
Invalid Report: 76561197964899068 - ([Other] Other game items)

Discussion in 'Archived Reports' started by 404UserNotFound, Sep 5, 2015.

  1. 404UserNotFound

    404UserNotFound Donator - Tier V

    Messages:
    96
    Steam:
    STEAM_0:1:28177988
    Scam Report

    Report Type: [Other] Any other fraudulent behavior
    Virtual item type involved: [Other] Other game items

    Accused profile: 76561197964899068

    Victim profile: 76561198095040360

    What happened? Description:
    This report does not just involve the listed victim as a victim. Many people were affected by this. This is a long story. Please bear/bare with me. There is a lot of evidence and a bit of a backstory.

    Some of you may have heard about the recently discovered Source SDK 2013 MP base file upload and execution exploit. Well, there's more to the story of how it was discovered. I posted the in-depth story of how it was discovered here on Reddit.

    Essentially, I came home from work several days ago to find messages on Steam accusing me of hacking and keylogging people's accounts, and that I apparently had a Team Fortress 2 Classic (Facepunch fan-made mod) server running on my dedicated server. I was confused at first because TF2C is not Linux-supported as of yet and my dedicated server runs Ubuntu 12.04.

    After doing some investigating, I discovered someone gained access to my dedicated server and remotely executed SRCDS.exe to create a fake "VaultF4" branded TF2 Classic server located at the IP 198.245.49.206:27085. That is indeed the IP address of my dedicated server, but it's a port that I have never used before. What they then did was use a spray exploit to deliver a particularly nasty RAT keylogger to many users.

    I've since cleared my name with the community and directed them to the real perpetrators. I don't have information on the RAT but some was posted in the Team Fortress 2 Classic thread on Facepunch.com (which I can't view to get the link as I'm IP banned from Facepunch).

    What has since happened is people on Facepunch are now discussing going to the FBI or whichever department of justice deals with online crime, in an attempt to get some justice on TheRubberFruitFace, Roy and Sikes. Rara has already contacted Steam Support about the items that were stolen and traded off to Amnesic. And the TF2 Classic dev team have contacted Valve about the exploit to hopefully get it patched.

    All that's left now is for this situation to be examined by SteamRep staff and hopefully get these 4 (6, with Amnesic's alt and TheRubberFruitFace's alt, though it could be more as I feel that Roy and Sikes may have several alts out there) labelled as scammers or whatever needs to be done.

    It took me a while to get all this information together, so hopefully I didn't forget anything or leave anything out. If any more information is required, please ask me and I'll try my best to get it for you.

    Provide Evidence:
    1. Reddit - PSA about this Source SDK 2013 MP base file upload and execution exploit.
    2. My in-depth explanation of how the above exploit was discovered and how I was nearly blamed for all the hackings. I also discuss how I believe RubberFruitFace, Roy and Sikes gained access to my dedicated server.
    3. TF2Classic.com forum post about the exploit. There is some information there that I posted about what was going on. Could be useful.

    For these next 3, just do CTRL+F and look for "ptrace". Check the IPs. The one beginning with 198 is my IP address but I don't remember ptracing myself, nor do I know what a ptrace is, so I'm a tad confused.
    4. "Syslog" file from my dedi. Contains the IP range of TheRubberFruitFace ("46.99.###.###")
    5. Syslog.1 file
    6. Syslog.2 file

    This next one is trade screenshots from the listed victim (Rara) showing all his items being traded off to someone else's account. Rara has told me that Amnesic has pretty much sold off all the stolen CS:GO items, but has not sold off the TF2 items that were stolen.
    View attachment 318990

    Here's TheRubberFruitFace's list of bans on my server. You can see the IP he used to use here. Compare his listed IP to the one in the first Syslog file.
    8. Bans for TheRubberFruitFace

    His IP on SourceBans is listed as "46.99.54.237". The one in my syslog is "46.99.31.3". Seems like a match to me, and it's how I came to the realization of who was behind this whole situation.

    Last edited by a moderator: Oct 31, 2015
  2. 404UserNotFound

    404UserNotFound Donator - Tier V

    Messages:
    96
    Steam:
    STEAM_0:1:28177988
    Darnit, could an admin edit the evidence section and fix up the broken linking on "3. TF2Classic.com forum post..."?
  5. Clive

    Clive SteamRep Admin

    Messages:
    6,571
    SteamRep Admin:
    STEAM_0:0:43668349
    Thank you for your report, however we do not handle hijacking or hacking reports. Due to this, I am marking this report Invalid.