Discussion in 'Bukkit Help' started by Larry Newman, Aug 26, 2015.

Thread Status:
Not open for further replies.
  1. Offline

    Larry Newman

    Gonna be honest, if this happens to be a thing opened to the public, then there may be something terrible happening. I wouldn't be posting here if I knew what this guy was doing, but this is what it is.

    I logged onto my server to see that my spawn was destroyed, half of my plugins were disabled, and there was a guy flying around unrestricted when NoCheatPlus was still enabled.

    Now, I don't give anyone operator except myself. I don't give anyone incredibly elevated permissions, except myself. I don't give anyone WorldEdit anywhere other than creative, except myself. I've never logged into my account from another computer, I've never ever typed my password into anything other than the official Minecraft launcher, and Minecraft.net. I've never given anyone access to the server console, or provided Rcon access to anyone at all.

    I run with Shockbyte, a highly respected company 3+ years in hosting Minecraft servers. I've contacted them of whether it could be a rogue staff member or someone deciding to get into their server files.

    I run Spigot 1.8.7, online mode server, high security, staff members have incredibly limited permissions, and I'm just curious if anyone has seen a recent hacked client or tool that allows someone to do this.

    This guy goes by the name <EDIT by Timtower: removed name to avoid whichhunt>
    So if you come across this guy, you might want to look out.
    Last edited by a moderator: Aug 27, 2015
  2. Offline

    timtower Administrator Administrator Moderator

  3. Offline


    I'd focus on the LOGS - checking from about 30 to 45 minutes before his account first joined - look at his ip, look for any accounts that were on in the time before from the same ip (as a scouting/setup account).
    Check the account properties for special permissions, subranks, op status. If he has them, then find out in the logs where he is made op, or who/console issues a command to add * permissions or worldedit.* permissions, etc

    One of your staff accounts? Check carefully again - check the IP that that staff account was logged in with by working back to find their login from that moment... is the IP realistic for your staff member, or is it a new and strange one, partucluarly does it match the bad guys account? Are other accounts also granted ops/permissions subsequently to this guy, did he assign ops/permissions to other accounts (other scout accounts from earlier, to use later)?

    You need to review logs - this is why they are there - to nail down the exact series of events as best possible that are logged, and if there are worldedit commands being issued and executed without any sign between login and doing of the account being granted these permissions, then you start examining your plugins having someone knowledgable do a decompling on them to look for opme code , particularly with plugins that you get from more questionable sources..

    As well, you also check yoru logs from a fresh startup of the server - whoa, whats that - java vomit errors all over your nocheatplus? Does that perhaps mean that while it 'seems' to be running on the server, that error it is spewing out might mean that there are some parts of it that are broken and wont work? Java vomit from that permission plugin, cause you pooched your yml file and things dont work exactly right the way you expect?

    Identify how he did damages - did he have time to just break everything one block at a time, or did it require mass-destruction tools like the worldedit superpick wide-pick mode, or was it 'every block turned to lava as a replacement' via worldedit commands, was it due to the detonation of tnt -- identify how he could have then gotten what he needed, and then identify any special things from the first few minutes he arrives on the server, particularly actions and interactions of other accounts, and commands he tries to issue, his ip, and any other accounts on that ip, any strangeness with op/power accounts at that time... Or did he take advantage of broken plugins from the startup java vomit warnings to sneak through just-so?

    Many of the op-me compromised plugins also have equivalent hidden/non-logging executable commands to carry out a variety of things as console commands without a player source, and most op-me compromised plugins also have code that will shut down any desired plugin they desire, so if you have one, its possible for someone to disable worldguard, or nocheatplus, and let them go about their business...

    I have assisted in 3 forensics investigations this past week alone, which all have a similar pattern in which a highly trusted, permissioned player is 'responsible' for granting commands to an account on the site, albeit not right away but within 10-15 mins of his account creation. In all cases, there is a scouting account from the same ip earlier, or two, playing for about 20 to 40 mins. Then suddenly one of the staff logs in from that same ip and logs out within the same second - in one case, the staffer was still logged into the site at the time, instead throwing an error due to being logged in in two places and kicking her off. In the other cases, the staff account was not logged on at the moment. But in each case, they were logged in from elsewhere, just so happening to be the bad guys ip, and then within a few mins of that event happening, chaos ensued with the opping of many accounts and permission elevations of others.

    This is not the classic man-in-the-middle attack seen previously, session-stealing by socially engineering a staff to a fake server at that time, but rather is an actual compromised password situation. In two of the cases, the passwords that had been used for the accounts were rather weak passwords that clearly fall into the smart-guessable short-list for a smart bruteforce attack. In the third it was quite complex and disconnected and not likely brute forced, suggesting that the passwords were compromised some other way.

    But to see such a similar pattern in a short time frame suddenly, suggests that there MAY possibly some tools out there to try to brute-force or smart-brute specific accounts, hence a scout playing while identifying the names of the power accounts to try to brute the password on. Not that one needs a tool to try to smart-brute attack any account manually with a dozen attempts, considering what percentage of users use passwords guessable within 10 tries - 123456, qwerty, password, pa55w0rd, (sameasusername), minecraft, etc
    Last edited: Aug 26, 2015
  4. Offline

    Larry Newman

    @timtower @Boomer I probably should've provided more information, but nobody would've read that. The FIRST things I did were pretty much everything above.

    Logs are first, then comes permission/ip check. Then you look for compromised accounts, unauthorized usage, and logins. I'm the only one that logged into my control panel since I've had my server, there's an IP log that comes along with it. I'm familiar with poison/opme plugins and I know where they come from.

    Other than the guy haughtily laughing after I joined, he seemed like he didn't know what he was doing.
  5. Offline


    So the question still remains - First, there are always going to be tricky twisty hacky ways to cheat flying systems, they just keep getting more and more trickier (Im not flying, im jumping repeatedly while climbing a block of air!) that will find ways to get around nocheatplus now and then. So that aside, the damages to the server - did they require elevated privledges in order to bypass region protection or use worldedit commands - did the player use any commands during his time on at all, or did he simply have free reign of the server long enough flying around to fist-break everything you saw? Did he use and execute power-commands that only ops /power players would have, regardless of there being or not being any op or permission commands logged on the server. Checking your console log on a commercial server was a good idea, it does eliminate gui-console interference, but there are still the command-dispatcher mechanisms that will result in logging a console command operation as-if someone typed into the console, yet did not.

    Aside of the flying, which may be a pure working hack, is there 'evidence' is there to support that he had anything other than pure time on his hands to cause the damages that required escalated privledges or bypassing plugins

    Would also be very interested to see a fresh, brand-new clean startup sequence from a restart not /reload from the server, if possible, to see what combination of plugins and versions you have, in case there are any warning flags to be concerned about. Could you do that, please?

    Caveat though: If your server is in offline mode, all bets are off.
  6. I didn't read any of the wall of texts above, but did you download all of your plugins from bukkit dev? If not, that's the problem.
    shades161 and timtower like this.
  7. Offline


    As an addition to what @MrBlackIsBack said, make sure you trust the plugins downloaded from dev bukkit. There's been instances where they were allowed on the site even though they can be harmful. Such as a plugin "logging" stuff in the console with 2 letters, allowing for just the right situation causing "o" and "p" used together to op a player through the console.
  8. The chances of a bad plugin getting into bukkit dev are so slim I don't think it should be considered, but that's my opinion :)
  9. Offline


    @MrBlackIsBack Well it's happened a few times at least, so its just worth at least knowing it's possible, but unlikely.
  10. Offline


    Can you give us the output of /version and /plugins?
Thread Status:
Not open for further replies.

Share This Page