How to Spot a Backdoored AMXX Plugin Before You Run It

June 4, 2026 Daemon666 8 min read 15 просмотров

A single malicious plugin can quietly grant its author full control of your server: silent admin on join, a hidden chat command that runs RCON, or a beacon that phones home with your rcon_password. These backdoors are common in "free plugin packs" and cracked premium plugins passed around forums. The defense is simple in principle — read the source, never run a compiled-only binary you cannot inspect — and this is the checklist for doing it.

1. Insist on source you can read

The golden rule: run the .sma, not a mystery .amxx. A compiled binary handed to you with no source is the single biggest red flag, because you cannot audit it and decompilation is unreliable. Our own plugin directory stores only source and compiles it on demand for exactly this reason — what you download is what you can read. Compile it yourself; see compiling .sma to .amxx.

2. Grep the source for privilege grants

A backdoor almost always gives someone admin flags they should not have. Search the .sma for the functions that set access, and check who they target:

grep -iE 'set_user_flags|read_flags|ADMIN_|amx_rcon|rcon_password' plugin.sma

Danger patterns:

  • set_user_flags(id, read_flags("abcdef...z")) called on connect for a hardcoded SteamID or name — instant silent admin for the author.
  • Any string comparison against a specific STEAM_0: ID or player name followed by a flag grant.
  • server_cmd("rcon_password ...") or code that changes rcon_password — it is stealing or resetting your RCON.

3. Look for hidden commands

Backdoors register a secret command that only the author knows, often a harmless-looking chat trigger:

grep -iE 'register_clcmd|register_concmd|register_srvcmd' plugin.sma

Cross-check every registered command against what the plugin claims to do. A "round sound" plugin that registers say /gimme and grants admin, or a register_clcmd that runs amx_rcon-style behavior for anyone who types a magic word, is a backdoor. Legitimate commands map to the plugin's stated features; extras that do privileged things do not belong.

4. Watch for outbound network calls

A plugin that talks to the internet without a reason is exfiltrating data or pulling remote commands. Check the includes and modules:

grep -iE '#include *<sockets>|#include *<grip>|socket_open|socket_send' plugin.sma

A GeoIP lookup uses a local database, not sockets — so an admin or "stats" plugin opening a socket to an external IP is suspicious. Legitimate uses exist (a web-based ban sync), but they should be documented and pointed at your endpoint, not a stranger's. Treat an undocumented outbound connection as hostile.

5. Scan a compiled .amxx if that is all you have

If you are stuck with a binary, extract its strings before you even consider loading it — hardcoded backdoors often leave their fingerprints in plain text:

strings plugin.amxx | grep -iE 'STEAM_|rcon|http|amx_|flags|socket'

A hardcoded STEAM_0: ID, a URL, or rcon strings inside a plugin that has no business with any of them is enough to reject it. This is a smell test, not proof of safety — a clean strings dump does not clear a binary. When in doubt, do not run it.

6. Test in isolation first

Vet new plugins on a throwaway test server with a unique rcon_password before they touch production. Load the plugin, then from the console run amxx plugins to confirm what loaded and watch the AMXX logs (debug logging) for unexpected command registrations or network activity. Have a second account connect and confirm nobody silently receives admin — check with the flags reference what each connected player actually holds.

Troubleshooting / red-flag summary

  • Compiled-only, no source — reject by default. You cannot audit what you cannot read.
  • Hardcoded SteamID or name in an access grant — backdoor. The author is giving themselves admin.
  • Registered command that does not match the feature list — hidden trigger. Remove the plugin.
  • Sockets/HTTP with no documented reason — exfiltration or remote control.
  • Obfuscated strings, base-encoded blobs, or code that builds commands from scrambled text — deliberately hiding intent. Do not run it.

Verification

After vetting, load the plugin on the test server and prove three things: amxx plugins shows it running with no extra plugins pulled in; a non-admin test client receives no admin flags after connecting; and the server opens no unexpected outbound connections while it runs. Only then promote it to production. As a standing policy, download plugins from sources you can read and compile yourself — the same discipline that keeps server files safe keeps your plugin list clean.

Участники: Daemon666 ✦
Поделиться: