#Fw: I don't have any leaked script! Any!

Support continuation:

• Source: #🚀┊txadmin message
• Author: @slim crown
• Supporter: @near roost

Open your resources folder in vscode and type const _ = Buffer.from

And show me the result of it

Idk how im supposed to open all folder with vscode

Go into vscode, press "File" in the top left, click "open folder"

Then select your resources folder

it appear only this

That is not your whole resources folder

You clicked open file

yeah

Click "open folder"

i did

but i have it 😄

So your resources are hosted somewhere else?

VPS

yeah

Any chance you can provide me credentials for that VPS? Only if you agree

So I can take a look myself

I can give you anydesk

:rocket: Congratulations @slim crown, you leveled up to <@&1005551371765956658>!
Now you can chat in #old-homelab-24h1-25h1, #old-cooking-24h1-25h1, #old-aviation-24h1-25h1!

if you want

Nah

Le me explain something

Could i?

I just tried this:

I did fresh install on VPS.
Then i uploaded server with oxmysql(version 2.12.0) and fxversion: 12966
The server crashing and crashing.. Just like for everyone!

Then i tried to install newest oxmysql(version 2.13.0) and fxversion: 12966

Then i restarted the server and automatically gone the fxversion 12746 🙂
And just crashes 🙂

Probably.. Yeah! It is possible to be leaked script! Fine! I agree with you!

Incorrect but i agree!

But there is no logic just after installing oxmysql 2.13.0 and all vps fxversion t o go 12746 from 12966.

The OS is infected

I tough same btw

so.. I just started new vps

moved all server without artefacts and oxmysql

I tried with version oxmysql 2.12.0

How do you even edit resources if you can't open them in vscode or so

Easy

just like that

tried and with fxversion 12966..

Then i just installed again newest oxmysql - 2.13.0

restarted the server

This opens in vscode?

and bum

yeah?

Can you do that for the whole folder?

Nope

and bum.. The server goes back to artefacts 12746 🙂

Connect to the VPS using SSH extension in vscode

yep

im trying it

give me some minutes

Sure

where i have to write this?

So when you've opened your resources folder, you press ctrl + shift + F

and then paste it there

wait

everything just

get crazy

:O

So all this is leaked scripts?

Even this which i bought?

Cooked

holy

moly

but this is even scripts from github

Github scripts can contain backdoors as well

okay

thats new info for me

😄

So you want to tell me that in ps-ui even have backdoor?

Yea

A big backdoor lol

in RageUI also??

Yea

and in all esx scripts?

The issue usually stems from 1 leaked resource, whether you knew if it was leaked or not, it just injects itself into basically everything

In every script

Okay

that explain everything

Yeah

give me your paypal

if you want

Nah

Its fine

You sure?

Yes

Its 100$ dude 😄

Okay..

You know best

I dont feel like giving you my full name 💀

Good luck with your OS tho and in the future only get your resources from trusted locations

Thank you Yorick

I have only one more question

Ofc

All this files are generated by the backdoor script right?

And what's the point of doing that and people who can't buy scripts?

I mean.. It infected all others?

Of doing what?

I dont know for sure what cipher exactly does

that the servers crash because that didn't happen before

Just check the scripts which you download for backdoors as Yorick shows

They give „buyers“ access to the server via a webpanel so they can have fun (nvm misunderstood)

and if is okay.. Insert it in the machine

Cuz.. I see that all files are same

ok

I mean.. All is the same

Yeah that is a Base64 string and if you decode it it will show you a URL

https://base64.guru/converter/decode/text

Throw it in here

check this out

lol

😄

Yeah that one has been known

as I see, many of us have this problem, if anyone wants they can contact me in DM to see what resource we have in common from github which had a backdoor

(also if it is not github, just to understand because the backdoor its literally the same one...)

I'm still thinking that this cause not coming just from backdoor or something like this.

