Warning to people running CS:GO servers

IcEWoLF
Posts: 1192
Joined: Thu Aug 10, 2006 9:41 pm


Post by IcEWoLF »

I found several GB worth of logs in my folder this morning...
I found basechats.smx causing all this massive amount of logging. Notice it has an "s" on the end.
I'd suggest everyone double check their plugins folder asap.
A number of communities have been hit by at least one person abusing the fact CS:GO's engine is lacking the fixes Valve made in the 2009 engine for file transfers.

This means that it's possible for a malicious person to
Download a number of files from the gameserver (it's unknown at this time if the engine is vulnerable to bypassing the extension blacklist).
Upload a number of files to the gameserver (see note above).
"Delete" a file by overwriting it with a folder.

There is an extension created by Zephyrus to combat this exploit available here.

There is a plugin that is being uploaded to game servers that will display hidden ads to clients.
The ad provider username in use by this individual is "bazdmegjo", please contact me privately if you have any further information about who this individual may be.

Known versions:
Filename: "basechats.smx" (note the 's' on the end)
File MD5 Hash: bd493c03a0115f704eaa96a0e1d8400e
Plugin Hash: 1f37a04083b593f5b024888a1dfbfe7d
Filename: "adminhelp.smx"
File MD5 Hash: 34ea070da0e8d820e7e1b5285d0a7db1
Plugin Hash: 4f3b8f9131ac3de3c4abfd21ca61c237

The "Plugin Hash" in the list above refers to the "Hash:" line seen in the "sm plugins info" output if you're running a version of SourceMod with the malicious plugin blacklist (most 1.5.0-dev snapshots, 1.5.0 and later, and all 1.6.x snapshots) - if you're hosting CS:GO servers, I suggest making sure you are.

The binaries above have already been pushed out to SourceMod's plugin blacklist - if you see any plugins fail to load because of this, please make sure to check all your other plugins.

The 2nd one (adminhelp.smx) appears to be the more refined plugin and was likely a later attempt by the exploiter. It also attempts to replicate itself to "votemenus.smx", although due to a bug in the code this fortunately fails. It is highly likely that the person involved in these actions will make continued attempts, so please be vigilant.

Checking your server (using the 'find' command) for the cvars "sm_ad_url" and "sm_xchat_name" may help to find other instances of the malicious plugin - please note these were both reused from legitimate plugins, so do not indicate malicious activity alone.

If you find any strange plugins on your server that are trying to impersonate base SM plugins, please PM them to me - they're only going to get harder to spot from here on in.

Some of you may remember a similar thread to this from almost a year ago...
https://forums.alliedmods.net/showthread.php?t=225925
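One way to run the check the post asks for, as an added shell example that is not part of the post or of SourceMod: it hashes every .smx in a plugins folder against the two file MD5s listed above (the file hashes, not the "Plugin Hash" that "sm plugins info" shows) and flags file names that mimic base plugins. The directory and placeholder files in the demo are constructed for the example; on a real server you would point it at your own addons/sourcemod/plugins path.

```shell
#!/bin/sh
# Added example, not from the post: scan a SourceMod plugins folder for the two
# malicious binaries by file MD5 and for file names that impersonate base plugins.
#   scan_plugins <plugins_dir> [space-separated md5 list]
# prints one line per finding and returns 0 when clean, 1 when anything was found.

# File MD5s given in the post for basechats.smx and adminhelp.smx. These are the
# md5 of the .smx file, not the "Plugin Hash" that "sm plugins info" displays.
KNOWN_BAD_MD5="bd493c03a0115f704eaa96a0e1d8400e 34ea070da0e8d820e7e1b5285d0a7db1"

# Hex MD5 of a file; md5sum (coreutils) first, with fallbacks for other platforms.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl md5 "$1" | awk '{print $NF}'
  else
    md5 -q "$1"   # macOS / BSD
  fi
}

scan_plugins() {
  dir="$1"
  bad_list="${2:-$KNOWN_BAD_MD5}"
  hits=0
  for f in "$dir"/*.smx; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    sum=$(file_md5 "$f")
    for bad in $bad_list; do
      if [ "$sum" = "$bad" ]; then
        echo "HASH_MATCH $name $sum"
        hits=$((hits + 1))
      fi
    done
    # basechats.smx mimics the real basechat.smx, and votemenus.smx is the name the
    # adminhelp.smx variant tries to copy itself to. adminhelp.smx itself is a genuine
    # base plugin, so only the hash distinguishes the malicious copy of it.
    case "$name" in
      basechats.smx|votemenus.smx)
        echo "NAME_SUSPECT $name"
        hits=$((hits + 1)) ;;
    esac
  done
  [ "$hits" -eq 0 ]
}

# Demo on a constructed folder with placeholder files (no real plugin binaries):
demo_dir=$(mktemp -d)
printf 'placeholder' > "$demo_dir/basechat.smx"
printf 'placeholder' > "$demo_dir/basechats.smx"
if scan_plugins "$demo_dir"; then
  echo "clean"
else
  echo "suspicious plugins found, review the lines above"
fi
rm -rf "$demo_dir"
```

A hash match is only as good as the hash list, and the post itself says the next variants will be harder to spot, so treat a NAME_SUSPECT hit or any unfamiliar .smx as something to pull and inspect rather than relying on the two listed MD5s alone.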
soja
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Post by soja »

We already found this plugin on our CS:GO server and had to implement the fix.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Post by Edge100x »

I'll globally delete these two plugins across our managed installs.

I'm glad that Valve has now fixed the bug that allowed this to happen.
IcEWoLF
Posts: 1192
Joined: Thu Aug 10, 2006 9:41 pm

Post by IcEWoLF »

Edge100x wrote: I'll globally delete these two plugins across our managed installs.

I'm glad that Valve has now fixed the bug that allowed this to happen.
Thanks John, wish Valve would develop a more secure system.
Something like this has happened a long time ago in CS:S.