Security advisory regarding AMX Mod 2010.1
AMX Mod X security advisory
distributing malware with backdoors
Important note
This special news should only concern server operators who have AMX Mod 2010.1 installed or plan to install it. If you know server operators that use AMX Mod 2010.1, please consider making them aware of this post. This is an important matter that is worth mentioning on the official AMXModX site.
AMX Mod was officially abandoned years ago, but recently one of its users (Stéphane "Flatounet" Vigne) has been attempting to update it.
Development unfortunately progresses behind closed doors and nobody really knows what's happening.
Some days ago I was asked to provide help in migrating an AMX Mod 2010.1 installation to AMXModX for various reasons. Oddly enough, the server got attacked a few short hours later by someone who got hold of the server's RCON password, and it was unclear how the attacker obtained it.
If you are experiencing any of these problems on your server it might be an indication that someone exploited your AMX Mod 2010.1 installation:
One or several players are suddenly admins
Server performance seems to fluctuate unexpectedly
Server appears to crash or shut down randomly
Ban lists have been wiped or altered
Server files have been altered or deleted
Log analysis
Usually the log does not contain useful information if the RCON password is not yet known (explanations below).
In this specific example however, the password was already known. If you are in this situation you would find similar logs:
His first attempt to check RCON validity:
L 12/04/2015 - 10:58:09: Rcon: "rcon "xxxxxx" echo HLSW: Test" from "2.3.87.69:7130"
Adding a SteamID to the admins list, likely via a VPS IP:
L 12/04/2015 - 11:02:10: Rcon: "rcon "xxxxxx" amx_addadmin "STEAM_0:0:" abcdefghijklmnopqrstu" from "195.154.177.107:7130"
Disabling the server log to hide the following commands:
L 12/04/2015 - 11:04:38: Rcon: "rcon "xxxxxx" log off" from "195.154.177.107:7130"
L 12/04/2015 - 11:04:38: Log file closed
Server logging disabled.
Malicious activity after this point may include clearing ban lists of SteamIDs and IPs or changing server variables like sys_ticrate in an attempt to disrupt server functionality.
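The log patterns described above can be checked for automatically. The following is an added example, not part of the original advisory: it flags the two RCON commands seen in this incident and RCON use from more than one address. The sample lines are constructed, and the optional numeric challenge token before the password is an assumption about the log format.

```python
import re
from collections import defaultdict

# Assumption: a numeric challenge token may sit between `rcon` and the
# quoted password; the lines quoted in the advisory do not show one.
RCON_RE = re.compile(
    r'^L (?P<ts>\d\d/\d\d/\d{4} - \d\d:\d\d:\d\d): Rcon: "rcon (?:\d+ )?'
    r'"[^"]*" (?P<cmd>.*)" from "(?P<ip>[\d.]+):\d+"$'
)
# Commands the advisory saw abused, mapped to a short reason.
SUSPICIOUS = {
    "amx_addadmin": "admin account added over RCON",
    "log off": "server logging switched off over RCON",
}

def scan(lines):
    """Return (findings, sources): flagged commands and RCON senders."""
    findings, sources = [], defaultdict(int)
    for line in lines:
        m = RCON_RE.match(line.strip())
        if not m:
            continue
        sources[m["ip"]] += 1
        for needle, reason in SUSPICIOUS.items():
            if m["cmd"].startswith(needle):
                findings.append((m["ts"], m["ip"], reason))
    if len(sources) > 1:
        # Heuristic: an operator normally sends RCON from one known address.
        findings.append((None, ",".join(sorted(sources)),
                         "RCON used from several addresses"))
    return findings, dict(sources)

# Constructed sample lines (password, challenge and addresses are made up).
SAMPLE = '''\
L 12/04/2015 - 10:58:09: Rcon: "rcon 1111 "xxxxxx" echo HLSW: Test" from "203.0.113.5:7130"
L 12/04/2015 - 11:02:10: Rcon: "rcon 2222 "xxxxxx" amx_addadmin "STEAM_0:0:0000" abcdefghijklmnopqrstu" from "198.51.100.7:7130"
L 12/04/2015 - 11:04:38: Rcon: "rcon "xxxxxx" log off" from "198.51.100.7:7130"
L 12/04/2015 - 11:04:38: Log file closed
'''.splitlines()

if __name__ == "__main__":
    for ts, ip, reason in scan(SAMPLE)[0]:
        print(ts or "-", ip, reason)
```

Anything sent after a flagged "log off" is not in the file, so a hit on that rule means the log can no longer be trusted as a complete record.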
The hidden commands
Since the RCON password was already known in this case, the log doesn't help us understand how it was found.
Assuming the RCON password is unknown and has not been compromised, a possible threat is a malicious server plugin that allows unauthorized clients to get a hold of this information.
Unfortunately my investigations have found that AMX Mod 2010.1 itself is that malicious server plugin. Naively checking the provided source code on the official website did not lead to anything. Checking the compiled binaries however revealed some interesting things!
So let's look at what our disassembler/decompiler shows us. We want to find the ClientCommand() function which is used by the engine to receive input from a client console. The decompilation shows us an unwelcome surprise:
What do we see here?
Mostly a silly attempt to hide specific commands (by checking a string character by character) doing some nasty things:
silenmod: Suppress server log temporarily when cmdr and cmdc commands are used
mrp: Get/change the server's RCON password
setaccess: Modify a user's admin access flags
cmdr: Execute arbitrary console commands on the server
cmdc: Execute arbitrary console commands on a specified client
cfile: Check whether a specified file exists
wfile: Append data to a specified file
dfile: Delete a specified file
uptime: Check server uptime
slog: Disable server logging completely
Access to these commands is restricted to clients marked as AMX Mod 2010.1 devs. This client authentication happens during client connection, and we find is_dev_authid() in the binaries:
We can see three hardcoded SteamIDs, checking character by character but not verifying two digits. Two of the specific SteamIDs matching these "wildcards" have been confirmed by the logs and IPs:
STEAM_0:?:1169??26 -> STEAM_0:1: ; Tried to connect at a later point but was banned by an anti-nosmoke plugin...
STEAM_0:?:1392??16 -> STEAM_0:0: ; Attempted to add himself as an admin
STEAM_0:?:1320??37 -> Not used, no specific SteamID confirmed
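To check your own logs, admin files or ban lists against these three wildcards, the sketch below can be used. It is an added example, not from the advisory or the AMX Mod code. It assumes each "?" stands for exactly one digit; the SteamIDs, names, addresses and the users-file style line in the sample are constructed.

```python
import re

# Wildcard patterns exactly as printed in the advisory; "?" marks a
# character that is_dev_authid() does not verify.
DEV_PATTERNS = ("STEAM_0:?:1169??26", "STEAM_0:?:1392??16", "STEAM_0:?:1320??37")

# Any SteamID-shaped token in free text (log line, users file, ban list).
STEAMID_RE = re.compile(r"STEAM_\d:\d:\d+")

def compile_wildcard(pattern):
    """Anchored regex for one pattern. Assumption: "?" is one digit."""
    body = "".join(r"\d" if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile(body + r"\Z")

_COMPILED = [(p, compile_wildcard(p)) for p in DEV_PATTERNS]

def match_dev_pattern(steam_id):
    """Return the advisory pattern that covers steam_id, else None."""
    for pattern, rx in _COMPILED:
        if rx.match(steam_id):
            return pattern
    return None

def find_dev_ids(lines):
    """Yield (line_no, steam_id, pattern) for every covered SteamID."""
    for no, line in enumerate(lines, 1):
        for steam_id in STEAMID_RE.findall(line):
            pattern = match_dev_pattern(steam_id)
            if pattern:
                yield no, steam_id, pattern

# Constructed input: the SteamIDs, names and addresses are made up.
SAMPLE = [
    'L 12/04/2015 - 10:40:01: "guest<3><STEAM_0:1:11690026><>" connected, address "203.0.113.5:27005"',
    # One digit longer than the pattern: must not match.
    'L 12/04/2015 - 10:41:12: "other<4><STEAM_0:0:116900261><>" connected, address "203.0.113.9:27005"',
    '"STEAM_0:0:13929916" "" "abcdefghijklmnopqrstu" "ce"',
    # Last two digits differ from the third pattern: must not match.
    '"STEAM_0:1:13201138" "" "z" "ce"',
]

if __name__ == "__main__":
    for hit in find_dev_ids(SAMPLE):
        print(*hit)
```

A hit only means the ID falls inside a wildcard range, so treat it as a lead to verify against the rest of the log rather than as proof.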
It appears that only 2010.1 core has been maliciously modified. Pawn plugins should be safe. If you still want to keep using AMXMod regardless, strongly consider the following recommendations:
Ban these SteamIDs:
Confirmed wildcard matches:
STEAM_0:0:
STEAM_0:0:
Potential SteamIDs matched by the third wildcard. Checking 198 valid IDs, these are the ones we found with a profile and with Counter-Strike in their accounts.
The malicious accounts are likely among the private profiles, but it should be safe to ban them all:
The SteamIDs used with the amx_addadmin command, attempting to give them admin rights:
STEAM_0:1:
STEAM_0:1:
STEAM_0:1:1108105
Also take these basic safety precautions:
Change your RCON passwords (consider your passwords compromised even if nothing has happened yet)
Check your plugin sources and don't hesitate to recompile them yourself
Don't trust this developer with future binary updates (AMXMod 2016 is apparently coming up). Feel free to contact me to make sure you are safe.
Backup all your configuration files.
Keep an eye on your logs and scan them for suspicious entries
We hope this helps to prevent any security issues on other servers that run AMXMod, or helps them deal with it if they already have 2010.1 installed.
New Maintainer, Transition to GitHub
Hi everyone! A few announcements.
First, I'm proud to announce
as the official maintainer for AMX Mod X. As one of our earliest community members, Arkshine understands both the project's history and the current landscape of the community. He's been extremely helpful reviewing patches and fixing bugs, and has shown excellent judgment in making sure AMX Mod X remains a high quality tool. Please welcome Arkshine!
Second, we have moved the AMX Mod X source code to .
A little over 10 years ago,
founded AMX Mod X. Its sister project, AMX Mod, had been abandoned. No one had write access to the source code, and critical pieces were closed-source. SniperBeamer forked it into the most public place possible - at the time, SourceForge - to ensure that it would outlive its maintainers. As the project grew and source control systems improved, SourceForge became a burden, and we moved all hosting to AlliedModders.
10 years later, that landscape has changed again. GitHub is much more accessible than either our tools or other project hosting sites. It has a much simpler workflow and provides both projects and individual contributors with a great deal of public visibility. I'm hoping that this move affords AMX Mod X continued life, and our contributors more ways to interact with the development community at large.
We'll continue to use
for bug reporting and release management. For more information on Git and GitHub, see:
AMX Mod X 1.8.2 for 2013 HLDS Update
We have released AMX Mod X 1.8.2 as an emergency bug-fix release. It is very important that you do not upgrade until you have read below.
The February 2013 update to Counter-Strike 1.6 is part of a large transition of HLDS games to . Because this transition is not yet complete, AMX Mod X may not yet work on specific games. Those games are listed below.
In addition, a Metamod update is required for all new servers. We are providing our own Metamod builds (branded as Metamod 1.20-am) until the official Metamod site can be updated. Note that on Linux, the Metamod DLL had to be renamed, which means you will have to edit liblist.gam. This is true even if you choose to use Metamod-P.
AMX Mod X 1.8.2 will NOT WORK on the following games: Any server installed using HLDSUpdateTool
Metamod 1.20-am and 1.21-am will work on all games supported by Metamod 1.19
(CS:CZ Bots cause a crash with 1.20-am so use 1.21-am instead).
To get all downloads, visit
For upgrade instructions and a full changelog, visit
Special thanks for this release goes to patch contributors Scott Ehlert, arkshine, Fysiks, Reuben Morais, Lev2001, joaquimandrade, Hawk552, and Ryan L. Thank you for your support!
Downtime Over
More information here:
Thanks for your patience!
Developer Builds Available
HEY GUYS, LONG TIME NO SEE. I've brought the automated build system back online upon request. You can see it here:
A new developer build is created every time a change is checked in. This should give people access to the few fixes that have occurred after the 1.8.1 release. I also took this opportunity to convert the source tree over to Mercurial, so it now lives here:
Since it's been over a year since the last news post, I would like to clarify the state of AMX Mod X development. As you have probably guessed, I no longer have time to work on it. When we started this thing in , it was a full-time deal (i.e. most of us were students). Most C++ developers in the HL1 scene have moved on, either to full-time jobs or other projects.
That's okay though - it's a solid product, and for what it set out to do, it's feature complete and doesn't have too many outstanding bugs.
As for the nagging question, "when is the next release?" AMX Mod X has lots of legacy constraints which make QA cycles more difficult. I don't see myself having time to oversee a 1.8.2 in the foreseeable future.
I don't want to deter anyone else from stepping up to the plate though. If you want to post patches (in the bug system), please do! I will still review patches, check them in, give people commit access, etc - whatever they need to get work done.
Copyright AMX Mod X Dev Team
About the CS Chinese ID plugin not installing properly
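Check your amxmodx version: is it 1.81? And have you loaded memhack_amxx.dll?
It is 1.81; otherwise it would not show up in the pause plugins list at all. memhack is loaded too.
"It would not show up in the pause plugins list at all": what do you mean by this sentence? memhack_amxx.dll requires metamod 1.19; are you sure your meta shows it?
Let me just give you the solution: switch to the complete official release of amxmodx 1.81, which includes the complete metamod 1.19 files. You are obviously missing files.
Give me the complete version, or send it to me. I'll go to the amxmodx official site and download the English version; the Chinese-localized versions online are basically never 1.81.
Damn, I have looked at the metamod file in cstrike\addons\metamod\dlls and it is 1.19.0.0~; it is just that pingins.ini in \cstrike\addons\metamod says:
;; Metamod plugins.ini
; AMX Mod X 1.76b[]
win32 addons\amxmodx\dlls\amxmodx_mm.dll
; Enable this instead for binary logging
; win32 addons\amxmodx\dlls\amxmodx_bl_mm.dll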
I have said it many times: switch to the official 1.8.1.