:rocket: Congratulations @slim crown, you leveled up to <@&1005551490636722177>!

we too.. because it was infected also our backup of 1 month ago

but why it was working and now it is not if also before it had a backdoor?

Just there is no logic in that..

I just tried this:

I did fresh install on VPS.
Then i uploaded server with oxmysql(version 2.12.0) and fxversion: 12966
The server crashing and crashing.. Just like for everyone!

Then i tried to install newest oxmysql(version 2.13.0) and fxversion: 12966

Then i restarted the server and automatically gone the fxversion 12746 🙂
And just crashes 🙂
Probably.. Yeah! It is possible to be leaked script! Fine! I agree with you!
Incorrect but i agree!
But there is no logic just after installing oxmysql 2.13.0 and all vps fxversion to go 12746 from 12966.

also we didnt put it in our VPS so it was not infected (we just updated our artifacts mhmhmh)

YES

that is what is going on

i guess we are dump yes.. its a game YES! but how is this possible ...

Just there is no logic in that.. This cannot happen only from backdoor.

And to happen for 100+ customers of cfx.

they also told me "man its maybe due fivegua**rd that is overdoing something with artifacts" but it was on a fresh VPS and a fresh ESX server 😂

because we are all dumb.. bad scripter

I'm doing this think.. Almost from 6 years.

In the past i had backdoors also.

But.. Never this happend.

i have 3 scripter and all of them are doing this since a lot of time man and we did 2 version (now the 3 is coming out) and never got a backdoor

Idk why.. But after i think that oxmysql is the problem with this nodeJS 22.

yes we thought that too

we tryed also to do a oxmysql + artifacts downgrade

same

and the server can't start

but in the .dmp it always show the same artifacts lol

because big delay

and ram leak

right

exactly

:rocket: Congratulations @wet vault, you leveled up to <@&828359841512816671>!

I know 🙂

did it show you some "tick" on ?

Yep

HEHHAHHA 😂

from 200ms.. To 30 000ms 🙂

Just like starting

we have got 300.000+

just you see "server thread hitching"

yes

you got a new Gines record. 😄

i guess yes 😂

Probably this is the end of FiveM era for a lot of peoples just like us 😄

i guess probabile it is

Other think is..
Probably a lot of peoples just had backdoors in their servers.
And after installing oxmysql 2.13.0.. Then somehow oxmysql activated this backdoors and fcked up all our servers.

impossible

we didnt had them in the january backup

they showed up later

but now which type of artifacts and oxmysql you are gonna put?

12933 and 2.13.0

And i'm starting my server just from zero. 🙂

I will check every scripts before i add it. 🙂

Yesterday i just started new vps. I installed qbx and oxmysql on latests artefacts and there haven't problem. 🙂

i will see a few days later 🤣

I will be probably dead

cuz no sleep :X

ok

we are cleaning it, now its going everything under .zip we will reinstall the OS and will try with the latest artifacts

You have scripts which are backdoored already. This will not help.

I tried same.

Didn't helped.

but we cleaned everything we are gonna save only "resource" folder

Find the script first which inject backdoor in other resources.

Then clean everything.

https://docs.yorick.gg/General/Backdoor

@wet vault

Wrote a little doc for it

yea i have already did that

also we searched for the specific base64 string of the backdoor

we found more than 130+ file

now we reinstalled the OS

did the VPS setup and now its installing the .zip backup

we will do another search about it just to be sure its everything ok

(we didnt saved our cache/artifacts just to be sure)

do you think this is gonna be the right artifacts choice or we should go for the last?

i think this one its pretty stable

@near roost

Idk

okok

@slim crown it is working everything is fine

we are pretty sure there was something inside the artifacts

we also did a reebot of the server several time (with the same resources)

Yep.. In 12746 :]

0 backdoor

we are in 12508 and with a downgrade of oxmysql

we will never know but we are 100% sure it isnt something related to our resource ✅