Backdoor problem


" bought serverfiles "


You need to give more information here.

But let me guess: the person you bought from sent you a tar.gz and told you to extract it (or the person installed it for you)?

If so, I've seen most backdoors inside the db/mysql. We need to view the files in order to see the issue, otherwise it's just guessing.

 

Edited by Metin2 Dev
Core X - External 2 Internal

Well, this server has been online since 2018, and the previous owner wanted to close it while I kept updating it all the time, so I bought the server so that it would not close. We spoke with the hosting, and the VPS and the other things were transferred to my account. I changed every password: in the config files, in the MySQL accounts, and the website uses a different account restricted to its IP. I deleted web-admin from the accounts, changed the SSH password, and changed the website "storage" password. The password is changed everywhere that I saw in the files. I also reinstalled the BSD and re-created everything in MySQL too.

The problem is that items "disappear", but that is not really what happens: he deletes them somehow. Today I realised that in the usr/game/log folder the log files of the auth, channel1, db and game99 folders are deleted, at around 8 am. Every log file from yesterday, and from today before 8, was deleted, and I got some messages that their items had disappeared again. I can't tell you more information; that's all I know. Does he delete these files somehow, or does he delete from the item table? I don't think so. It's totally random who loses the items, which items, and how many. And this problem only affects the new items, the ones you now get from runs, maybe ones you have now upgraded, or bought from the offline shop. The old items you already have do not disappear. I don't know how he does it.

Do you think that, if I have more information, the problem won't show up for us while I'm getting help? I can assist with everything the helper needs, and of course pay for it, if it somehow solves the problem. Not for me, for the players. The server is totally non-profit; I operate it for relaxation. So please, if you have advice, just tell it; I'm interested in every helpful word, but not in "aggressor" words.
EDIT: And yes, if you want to see the files and would help, contact me by private message and we'll talk about it. I do not want to publish my source files, sorry.

Edited by Separate

The server is still online. They send me a message about what the problem is when they connect to the server. They log out with the items and log in without some of them. Today I got the message "I stay in map1, my client crashed, and the costume I was wearing disappeared", so it's not because of the server going down. The attacker is the owner who sold the server to me. He doesn't have an open server now, so he tries to confuse the players about whether to stay here or not. He now wants to re-open with the same source (without the updates I made after getting the server), so he tries to "prompt" them to leave the open server, and if they would get a near-same feeling, to go to him. And if I want to be sure: he deleted the item and account tables while I was in the hospital, and my backups that were on the SCP. And I don't know what the API is, so I don't know whether I have it or not. If it's a free thing to try to screw some things up, I think it's defended, because the website has been the same for around 1-1.5 years. And why do I think it's a backdoor? My host said that someone tried to connect to my SSH from Portuguese, Chinese, Japanese and German IP addresses at nearly the same time. I think that was a VPN. It's not a national server, and not a huge server. I'm 100% sure these nations do not know that the server is open and running already.

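The SSH attempts from several countries mentioned in the post above are worth separating from the background noise that every internet-facing sshd receives. What follows is an added example, not code from the thread or from anyone in it: a small POSIX shell script that pulls the accepted logins out of an OpenSSH auth log (on FreeBSD, /var/log/auth.log), counts failed attempts per source address, and flags any address that failed and then later got in, which is what a guessed, leaked or reused password looks like. The log lines are constructed to match OpenSSH's message format; the host name, users and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Triage of an OpenSSH auth log:
# failed attempts from random addresses are normal on any public sshd;
# what matters is which logins were ACCEPTED, from where, and whether an
# address that was guessing passwords eventually succeeded.

# Constructed sample log lines in OpenSSH's format; host, users and
# addresses are made up (203.0.113.0/24 etc. are documentation ranges).
SAMPLE_LOG='Mar  3 07:41:02 srv sshd[8821]: Failed password for root from 203.0.113.7 port 52110 ssh2
Mar  3 07:41:05 srv sshd[8821]: Failed password for root from 203.0.113.7 port 52110 ssh2
Mar  3 07:52:17 srv sshd[8903]: Invalid user admin from 198.51.100.23 port 41022
Mar  3 07:55:40 srv sshd[8950]: Accepted publickey for game from 192.0.2.44 port 50122 ssh2: RSA SHA256:c0ffee
Mar  3 07:58:01 srv sshd[8971]: Accepted password for root from 203.0.113.7 port 52290 ssh2
Mar  3 07:58:30 srv sshd[8971]: Disconnected from user root 203.0.113.7 port 52290'

# "user address" for every accepted login, whatever the auth method.
# In sshd's wording the address is always the field after "from" and the
# user is the field before it, so we locate "from" instead of hardcoding
# field numbers.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print $(i - 1), $(i + 1); break }
        }'
}

# Failed attempts per source address, most active first.
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /Failed password|Invalid user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses that failed at least once and were later accepted: the case
# that looks like a guessed or leaked password rather than an admin login.
accepted_after_failures() {
    printf '%s\n' "$1" | awk '
        /Failed password|Invalid user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { bad[$(i + 1)] = 1; break }
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") {
                    if (bad[$(i + 1)]) print $(i - 1), $(i + 1)
                    break
                }
        }'
}

# Run against the sample. For a real box:
#   log=$(cat /var/log/auth.log); accepted_logins "$log"
echo "accepted logins:";       accepted_logins "$SAMPLE_LOG"
echo "failures per address:";  failed_by_ip "$SAMPLE_LOG"
echo "failed-then-accepted:";  accepted_after_failures "$SAMPLE_LOG"
```

On the sample this reports two accepted logins, and 203.0.113.7 as an address that was guessing root's password and then got in with a password. An entry like that, or any accepted login from an address you do not recognise, is worth more than a list of countries that probed the port. Since the log files on the box were being deleted, the script is only as good as the logs that survive; forwarding auth.log to another host (or at least copying it elsewhere on a schedule) is what makes this check reliable.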


I see.

Deleted item + account tables means he had access to your database, either directly (remote access with a hidden account [check the users in mysql], a shell, a RAT, etc.) or indirectly (SQL injection is the most common).

The method he is using to get access can be identified without much difficulty. I will send it to you by PM, and when it happens again it will be clear what method he is using.

 

Edited by tierrilopes
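Two replies above point at the database: the first says most of the backdoors in bought server files live in the db/mysql, and the one just above says to check the MySQL users for a hidden account. The script below is an added example, not code from the thread or from anyone in it, showing what that check looks like when done systematically rather than by eyeballing a user list. It reads the rows of mysql.user and reports anonymous accounts, accounts with no password hash, accounts reachable from a wildcard or remote host, and any account name that is not on the list you expect. The sample rows are constructed and the hashes are placeholders; the only assumption about the live system is that the output of a `mysql -Bse` query is tab-separated, which is standard for MySQL and MariaDB.

```shell
#!/bin/sh
# Added example (not from the thread). Audit of the MySQL/MariaDB account
# list for the kind of hidden or over-privileged account that gives direct
# database access: anonymous users, empty passwords, wildcard or remote
# hosts, and any user name you did not create yourself.
#
# Real input comes from (tabs turned into '|' so the parser below is the
# same for the constructed sample and for live data):
#   mysql -Bse "SELECT user, host, plugin, authentication_string FROM mysql.user" \
#       | tr '\t' '|' | audit_users "root game web"

# Constructed sample of that output; names and hashes are placeholders.
SAMPLE_USERS='root|localhost|mysql_native_password|*0A1B2C3D4E5F60718293A4B5C6D7E8F901234567
game|localhost|mysql_native_password|*1111111111111111111111111111111111111111
web|203.0.113.10|mysql_native_password|*2222222222222222222222222222222222222222
backup|%|mysql_native_password|*3333333333333333333333333333333333333333
|localhost|mysql_native_password|'

# Reads "user|host|plugin|auth" rows on stdin; $1 is the space-separated
# list of account names that are supposed to exist. Prints one REVIEW line
# per row that needs a look and nothing for rows that are clean.
audit_users() {
    awk -F'|' -v allow="$1" '
        function add(r) { why = why (why == "" ? "" : ", ") r }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            user = $1; host = $2; plugin = $3; auth = $4; why = ""
            if (user == "") add("anonymous account")
            # socket-authentication plugins legitimately carry no hash
            if (auth == "" && plugin != "auth_socket" && plugin != "unix_socket")
                add("empty password")
            if (index(host, "%") || index(host, "_"))
                add("wildcard host")
            else if (host != "localhost" && host != "127.0.0.1" && host != "::1")
                add("remote host " host " (confirm this address is yours)")
            if (user != "" && !(user in ok)) add("not in allowlist")
            if (why != "") print "REVIEW " user "@" host ": " why
        }'
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_USERS" | audit_users "root game web"
}

audit_sample
```

On the sample this flags the website account only for review (it is remote but on a fixed address, which matches the IP-restricted setup described in this thread), the `backup` account for both a `%` host and an unknown name, and an anonymous localhost account with no password. For every flagged row, `SHOW GRANTS FOR 'user'@'host';` shows what it could do and `DROP USER 'user'@'host';` removes it. If binary logging is enabled, `mysqlbinlog` on the current binlog files shows the exact DELETE or DROP statements with their timestamps and connection IDs, which is the direct way to confirm whether the tables were emptied through the database rather than through the game server's own code. An attacker who has a shell or a RAT on the box, the other routes named above, will not show up in mysql.user at all, so a clean result here rules out only the hidden-account route.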

I checked the MySQL users; there are 3 for the hosting, one for the website, and one for me. I changed the password for every user, and the website user has IP protection. I checked the website with shelldetect; it found nothing. And yesterday, before sending the message here, I deactivated the website and connected to the test server to check whether maybe the problem was with the homepage. On the test server there was no problem, but the disappearing still happens on the normal server. So... I think he didn't use the website for it, or maybe not only the website.
