How to combat hackers that crash servers?

Discussion in 'Bukkit Help' started by Senzuri, Apr 18, 2011.

    I've had a problem as of late, where a user known as flavor (who has multiple accounts) continuously crashes my server.

    I'm not sure how he does it. But it's gotten to the point where I need something done.

    The things I do know:
    - It is not a DDOS attack.
    - It's a type of attack that requires a user to be connected to the server (90% sure).
    - From what I can tell, it's a type of attack that puts stress on the CPU. (CPU gets to 100% when attacked, MEM was at about 80%).

    Here's a message from one of his friends right before the server crashed:

    The server then stops responding, and console starts printing out "[INFO] Read timed out"

    Some other things to note: I'm running latest recommended bukkit version (#677), plugins I'm running (all up to date):

    If anyone could help I would greatly appreciate it.

    I would also recommend you ban the following accounts (they are all his alias accounts):

    And his friends' accounts:
    Maybe you should look into McBans. If several admins do a global ban on these user accounts they will get blocked from any server running mcbans.

    Do you see them using any commands in the console?
    The console doesn't indicate they're using commands, the server simply stops responding, and CPU usage goes through the roof.

    I don't personally use MCBANS, but I did make a thread to try to get these players off as many servers as possible:,461.0.html

    Update: Another user to add to the list:
    16:33:32 [INFO] <DerpStick> What's that?
    16:33:36 [INFO] <AussieYak> momo what is 'popping the cherry' ?
    16:33:39 [INFO] <**ZephyrKin Hydrothermal> SOMEBODY BET ON DROCKS
    16:33:39 [INFO] <DerpStick> I think it's the sound of you're server crashing!
    I really want to thank you for pointing this out. We have issued a global ban through mcbans on another player who was crashing our server. I can confirm a few things to try and help but I do not have access to the server log. We have stopped the crashing by blocking his IP through a firewall and installing a whitelist. You HAVE to be logged in order to crash the server. I don't know what causes it but you do have to be logged in.

    We are also running 677 along with the following plugins.

    Plugins are: AuthDB, AutoSave, BorderGuard, ecoCreature, Essentials (with eco and ban/kick removed), Group Manager, HeroChat, Heroic Death, iConomy+iConomyChestShop, Lockette, Logblock, mcbans, Minecart Mania, NoCheat, OddItem, Signcolours, Whitelist, WorldEdit and WorldGuard.

    I really do hope the bukkit team can find a fix for this. It can really ruin servers and caused us a few hours downtime. Sorry if I was not much help but once again I do not have access to the console to post the errors we were getting but we were also getting the Timed out message through the console.


    The server owner gave me some more information on this and I'm posting it trying to help.

    This guy is the same person. I suggest you ban Zoffyx, Thecoldbard and Calasmeer

    Here is the first crash.

    2011-04-18 18:27:22 [INFO] Thecoldbard [/84.19.169.***:62858] logged in with entity id 10394
    2011-04-18 18:27:23 [INFO] Whitelist: Player jimminyjojo is trying to join...
    2011-04-18 18:27:23 [INFO] allow!
    2011-04-18 18:27:23 [INFO] jimminyjojo [/71.72.54.***:54023] logged in with entity id 10397
    2011-04-18 18:27:23 [INFO] §9[PLAYER_COMMAND] TaylorSwift: /i compass compass 1
    2011-04-18 18:27:25 [INFO] [HeroChat] [G] Snipedz: It's all sorted now.
    2011-04-18 18:27:26 [INFO] [HeroChat] [G] IDontEvenKnow: server keeps crashing or something
    2011-04-18 18:28:19 [INFO] Connection reset
    2011-04-18 18:28:34 [INFO] Read timed out
    2011-04-18 18:28:45 [INFO] Read timed out
    2011-04-18 18:28:51 [INFO] Read timed out
    2011-04-18 18:28:57 [INFO] Read timed out

    Here is the second crash.

    2011-04-18 18:31:54 [INFO] Whitelist: Player Thecoldbard is trying to join...
    2011-04-18 18:31:54 [INFO] allow!
    2011-04-18 18:31:54 [INFO] Thecoldbard [/84.19.169.***:63929] logged in with entity id 6320
    2011-04-18 18:32:54 [INFO] Read timed out
    2011-04-18 18:33:00 [INFO] Read timed out
    2011-04-18 18:33:18 [INFO] Read timed out
    2011-04-18 18:33:27 [INFO] Read timed out

    And the third one.

    2011-04-18 18:29:21 [INFO] Thecoldbard [/84.19.169.***:63908] logged in with entity id 2659
    2011-04-18 18:29:24 [INFO] Whitelist: Player winonitarosa is trying to join...
    2011-04-18 18:29:24 [INFO] allow!
    2011-04-18 18:29:24 [INFO] winonitarosa [/190.84.134.***:50071] logged in with entity id 5047
    2011-04-18 18:29:27 [INFO] Connection reset
    2011-04-18 18:29:32 [INFO] Connection reset
    2011-04-18 18:30:05 [INFO] Read timed out
    2011-04-18 18:30:11 [INFO] Read timed out
    2011-04-18 18:30:14 [INFO] Read timed out

    *Filtered out IP addresses as I do not know if this is against the rules posting IP addresses.

    Any help on this matter would be great. The longer we wait to fix this we will have more and more people knowing about the exploit crashing servers just for the fun of it.
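
Added example, not part of any post in this thread: a Python triage script that groups the "Read timed out" bursts into stalls and lists the accounts that logged in shortly before each one. The sample lines are taken from the three excerpts above and put in time order; the 120-second look-back and 60-second stall gap are assumed values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines taken from the three crash excerpts in the thread (IPs already masked).
SAMPLE_LOG = """\
2011-04-18 18:27:22 [INFO] Thecoldbard [/84.19.169.***:62858] logged in with entity id 10394
2011-04-18 18:27:23 [INFO] jimminyjojo [/71.72.54.***:54023] logged in with entity id 10397
2011-04-18 18:27:25 [INFO] [HeroChat] [G] Snipedz: It's all sorted now.
2011-04-18 18:28:19 [INFO] Connection reset
2011-04-18 18:28:34 [INFO] Read timed out
2011-04-18 18:28:45 [INFO] Read timed out
2011-04-18 18:29:21 [INFO] Thecoldbard [/84.19.169.***:63908] logged in with entity id 2659
2011-04-18 18:29:24 [INFO] winonitarosa [/190.84.134.***:50071] logged in with entity id 5047
2011-04-18 18:30:05 [INFO] Read timed out
2011-04-18 18:30:11 [INFO] Read timed out
2011-04-18 18:31:54 [INFO] Thecoldbard [/84.19.169.***:63929] logged in with entity id 6320
2011-04-18 18:32:54 [INFO] Read timed out
2011-04-18 18:33:00 [INFO] Read timed out
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[INFO\] (.*)$")
# \w-only names so a chat line cannot pose as a login record.
LOGIN = re.compile(r"^(\w{1,16}) \[/[^\]]+\] logged in with entity id \d+$")
WINDOW = timedelta(seconds=120)    # assumed look-back before a stall
STALL_GAP = timedelta(seconds=60)  # assumed quiet time separating two stalls

def stalls_with_logins(log_text):
    """Return [(stall_start, {accounts that logged in within WINDOW before it})]."""
    logins, stalls, last_timeout = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        login = LOGIN.match(m.group(2))
        if login:
            logins.append((ts, login.group(1)))
        elif m.group(2) == "Read timed out":
            # First timeout after a quiet period marks the start of a new stall.
            if last_timeout is None or ts - last_timeout > STALL_GAP:
                stalls.append((ts, {n for t, n in logins if ts - WINDOW <= t <= ts}))
            last_timeout = ts
    return stalls

def recurring_accounts(log_text, min_stalls=2):
    """Accounts that logged in shortly before at least min_stalls separate stalls."""
    counts = Counter(n for _, names in stalls_with_logins(log_text) for n in names)
    return sorted(n for n, c in counts.items() if c >= min_stalls)

if __name__ == "__main__":
    for start, names in stalls_with_logins(SAMPLE_LOG):
        print(start, sorted(names))
    print("recurring:", recurring_accounts(SAMPLE_LOG))
```

An account that recurs before several stalls is a lead for a ban or firewall rule, not proof; players who simply reconnect after each restart will show up too.
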
    happened a few times on my server yesterday too!
    Basso Ossab

    I've had users using ZoneAlarm on their PC that have crashed the server. Might not be that though.
    If you log their packets with wireshark, you might see what's happening.
    I'm glad I'm not the only one suffering from this. It's a very serious issue and my server is basically defenceless against this kind of attack.
    A new RB candidate is currently being tested that contains an exploit fix. Whether or not this will address your issue remains to be seen as there is little to no information provided, though.
    If there's any information you can ask me to get I'd be happy to help. All I know is the type of attack lags the server by causing 100% CPU usage.


    I've just finished talking to this guy that's been crashing my server. I can confirm more things:
    - The hack is compiled into a .class file, then placed into minecraft.jar
    - The hack sends a packet to the server, which causes the server to hang and CPU usage go through the roof
    - It is triggered by typing .crash (90% sure)
    - I also noticed they use /who
    - I believe they're using a massive list of phished accounts

    I don't believe that the "Read Timed Out" is actually an error that's caused by the hack itself, just that the server is frozen (When I freeze my server from a massive worldedit, it throws Read Timed Out until it unfreezes). Unfortunately/Fortunately I haven't had this happen to my server yet. (Fortunate because I don't like when my server gets attacked, unfortunate that I couldn't gather more information via Wireshark when they were attacking.) If anyone using this hack is watching this thread, try to attack :p
    UPDATE: EvilSeph released a build which prevents this exploit.

    I unbanned the person crashing my server, and told him to try again - it didn't work.

    If you're having this problem try and use this version:
    Thank you for the notice. We will be updating to 683 ASAP. Once again thanks for pointing this out.

    A very fast fix. Thank you for putting the time and effort into this.
    People are still crashing my server with the latest build.

    They are typing ".crash" to trigger these crashes it seems.
