Hacked by KHobbits?

Discussion in 'Bukkit Discussion' started by PsychoSpyder, Sep 9, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    PsychoSpyder

    When I was on my server, I was disconnected randomly. It said: You logged in from another location. I dismissed it and thought that someone was just attempting to log in to my Minecraft account. The same thing happened again, and at the 4th time I was logged off for 5 minutes. I panicked and called a friend, and told him I was being hacked; I told him to come onto the server. He said that I wasn't on. When I logged back onto the server, spawn was in a mess. At first, I thought someone had kicked me from my server and had griefed the server. Then I was logged off again. My friend told me that I was destroying my own spawn, and that someone else was using my account. I quickly logged onto minecraft.net and changed my password, but I still couldn't log on. I looked at the server console and a guy called khobbits had joined (KHobbits is the creator of Essentials). KHobbits made himself Moderator and opped himself. When I tried to ban him he would somehow unban himself. When I banned his IP, he logged in with another account: khobbits1. From the console, I banned myself and told my friend to use some GroupManager commands. He demoted KHobbits from Moderator. KHobbits only disconnected after I banned his IP several times. After that I did a quick Google search to see if the same thing had happened to anyone else, and other people were hacked as well.

    I'm not blacklisting KHobbits on this site, I think that it actually might not be him.
     
  2. Offline

    Necrodoom

    Update to bukkit devbuild to avoid exploit.
    Also, it was an impersonator.
     
  3. Offline

    UltiFix

    Wow, I'm REALLY glad I don't use GroupManager now, that's scary.... Giving himself permissions without users knowing. I love PEX
     
  4. Offline

    Bobcat00

    No, that's not what happened.
     
  5. Offline

    Necrodoom

    As if PEX doesn't do the exact same.
     
  6. Offline

    jeffro1001

    I know what happened.
    The hacker used the Bukkit exploit to force his way onto the server (yes, I know it's been fixed).

    After being logged into the server as KHobbits he was able to take advantage of the built-in backdoor that comes with GroupManager to gain elevated rights.

    Thanks, Bukkit, for removing my previous post. I don't guess you feel as if the Bukkit community needs to know about it, huh?

    Think I'm lying? Go install GroupManager on a fresh Bukkit and see if I'm wrong.

    If you use GroupManager, look in groupmanager\worlds\<worldname>\users.yml and clean up that mess
     
  7. Offline

    Necrodoom

    Considering they don't even get any server-breaking permissions having such low ranks, this isn't a backdoor. You are throwing blame at GroupManager for having some users in the users.yml, despite the fact that anyone using the exploit might as well have logged in as one of the admins, and actually been able to do anything.

    Is it somehow GroupManager's fault that this exploit exists?

    Also, considering that about any other permission plugin adds example users with some low default perms to the users, I have no idea why you are throwing the blame at GroupManager for giving you example users, despite it being even less exploitable than the common "backdoor", since it can't be used in offline mode.

    Think before you post stuff like that.
     
  8. Offline

    TnT

    Here's the problem with this post - this cannot be caused by any authentication exploit unless khobbits already had elevated privileges on the server. There is still no way to "force OP" any server.

    Most probable situation? This server is running in offline mode and the person's permissions file has khobbits in an elevated group of some sort. Alternatively, this person has fallen victim to an authentication exploit and has khobbits in an elevated group of some sort in their permission file.

    Solution: Run the recently released RB and fix your permissions file. Don't run in offline mode.
     
  9. Offline

    jeffro1001

    Built in groupmanager Moderator abilities: ( not to mention any additional nodes the server admin may have added)
    - essentials.ban
    - essentials.ban.notify
    - essentials.banip
    - essentials.broadcast
    - essentials.clearinventory
    - essentials.delwarp
    - essentials.eco.loan
    - essentials.ext
    - essentials.getpos
    - essentials.helpop.recieve
    - essentials.home.others
    - essentials.invsee
    - essentials.jails
    - essentials.jump
    - essentials.kick
    - essentials.kick.notify
    - essentials.kill
    - essentials.mute
    - essentials.nick.others
    - essentials.realname
    - essentials.setwarp
    - essentials.signs.create.*
    - essentials.signs.break.*
    - essentials.spawner
    - essentials.thunder
    - essentials.time
    - essentials.time.set
    - essentials.protect.alerts
    - essentials.protect.admin
    - essentials.protect.ownerinfo
    - essentials.ptime
    - essentials.ptime.others
    - essentials.togglejail
    - essentials.top
    - essentials.tp
    - essentials.tphere
    - essentials.tppos
    - essentials.tptoggle
    - essentials.unban
    - essentials.unbanip
    - essentials.weather
    - essentials.whois
    - essentials.world
    - groupmanager.listgroups
    - groupmanager.mandemote
    - groupmanager.manpromote
    - groupmanager.manselect
    - groupmanager.manuadd
    - groupmanager.manudel
    - groupmanager.manwhois
    - groupmanager.notify.other

    so yea, looks to me like there are a few things that would cause some 'problems' for a server owner.

    The 'back door' shouldn't be there at all, period.

    I'm not blaming group manager for the bukkit exploit. I'm saying the hacker used the khobbits acct to gain all of these abilities because he knew they would more than likely be available to him.

    Sure, he could have easily forced his way onto the server with an account that is opped or admin, but just maybe he doesn't know the name of a server admin on that particular server.

    What he does know is that the Khobbits acct has these abilities on any server running that addon, if the owner isn't aware of it.

    Also, saying that many other permission plugins have example users, and that that is justification for addon developers putting in these back doors, is laughable.

    If they want to include some example entries so the server admin knows how to format them then they can provide examples, but easily # them out of actually working.
     
  10. Offline

    Bobcat00

    molehill --> mountain
     
  11. Offline

    UltiFix

    It doesn't, does it?! AH!!! I'm scared.
     
  12. Just a few details for clarification: the term 'backdoor' suggests that there is something in the code that can be abused. This is not true; neither Essentials nor GroupManager has any backdoors that allow me to run any commands that normal users can't.
    What I do have however is a set of example permissions in the default user file of groupmanager, the file is as follows:
    https://github.com/essentials/Essentials/blob/2.x/EssentialsGroupManager/src/users.yml

    This file is the 'example' file which is generated by default when you install GroupManager. Most plugins generate example files, and I have received much praise in general for how well the current example files demonstrate the features and functionality of GM and Essentials.

    One important note is the existence of the 'groupmanager.noofflineperms' permission. This permission means my account is blocked from use on offline mode servers. Until that permission is removed from my account, it shouldn't be able to receive any groupmanager permissions.

    I could have picked any names to serve as examples, but because I knew some people would not follow the instructions and would forget to remove them, I had to pick a few of the account names I knew I could trust.

    While originally I had myself as an admin in the example file, I changed this to moderator so in the rare case of abuse, the person would not be able to wreak havoc on a server.

    Also be aware, this attack exploit you experienced could have been done against any account including accounts which have admin or owner access.

    Since we're talking about this sort of thing, one thing I would like to point out is that sk89q does something similar with worldedit, but gives himself '*' permission:
    https://github.com/sk89q/worldedit/...pif/ConfigurationPermissionsResolver.java#L42

    He creates a wepif.yml in the root Bukkit folder (if you've used WorldEdit/WorldGuard, go check!). This file affects any plugins which use the WEPIF permissions API, which includes plugins like WorldEdit, WorldGuard, CommandBook and a few others. Most people don't even notice this file is created!
     
  13. Offline

    iiHeroo

    TnT UltiFix KHobbits

    Well, few questions & statements.

    What does offline mode do/allow ?

    And if sk89q giving himself '*' is that even allowable ?

    And, I trust GroupManager, even though I don't use it, sorry KHobbits, but I still prefer PermissionsEx, because that's what my friend taught me to use, and the fact that I find the commands easier to remember. The only reason I don't like it is that when you do "/pex" you're spammed with the commands, and it's all in white text, so it's not easy to read; maybe one day I'll use GM, but who knows. And I've seen the wepif.yml, and mainly look at the Notepad++ http://gyazo.com/aeec995852e0e9407f0989397732cea1 , sk89q as a group Admins, gives himself '*' and puts himself in the group Admins.
     
  14. Offline

    hatstand

    Offline mode allows anyone to log in under any name, they don't need an account.

    Except that's wrong, GJ spreading FUD. WEPIF only does anything if there's no other permissions system available.
     
  15. Offline

    seiterseiter

    GroupManager I believe comes with a default users.yml which as an example has khobbits set as admin which you are meant to remove.
     
  16. Offline

    EvilJackCarver

    That is indeed correct, KHobbits is set as an example user under moderator (meant to be removed) however even with a fresh GM install on an offline server, he still cannot get any access whatsoever due to the perm node "groupmanager.noofflineperms" being there. The bit 'noofflineperms' means just that - if the server is in offline mode (which it really shouldn't be, major security risk) then KHobbits automatically gets what amounts to a negating wildcard.

    More details on this post, this is just the short version.
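    As an added example tying together the explanation in posts 12 and 16 (this is not GroupManager's or Essentials' own code), the script below reads a GroupManager-style users.yml, lists every account sitting in an elevated group, and reports whether the groupmanager.noofflineperms node would block that account on an offline-mode server. The sample file and the ExampleAdmin/alice names are constructed for the demo, and the caller is assumed to pass the server's online-mode setting from server.properties.

```python
# Constructed sample in the layout of GroupManager's users.yml (node name from the thread).
SAMPLE_USERS_YML = """\
users:
  KHobbits:
    group: Moderator
    permissions:
    - groupmanager.noofflineperms
  ExampleAdmin:
    group: Admin
  alice:
    group: Default
"""

ELEVATED = {"Moderator", "Admin", "Owner"}   # groups worth reviewing
NO_OFFLINE = "groupmanager.noofflineperms"  # blocks the user on offline-mode servers


def parse_users(text):
    """Minimal reader for the 'users:' block; not a general YAML parser."""
    users, current = {}, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 2 and body.endswith(":"):          # start of a user entry
            current = body[:-1]
            users[current] = {"group": None, "permissions": []}
        elif current and indent == 4 and body.startswith("group:"):
            users[current]["group"] = body.split(":", 1)[1].strip()
        elif current and indent == 4 and body.startswith("- "):
            users[current]["permissions"].append(body[2:].strip())
    return users


def audit(text, online_mode):
    """Return (user, group, verdict) for every elevated account in the file."""
    findings = []
    for name, entry in parse_users(text).items():
        group = entry["group"]
        if group not in ELEVATED:
            continue
        if not online_mode and NO_OFFLINE not in entry["permissions"]:
            verdict = "usable by anyone on an offline-mode server"
        elif not online_mode:
            verdict = "blocked on offline-mode servers by " + NO_OFFLINE
        else:
            verdict = "elevated example account: remove it if you did not add it"
        findings.append((name, group, verdict))
    return findings
```

    Run audit() against the real file with online_mode taken from server.properties; every name it returns that you did not add yourself should be deleted from users.yml.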
     
  17. Offline

    iiHeroo

    Ahh, so it's a cracked server mainly ?
     
  18. Offline

    hatstand

    Same thing, though offline mode is the technically correct term.
     
  19. Offline

    iiHeroo

    Yeah, I was never told that, so xD, not my fault :(
     