Solved I believe my server is getting hacked.

Discussion in 'Bukkit Help' started by someone22, May 19, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    someone22

    So this all began yesterday, 2013-05-18.
    Two of my admins spotted invisible players with iron blocks, floating around in the sky, and someone had built an "SS" Nazi mark on one of our buildings, but only the admins were online. (It's a private server.) Another admin and I joined the server the next day, where we spotted the same thing again. I have the SuperLogger plugin installed, and all the logs from those 2 dates were completely erased.

    I have online-mode set to true, and it is a Bukkit 1.5.2-R2 server.
    Please help, I'm kinda freaking out right now... :/

    Holy shit, it just happened again: another Nazi mark and a sign that said "DIE MOTHERFUCKERS, P.S FROM UNKNOWN". I am really freaked out right now, what should I do??

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 1, 2016
  2. Offline

    Bobcat00

    I have no experience with this sort of thing, but you should be able to look at the logs, see who logged in and ban them.

    You should also check your ops.txt file and whatever permissions files you're using to see how they got whatever permissions they needed.

    Are you using whitelisting? You should. Make sure it's still turned on.

    Consider the possibility that one of your admins is doing it or gave op to someone else. It happens.
     
  3. Offline

    someone22


    No, the log files are completely empty, and none of the admins are able to delete the logs.
     
  4. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    Shut down server
    Check ops.txt for names you don't recognize
    Check permissions plugin config for names you don't recognize
    Check server.log
     
    Novustorious likes this.
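
The ops.txt and server.log checks from the post above, as an added example that is not part of the original thread or any poster's code. It assumes ops.txt holds one name per line and that server.log lines have the shapes the two regexes expect; the trusted names and sample data are constructed, and the permissions plugin config is not covered.

```python
import re

# Assumed line shapes for a CraftBukkit 1.5.x server.log (verify against your own log).
LOGIN = re.compile(r"^(\S+ \S+) \[INFO\] (\w+)\[/([\d.]+):\d+\] logged in")
OP_CMD = re.compile(r"^(\S+ \S+) \[INFO\] (\w+) issued server command: /op (\w+)", re.I)


def names(text):
    """Parse a one-name-per-line file such as ops.txt; case-insensitive."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def audit(trusted, ops_txt, server_log):
    """Return findings for the ops.txt and server.log checks."""
    trusted = {n.lower() for n in trusted}
    findings = {
        "unknown_ops": sorted(names(ops_txt) - trusted),
        "unknown_logins": [],   # (timestamp, name, ip) for names not in trusted
        "op_grants": [],        # (timestamp, who ran /op, target)
        "log_empty": not server_log.strip(),  # an empty log is itself a finding
    }
    for line in server_log.splitlines():
        m = LOGIN.match(line)
        if m and m.group(2).lower() not in trusted:
            findings["unknown_logins"].append(m.groups())
        m = OP_CMD.match(line)
        if m:
            findings["op_grants"].append(m.groups())
    return findings


# Constructed sample data; names and addresses are made up.
TRUSTED = {"owner_example", "admin_a"}
SAMPLE_OPS = "owner_example\nadmin_a\nStranger99\n"
SAMPLE_LOG = """\
2013-05-18 20:01:10 [INFO] admin_a[/192.0.2.10:50111] logged in with entity id 101 at ([world] 0.5, 64.0, 0.5)
2013-05-18 20:03:42 [INFO] admin_a issued server command: /op Stranger99
2013-05-18 20:04:05 [INFO] Stranger99[/198.51.100.7:49822] logged in with entity id 102 at ([world] 1.5, 64.0, 2.5)
"""

if __name__ == "__main__":
    for key, value in audit(TRUSTED, SAMPLE_OPS, SAMPLE_LOG).items():
        print(key, value)
```

Run it against copies of the files taken while the server is shut down, so the originals stay untouched as evidence.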
  5. Offline

    themine12

    1) Whitelist the server so only you and trusted admins can get on, then slowly allow more players on to single out the hacker (not necessary)
    2) Delete any vanish plugins you have on the server
    3) Remove all SuperLogger perms from admins (just in case they are deleting the records)
    4) Also get CoreProtect to get a log of who placed what block and when (do NOT give perms to anyone)
    5) Deop all ops except yourself
     
  6. Offline

    someone22

    Alright, I've whitelisted the server for only the admins and installed CoreProtect.
    If this happens one more time, I'm going for one particular admin that would be able to do this.

    Thanks for all your help.
     