private, VAC
      STEAM_0:0:13204137 ; Last Online 2254 days ago
      STEAM_0:0:13205937 ; Last Online 1190 days ago
      STEAM_0:0:13209137 ; Last Online 583 days ago
      STEAM_0:1:13201537 ; Last Online 2764 days ago
      STEAM_0:1:13202837 ; Last Online 678 days ago
      STEAM_0:1:13204537 ; Last Online 1386 days ago

    The SteamIDs used with the amx_addadmin command, attempting to give them admin rights:
      STEAM_0:1:42507932
      STEAM_0:1:39310704
      STEAM_0:1:1108105

  Also follow these basic safety precautions:
  • Change your RCON passwords (consider your passwords compromised even if nothing has happened yet)
  • Check your plugin sources and don't hesitate to recompile them yourself
  • Don't trust this developer with future binary updates (AMXMod 2016 is apparently coming up). Feel free to contact me to make sure you are safe.
  • Back up all your configuration files.
  • Keep an eye on your logs and scan them for suspicious entries


We hope this helps prevent security issues on other servers that run AMX Mod, or helps them deal with it if they already have 2010.1 installed.
.: by Arkshine 51 comments


New Maintainer, Transition to GitHub May 16, 2014 02:38
Hi everyone! A few announcements.

First, I'm proud to announce Arkshine as the official maintainer for AMX Mod X. As one of our earliest community members, Arkshine understands both the project's history and the current landscape of the community. He's been extremely helpful reviewing patches and fixing bugs, and has shown excellent judgment in making sure AMX Mod X remains a high quality tool. Please welcome Arkshine!

Second, we have moved the AMX Mod X source code to GitHub.

A little over 10 years ago, SniperBeamer founded AMX Mod X. Its sister project, AMX Mod, had been abandoned. No one had write access to the source code, and critical pieces were closed-source. SniperBeamer forked it into the most public place possible - at the time, SourceForge - to ensure that it would outlive its maintainers. As the project grew and source control systems improved, SourceForge became a burden, and we moved all hosting to AlliedModders.

10 years later, that landscape has changed again. GitHub is much more accessible than either our tools or other project hosting sites. It has a much simpler workflow and provides both projects and individual contributors with a great deal of public visibility. I'm hoping that this move affords AMX Mod X continued life, and our contributors more ways to interact with the development community at large.

We'll continue to use https://bugs.alliedmods.net/ for bug reporting and release management. For more information on Git and GitHub, see: https://wiki.alliedmods.net/Git_Tutorial
.: by BAILOPAN 20 comments


AMX Mod X 1.8.2 for 2013 HLDS Update Feb 14, 2013 13:18
We have released AMX Mod X 1.8.2 as an emergency bug-fix release. It is very important that you do not upgrade until you have read below.

The February 2013 update to Counter-Strike 1.6 is part of a large transition of HLDS games to SteamCMD. Because this transition is not yet complete, AMX Mod X may not yet work on specific games. Those games are listed below.

In addition, a Metamod update is required for all new servers. We are providing our own Metamod builds (branded as Metamod 1.20-am) until the official Metamod site can be updated. Note that on Linux, the Metamod DLL had to be renamed, which means you will have to edit liblist.gam. This is true even if you choose to use Metamod-P.

AMX Mod X 1.8.2 will NOT WORK on the following games:
  • Any server installed using HLDSUpdateTool

Metamod 1.20-am and 1.21-am will work on all games supported by Metamod 1.19
(CS:CZ Bots cause a crash with 1.20-am so use 1.21-am instead).



To get all downloads, visit http://www.amxmodx.org/downloads.php
For upgrade instructions and a full changelog, visit http://wiki.alliedmods.net/AMX_Mod_X_1.8.2_Release_Notes

Special thanks for this release goes to patch contributors Scott Ehlert, arkshine, Fysiks, Reuben Morais, Lev2001, joaquimandrade, Hawk552, and Ryan L. Thank you for your support!
.: by BAILOPAN 293 comments


Downtime Over Jan 22, 2011 08:15
More information here: https://forums.alliedmods.net/showthread.php?t=148196

Thanks for your patience!
.: by BAILOPAN 48 comments


Developer Builds Available Apr 04, 2010 20:35
HEY GUYS, LONG TIME NO SEE. I've brought the automated build system back online upon request. You can see it here:

http://www.amxmodx.org/snapshots.php

A new developer build is created every time a change is checked in. This should give people access to the few fixes that have occurred after the 1.8.1 release. I also took this opportunity to convert the source tree over to Mercurial, so it now lives here:

http://hg.alliedmods.net/amxmodx-central

Since it's been over a year since the last news post, I would like to clarify the state of AMX Mod X development. As you have probably guessed, I no longer have time to work on it. When we started this thing in 2003/2004, it was a full-time deal (i.e. most of us were students). Most C++ developers in the HL1 scene have moved on, either to full-time jobs or other projects.

That's okay though - it's a solid product, and for what it set out to do, it's feature complete and doesn't have too many outstanding bugs.

As for the nagging question, "when is the next release?" AMX Mod X has lots of legacy constraints which makes QA cycles more difficult. I don't see myself having time to oversee a 1.8.2 in the foreseeable future.

I don't want to deter anyone else from stepping up to the plate though. If you want to post patches (in the bug system), please do! I will still review patches, check them in, give people commit access, etc - whatever they need to get work done.
.: by BAILOPAN 67 comments




© Copyright 2003-2016 AMX Mod X Dev Team