How to combat hackers that crash servers?

Discussion in 'Bukkit Help' started by Senzuri, Apr 18, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Senzuri

    I've had a problem as of late, where a user known as flavor (who has multiple accounts) continuously crashes my server.

    I'm not sure how he does it. But it's gotten to the point where I need something done.

    The things I do know:
    - It is not a DDOS attack.
    - It's a type of attack that requires a user to be connected to the server (90% sure).
    - From what I can tell, it's a type of attack that puts stress on the CPU. (CPU gets to 100% when attacked, MEM was at about 80%).


    Here's a message from one of his friends right before the server crashed:
    [​IMG]

    The server then stops responding, and console starts printing out "[INFO] Read timed out"

    Some other things to note: I'm running latest recommended bukkit version (#677), plugins I'm running (all up to date):
    Backup.jar
    HeroicDeath.jar
    Minequery.jar
    SpawnMob.jar
    BorderGuard.jar
    iConomy.jar
    NoCheat.jar
    TelePlusPlus.jar
    LocalShops.jar
    Permissions.jar
    WorldEdit.jar
    Factions.jar
    MinecraftRkitPlugin.jar
    SimpleReserve.jar

    If anyone could help I would greatly appreciate it.

    I would also recommend you ban the following accounts (they are all his alias accounts):
    Flavor
    BigRig
    StarmTK
    Bingbongben
    Mattsimo
    Jokerswild2412
    FrozenHobbit

    And his friends' accounts:
    iantorlan
    DerpStick
     
  2. Offline

    Phaedrus

    Maybe you should look into McBans. If several admins do a global ban on these user accounts they will get blocked from any server running mcbans.

    Do you see them using any commands in the console?
     
  3. Offline

    Senzuri

    The console doesn't indicate they're using commands, the server simply stops responding, and CPU usage goes through the roof.

    I don't personally use MCBANS, but I did make a thread to try to get these players off as many servers as possible:
    http://forums.mcbans.com/index.php/topic,461.0.html

    Update: Another user to add to the list:
    16:33:32 [INFO] <DerpStick> What's that?
    16:33:36 [INFO] <AussieYak> momo what is 'popping the cherry' ?
    16:33:39 [INFO] <**ZephyrKin Hydrothermal> SOMEBODY BET ON DROCKS
    16:33:39 [INFO] <DerpStick> I think it's the sound of you're server crashing!
     
  4. Offline

    Snip3d

    I really want to thank you for pointing this out. We have issued a global ban through mcbans on another player who was crashing our server. I can confirm a few things to try and help but I do not have access to the server log. We have stopped the crashing by blocking his IP through a firewall and installing a whitelist. You HAVE to be logged in in order to crash the server. I don't know what causes it but you do have to be logged in.

    We are also running 677 along with the following plugins.

    Plugins are: AuthDB, AutoSave, BorderGuard, ecoCreature, Essentials (with eco and ban/kick removed), Group Manager, HeroChat, Heroic Death, iConomy+iConomyChestShop, Lockette, Logblock, mcbans, Minecart Mania, NoCheat, OddItem, Signcolours, Whitelist, WorldEdit and WorldGuard.

    I really do hope the bukkit team can find a fix for this. It can really ruin servers and caused us a few hours downtime. Sorry if I was not much help but once again I do not have access to the console to post the errors we were getting but we were also getting the Timed out message through the console.


    EDIT:

    The server owner gave me some more information on this and I'm posting it trying to help.

    This guy is the same person. I suggest you ban Zoffyx, Thecoldbard and Calasmeer

    Here is the first crash.

    Code:
    2011-04-18 18:27:22 [INFO] Thecoldbard [/84.19.169.***:62858] logged in with entity id 10394
    2011-04-18 18:27:23 [INFO] Whitelist: Player jimminyjojo is trying to join...
    2011-04-18 18:27:23 [INFO] allow!
    2011-04-18 18:27:23 [INFO] jimminyjojo [/71.72.54.***:54023] logged in with entity id 10397
    2011-04-18 18:27:23 [INFO] §9[PLAYER_COMMAND] TaylorSwift: /i compass compass 1
    2011-04-18 18:27:25 [INFO] [HeroChat] [G] Snipedz: It's all sorted now.
    2011-04-18 18:27:26 [INFO] [HeroChat] [G] IDontEvenKnow: server keeps crashing or something
    2011-04-18 18:28:19 [INFO] Connection reset
    2011-04-18 18:28:34 [INFO] Read timed out
    2011-04-18 18:28:45 [INFO] Read timed out
    2011-04-18 18:28:51 [INFO] Read timed out
    2011-04-18 18:28:57 [INFO] Read timed out

    Here is the second crash.

    Code:
    2011-04-18 18:31:54 [INFO] Whitelist: Player Thecoldbard is trying to join...
    2011-04-18 18:31:54 [INFO] allow!
    2011-04-18 18:31:54 [INFO] Thecoldbard [/84.19.169.***:63929] logged in with entity id 6320
    2011-04-18 18:32:54 [INFO] Read timed out
    2011-04-18 18:33:00 [INFO] Read timed out
    2011-04-18 18:33:18 [INFO] Read timed out
    2011-04-18 18:33:27 [INFO] Read timed out

    and the third one.

    Code:
    2011-04-18 18:29:21 [INFO] Thecoldbard [/84.19.169.***:63908] logged in with entity id 2659
    2011-04-18 18:29:24 [INFO] Whitelist: Player winonitarosa is trying to join...
    2011-04-18 18:29:24 [INFO] allow!
    2011-04-18 18:29:24 [INFO] winonitarosa [/190.84.134.***:50071] logged in with entity id 5047
    2011-04-18 18:29:27 [INFO] Connection reset
    2011-04-18 18:29:32 [INFO] Connection reset
    2011-04-18 18:30:05 [INFO] Read timed out
    2011-04-18 18:30:11 [INFO] Read timed out
    2011-04-18 18:30:14 [INFO] Read timed out

    *Filtered out IP addresses as I do not know if this is against the rules posting IP addresses.


    Any help on this matter would be great. The longer we wait to fix this we will have more and more people knowing about the exploit crashing servers just for the fun of it.
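
Added example (not part of the thread or of Bukkit's code): a way to triage logs like the three above by treating the first "Read timed out" as the stall onset and counting which accounts logged in shortly before it in each incident. The 90-second window and the function names are assumptions; an account that recurs across incidents is a lead for a ban or capture, not proof.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines trimmed from the three crash logs posted above (IPs masked as posted).
CRASHES = [
    """2011-04-18 18:27:22 [INFO] Thecoldbard [/84.19.169.***:62858] logged in with entity id 10394
2011-04-18 18:27:23 [INFO] jimminyjojo [/71.72.54.***:54023] logged in with entity id 10397
2011-04-18 18:28:19 [INFO] Connection reset
2011-04-18 18:28:34 [INFO] Read timed out""",
    """2011-04-18 18:31:54 [INFO] Thecoldbard [/84.19.169.***:63929] logged in with entity id 6320
2011-04-18 18:32:54 [INFO] Read timed out""",
    """2011-04-18 18:29:21 [INFO] Thecoldbard [/84.19.169.***:63908] logged in with entity id 2659
2011-04-18 18:29:24 [INFO] winonitarosa [/190.84.134.***:50071] logged in with entity id 5047
2011-04-18 18:29:27 [INFO] Connection reset
2011-04-18 18:30:05 [INFO] Read timed out""",
]

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[INFO\] "
LOGIN = re.compile(TS + r"(\S+) \[/[^\]]*\] logged in with entity id \d+")
STALL = re.compile(TS + r"Read timed out")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def suspects(log_text, window=timedelta(seconds=90)):
    """Accounts that logged in within `window` (assumed 90 s) before the first stall line."""
    logins = []
    for line in log_text.splitlines():
        stall = STALL.match(line.strip())
        if stall:
            onset = _ts(stall.group(1))
            return {name for t, name in logins if onset - t <= window}
        login = LOGIN.match(line.strip())
        if login:
            logins.append((_ts(login.group(1)), login.group(2)))
    return set()  # no stall marker in this excerpt

def rank_accounts(incidents):
    """Count, per account, how many incidents it preceded; most frequent first."""
    counts = Counter()
    for log_text in incidents:
        counts.update(suspects(log_text))
    return counts.most_common()

if __name__ == "__main__":
    for name, hits in rank_accounts(CRASHES):
        print(f"{name}: logged in before {hits} of {len(CRASHES)} stalls")
```
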
     
  5. Offline

    spunkiie

    Happened a few times on my server yesterday too!
     
  6. Offline

    Basso Ossab

    I've had users using ZoneAlarm on their PC that have crashed the server. Might not be that though.
    If you log their packets with wireshark, you might see what's happening.
     
  7. Offline

    Senzuri

    I'm glad I'm not the only one suffering from this. It's a very serious issue and my server is basically defenceless against this kind of attack.
     
  8. Offline

    EvilSeph

    A new RB candidate is currently being tested that contains an exploit fix. Whether or not this will address your issue remains to be seen as there is little to no information provided, though.
     
  9. Offline

    Senzuri

    If there's any information you can ask me to get I'd be happy to help. All I know is the type of attack lags the server by causing 100% CPU usage.

    Update:

    I've just finished talking to this guy that's been crashing my server. I can confirm more things:
    - The hack is compiled into a .class file, then placed into minecraft.jar
    - The hack sends a packet to the server, which causes the server to hang and CPU usage to go through the roof
    - It is triggered by typing .crash (90% sure)
    - I also noticed they use /who
    - I believe they're using a massive list of phished accounts

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 13, 2016
  10. Offline

    AgentKid

    I don't believe that the "Read Timed Out" is actually an error that's caused by the hack itself, just that the server is frozen (When I freeze my server from a massive worldedit, it throws Read Timed Out until it unfreezes). Unfortunately/Fortunately I haven't had this happen to my server yet. (Fortunate because I don't like when my server gets attacked, unfortunate that I couldn't gather more information via Wireshark when they were attacking.) If anyone using this hack is watching this thread, try to attack mc.greenmaw.com :p
     
  11. Offline

    Senzuri

    UPDATE: EvilSeph released a build which prevents this exploit.

    I unbanned the person crashing my server, and told him to try again - it didn't work.

    If you're having this problem try and use this version:

    http://ci.bukkit.org/job/dev-CraftBukkit/683/
     
  12. Offline

    Snip3d

    Thank you for the notice. We will be updating to 683 ASAP. Once again thanks for pointing this out.

    A very fast fix. Thank you for putting the time and effort into this.
     
  13. Offline

    Senzuri

    People are still crashing my server with the latest build.

    They are typing ".crash" to trigger these crashes it seems.
     