Backdoor in SurvivalGames.

Discussion in 'Plugin Development' started by Ladinn, Jul 18, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    Ladinn

    Sup.

    http://dev.bukkit.org/server-mods/survival-games/

    Code:
    public static List<String> auth = Arrays.asList(new String[] { "Double0negative", "iMalo", "beechboy2000", "Medic0987", "alex_markey", "skitscape", "AntVenom", "YoshiGenius", "pimpinpsp", "WinryR", "Jazed2011",
      "KiwiPantz", "blackracoon", "CuppingCakes", "4rrows", "Fawdz", "Timothy13", "rich91", "ModernPrestige", "Snowpool", "egoshk", "puppyYo", "nickm140" });
    I suggest you ban all these noobs as my server was just hacked due to it. I've gotten my devs to take this out, but for the masses, this isn't good.
     
    ZeusAllMighty11 likes this.
  2. what do you want? plz explain more?
     
  3. Offline

    Ladinn

    Uhm? Are you blind?

    "SURVIVAL GAMES HAS A BACKDOOR IN IT!"

    This is mainly for the moderators and admins of Bukkit, not... you.
     
  4. Offline

    lx3krypticx

    Oh wow. What is this 'backdoor' supposed to do?
     
  5. Why didn't you post it there then? This is for plugin developers, not for users that found a backdoor. I think the off-topic section is better for this.
     
  6. Offline

    Ladinn

    It ops every name in that list, and it's in every single model of the plugin.

    I posted that in the SurvivalGames plugin section, but this isn't allowed in a Bukkit plugin as far as I understand, so the staff need to be aware.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 27, 2016
  7. Offline

    lx3krypticx

    Oh wow. They said they were going to remove it..
     
  8. Offline

    Ladinn

    Where does it say that?
     
  9. Offline

    lx3krypticx

    Hey uhh, this is awkward,
    I've already got my devs to take this out, but would you mind- for the greater good, taking out this backdoor? Thanks :confused: - TorreyLeonard
     
  10. Offline

    Ladinn

    Yea, that's me :3
    But I'm not 100% they're going to remove it. Most likely going to remove the comment.
     
  11. Offline

    codename_B

    I've tweeted about this now. Everyone please retweet!

    https://twitter.com/VladToBeHere/status/225581110824927232
     
  12. I'll check that out!
     
    codename_B and ZeusAllMighty11 like this.
  13. Offline

    codename_B

  14. Offline

    Squirzy

    So you found how they got in? Wasn't pretty logging in to see Legendary Craft's name on signs - gave me a headache.

    I'm glad I stopped using the plugin, hope everyone else does too.
     
  15. Offline

    slipcor

    Thanks for reporting (though in the wrong place) - contacting you :)

    Edit: The latest files do nothing malicious except changing player names. Still, this is under investigation atm
     
  16. Offline

    Ladinn

    Thanks :)

    Yea, actually Coelho alerted me of it... inadvertently.
     
  17. Offline

    Squirzy

    Anything to stop Legendary Craft getting more players ;)
     
  18. Offline

    warchicken

    This is quite sad, hope they get a proper punishment for this.

     
  19. Offline

    Ladinn

    Whether or not that's the backdoor or not, (as I've seen codename has deleted his Tweet prob from what slipcor said) someone got in through this plugin. I put the plugin into my server and only 12 hours later I'm hacked by, apparently, those very users. Then I was told that was the backdoor. It all adds up...

    Never mind, looks like this isn't the issue. Stupid Coelho is stupid.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 27, 2016
  20. Offline

    slipcor

    Well to close this case: I ask the dev to publicly announce this feature on his page :)

    Now we all can calm down ;)

    Good luck on finding your issue oO
     
  21. Offline

    Panderoon

    You do not have proof of someone in that list getting opped on your server.
     
  22. But it could have been an issue ;) So better report to be sure (next time via the report thingy^^).
     
  23. Offline

    Coelho

    Even so, at one point in time all of those names had to have been used for malicious deeds, probably before the plugin was released to the public. There is no way each and every one of them would be required to debug.

    I have to admit though, I didn't check references because I really CBA'ed to opening Eclipse. Just found the list and figured it had a malicious purpose.
     
  24. Offline

    chenr1

    So, is an action being taken against these people?
     
  25. Offline

    lx3krypticx

    What sort of 'action' can be put against them?
     
  26. Offline

    chenr1

    IDK, like a warning or something.
     
  27. Offline

    Double0negative

    First of all, I'd like to point out just exactly what this does, since there seems to be some confusion. All these names do is make these ppl's names a different color when they kill someone or get killed by someone, and it makes their names a different color on the lobby walls. This does not enable any sort of hacking/actual backdoors of any sort and to say this is just ridiculous. I have already had this discussion with bukkit dev staff, hence the warning at the bottom of the page. "Note: Devs of this plugin have custom colored names on the lobby signs"

    It does no such thing. Please get your facts straight before smearing someone's plugin. Maybe if you're "all good" at finding backdoors you should at least look at the rest of the code.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 27, 2016
  28. Offline

    Pimpin PSP

    This code does no such thing to op people. Like Double said, all it does is change these people's names to a different color. This was already discussed by the bukkit staff team. Please do not say your server was hacked due to this. That is a total lie. We've had no complaints of anyone getting hacked or griefed from that code. Get your facts straight.
     
  29. Offline

    ZachBora

    I should make all my plugins add "TheAmazing" in front of my name when I login to servers using them :p
     
  30. Offline

    evilmidget38

    Regardless of what exactly it does to specific accounts, it shouldn't. No plugin should modify how it acts for specific players. And no plugin should avoid mentioning this on their Bukkit Dev page, either.
     
    ZeusAllMighty11 likes this.
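
The question this thread turns on, what the hardcoded `auth` list is actually used for, is settled by tracing its references rather than by the list alone. As an added example (not part of the thread or the plugin's code), this Python triage pass over decompiled Java source reports every reference to a hardcoded name list and whether a privilege-changing Bukkit call sits within a few lines of it. The sample sources and the names `SAMPLE`, `find_name_lists` and `audit` are constructed for illustration, and line proximity is a heuristic, not data-flow analysis.

```python
import re

# Constructed sample (not the plugin's code): one cosmetic use, one hypothetical abuse.
SAMPLE = {
    "LobbySign.java": '''
public class LobbySign {
    public static List<String> auth = Arrays.asList(new String[] { "DevOne", "DevTwo" });
    String label(Player p) {
        if (auth.contains(p.getName())) { return ChatColor.GOLD + p.getName(); }
        return p.getName();
    }
}''',
    "JoinListener.java": '''
public class JoinListener {
    void onJoin(Player p) {
        if (LobbySign.auth.contains(p.getName())) {
            p.setOp(true);
        }
    }
}''',
}

# Bukkit calls that change privileges or run commands on the server's behalf.
SENSITIVE = re.compile(r"\.setOp\(\s*true\s*\)|dispatchCommand\(|addAttachment\(")
# A field or variable initialised from two or more string literals.
LIST_DECL = re.compile(
    r'(\w+)\s*=\s*Arrays\.asList\(\s*(?:new\s+String\[\]\s*\{)?\s*'
    r'((?:"[^"]*"\s*,\s*)+"[^"]*")', re.S)

def find_name_lists(sources):
    """Map identifier -> string literals for each hardcoded list declaration."""
    found = {}
    for text in sources.values():
        for m in LIST_DECL.finditer(text):
            found[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return found

def audit(sources, window=3):
    """Return (file, line_no, list_name, verdict) for every use of a name list."""
    results = []
    for name in find_name_lists(sources):
        use = re.compile(r"\b%s\b(?!\s*=)" % re.escape(name))  # skip the declaration
        for fname, text in sources.items():
            lines = text.splitlines()
            for i, line in enumerate(lines):
                if use.search(line):
                    nearby = "\n".join(lines[i:i + window + 1])
                    hit = SENSITIVE.search(nearby)
                    results.append((fname, i + 1, name, "privileged" if hit else "cosmetic-or-other"))
    return results
```

A "privileged" verdict marks a reference to read by hand first; a "cosmetic-or-other" verdict still means the plugin treats named accounts differently and the use should be read before it is dismissed.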