> Dev Builds
> Report Bugs
> Addon Stats
> Scripting API
> Link us
|Development Roundup, We need you!
||Sep 09, 2018 11:37
|Hey everyone, long time no see!
Today, we would like to talk about the next AMX Mod X version, what is happening, and what our future plans are.
What was taking so long?
As you may already understand, AMXX as a project is past its prime. Not many people are actively working on the code base, a direct result of reduced interest in the project specifically and GoldSrc games in general. Since we moved the project to GitHub, development has become quite a bit more active, but the pace is ultimately still slow. Our primary goal still is to once again provide an up-to-date release, including many bug fixes and long-awaited features.
Due to the waning interest in the games it supports, it is only natural that contributors would dip in and out of active development. So without a core team available to push through issues and keep the project on track, the contributions became a bit chaotic from a scheduling perspective.
My mistake as a maintainer was not setting clear targets that could be achieved with the limited time that both our contributors and I could put into the project. This meant that the number of changes got larger and larger as time passed (and oh how quickly it passes). I failed to get help from the community to process and test new changes and failed to tighten the scope of what we could ultimately deliver as an official release.
However, please keep in mind that all of the contributors are volunteers, and we can't force anybody to devote more time to AMXX than they are comfortable with.
Where we are now
As of 1.9, we have put the development version of AMXX into a feature-frozen state. This means that no new functionality and improvements will be accepted into what is going to eventually be the next release of AMX Mod X. Development will now focus on bug fixes and our time spent preparing for the next release.
We know that we still have a few exciting improvements and even the odd new feature in the pipelines, but we have to make a commitment to a release at some point. Once we have wrapped up the past couple of years into an official release, it will be much easier for our small team to get new stuff into the hands of users.
What is new?
AMX Mod X has had numerous fixes and improvements across all facets of the project:
- Stability and performance improvements
- Official support for ReHLDS and ReGameDLL
- Much improved UTF-8 support across the project
- Significant improvements to modules and the official plugins
- (Almost) completely revised and completed documentation
- Tons of new functionalities for plugin developers and admins
The full detailed release notes are currently work in progress, and can be found in the Wiki: https://wiki.alliedmods.net/AMX_Mod_X_1.9_Release_Notes.
What is next?
We need you!
As outlined above, this release has gotten pretty large, and we somewhat neglected including the community in the development. We are in sore need of more people that are willing to test and verify the new version.
Check out the release notes and give our new features a try, if something does not work as you expect it should, please let us know.
AMXX 1.9 latest build can be downloaded here: https://www.amxmodx.org/downloads-new.php.
As usual, AMXX should retain full backward compatibility, so if existing functionality breaks after upgrading, file a bug report.
How to report bugs or request features?
We've decided to complete our switch to GitHub and use their integrated issue tracker for all future bug reports and feature requests.
While this will require you to create a GitHub account to get in touch with contributors, we hope that it provides us with similar benefits as moving our code there. Having everything in one place for development should be more intuitive and get more eyes on the project. Also, quite frankly, the old issue tracker was barely used and still contains numerous outdated tickets that might not have been relevant for years.
The old tracker will still be publicly available, but new AMXX tickets will no longer be accepted.
The forum will remain the place for general support, help, and discussion.
First, starting from the next AMX Mod X release we will follow SourceMod in switching to a rolling-release cycle. We will provide more information at a later date, but this essentially means that we will be able to provide you with more frequent stable releases. It is simply not feasible for a mature project like AMXX to focus on big iterative releases that take years to come together.
Secondly, future changes will be focused on user-related issues, such as new/improved tools for managing servers and customization. This has been the primary area we have left out of this planned release, mostly because of missing time, but also because we needed to get the internals right before we can improve our user-facing tools.
Finally, we will try to get the community involved more. Even though we aren't nearly as many as we used to be, people still care about the project. We would like to thank every one of you for that.
|.: by Arkshine
|Security advisory regarding AMX Mod 2010.1
||Dec 09, 2015 13:16
|AMX Mod X security advisory
amxmod.net distributing malware with backdoors
This special news should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1
please consider making them aware of this post. This is an important matter that is worth to be mentioned on the official AMXModX site.
AMX Mod has been officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) is attempting to update it.
Development unfortunately progresses behind closed doors and nobody really knows what's happening.
Some days ago I've been asked to provide help in migrating an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough the server got attacked a few short hours later
by someone who got a hold of the servers RCON password, and it was unclear how the attacker obtained it.
If you are experiencing any of these problems on your server it might be an indication that someone exploited your AMX Mod 2010.1 installation:
- One or several players are suddenly admins
- Server performance seems to fluctuate unexpectedly
- Server appears to crash or shut down randomly
- Ban lists have been wiped or altered
- Server files have been altered or deleted
Usually the log does not contain useful information if the RCON password is not yet known (explanations below).
In this specific example however, the password was already known. If you are in this situation you would find similar logs:
His first attempt to check RCON validity:
L 12/04/2015 - 10:58:09: Rcon: "rcon 1627405150 "xxxxxx" echo HLSW: Test" from "220.127.116.11:7130"
Adding a SteamID to the admins list, likely via a VPS IP:
L 12/04/2015 - 11:02:10: Rcon: "rcon 1779953110 "xxxxxx" amx_addadmin "STEAM_0:0:13923116" abcdefghijklmnopqrstu" from "18.104.22.168:7130"
Disabling the server log to hide the following commands:
L 12/04/2015 - 11:04:38: Rcon: "rcon 873211125 "xxxxxx" log off" from "22.214.171.124:7130"
L 12/04/2015 - 11:04:38: Log file closed
Server logging disabled.
Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.
The hidden commands
Since the RCON was already known in this case, the log doesn't help us understand how it has been found.
Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get a hold of this information.
Unfortunately my investigations have found that AMX Mod 2010.1 itself is that malicious server plugin. Naively checking the provided source code on the official website did not lead
to anything. Checking the compiled binaries however revealed some interesting things!
So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function which is used by the engine to receive input from a client console. The decompilation shows us an unwelcomed surpise:
What do we see here?
Mostly a silly attempt to hide specific commands (by checking a string character by character) doing some nasty things:
- silenmod: Suppress server log temporarilyy when cmdr and cmdc commands are used
- mrp: Get/change the servers RCON password
- setaccess: Modify a users admin access flags
- cmdr: Execute arbitrary console commands on the server
- cmdc: Execute arbitrary console commands on a specified client
- cfile: Check whether a specified file exists
- wfile: Append data to a specified file
- dfile: Delete a specified file
- uptime: Check server uptime
- slog: Disable server logging completely
Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentification happens during client connection, and we find is_dev_authid() in the binaries:
We can see three hardcoded SteamIDs, checking character by character but not verifying two digits. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:
STEAM_0:?:1169??26 -> STEAM_0:1:11696626 ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0:13923116 ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed
It appears that only 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMXMod regardless, strongly consider the following recommendations:
- Ban these SteamIDs:
Confirmed wildcard matches:
Potential SteamIDs matched by the third. Checking 198 valid IDs these are the ones we found with a pofile and with Counter-Strike in their accounts.
The malicious accounts are likely among the private profiles, but it should be safe to ban them all:
[INDENT]STEAM_0:0:13201737 ; Private
STEAM_0:1:13201737 ; Private
STEAM_0:1:13207837 ; Private
STEAM_0:1:13203837 ; Private, VAC
STEAM_0:0:13204137 ; Last Online 2254 days ago
STEAM_0:0:13205937 ; Last Online 1190 days ago
STEAM_0:0:13209137 ; Last Online 583 days ago
STEAM_0:1:13201537 ; Last Online 2764 days ago
STEAM_0:1:13202837 ; Last Online 678 days ago
STEAM_0:1:13204537 ; Last Online 1386 days ago[/INDENT]
The SteamIDs used with the amx_addadmin command, attempting to give them admin rights:
Also these basic safety precautions
- Change your RCON passwords (consider your passwords compromised even if nothing has happened yet)
- Check your plugin sources and don't hesitate to recompile them yourself
- Don't trust this developer with future binary updates (AMXMod 2016 is apparently coming up). Feel free to contact me to make sure you are safe.
- Backup all your configuration files.
- Keep an eye on your logs and scan them for suspicious entries
We hope this helps to prevent any security issues on other servers that run AMXMod, or helps them deal with it if they already have 2010.1 installed.
|.: by Arkshine
|New Maintainer, Transition to GitHub
||May 16, 2014 02:38
|Hi everyone! A few announcements.
First, I'm proud to announce Arkshine as the official maintainer for AMX Mod X. As one our earliest community members, Arkshine understands both the project's history and the current landscape of the community. He's been extremely helpful reviewing patches and fixing bugs, and has shown excellent judgment in making sure AMX Mod X remains a high quality tool. Please welcome Arkshine!
Second, we have moved the AMX Mod X source code to GitHub.
A little over 10 years ago, SniperBeamer founded AMX Mod X. Its sister project, AMX Mod, had been abandoned. No one had write access to the source code, and critical pieces were closed-source. SniperBeamer forked it into the most public place possible - at the time, SourceForge - to ensure that it would outlive its maintainers. As the project grew and source control systems improved, SourceForge became a burden, and we moved all hosting to AlliedModders.
10 years later, that landscape has changed again. GitHub is much more accessible than either our tools or other project hosting sites. It has a much simpler workflow and provides both projects and individual contributors with a great deal of public visibility. I'm hoping that this move affords AMX Mod X continued life, and our contributors more ways to interact with the development community at large.
We'll continue to use https://bugs.alliedmods.net/ for bug reporting and release management. For more information on Git and GitHub, see: https://wiki.alliedmods.net/Git_Tutorial
|.: by BAILOPAN
|AMX Mod X 1.8.2 for 2013 HLDS Update
||Feb 14, 2013 13:18
|We have released AMX Mod X 1.8.2 as an emergency bug-fix release. It is very important that you do not upgrade until you have read below.
The February 2013 update to Counter-Strike 1.6 is part of a large transition of HLDS games to SteamCMD. Because this transition is not yet complete, AMX Mod X may not yet work on specific games. Those games are listed below.
In addition, a Metamod update is required for all new servers. We are providing our own Metamod builds (branded as Metamod 1.20-am) until the official Metamod site can be updated. Note that on Linux, the Metamod DLL had to be renamed, which means you will have to edit liblist.gam. This is true even if you choose to use Metamod-P.
AMX Mod X 1.8.2 will NOT WORK on the following games:
- Any server installed using HLDSUpdateTool
Metamod 1.20-am and 1.21-am will work on all games supported by Metamod 1.19
(CS:CZ Bots cause a crash with 1.20-am so use 1.21-am instead).
To get all downloads, visit http://www.amxmodx.org/downloads.php
For upgrade instructions and a full changelog, visit http://wiki.alliedmods.net/AMX_Mod_X_1.8.2_Release_Notes
Special thanks for this release goes to patch contributors Scott Ehlert, arkshine, Fysiks, Reuben Morais, Lev2001, joaquimandrade, Hawk552, and Ryan L. Thank you for your support!
|.: by BAILOPAN