Hacking Plugin: Ban players when hacks detected

Discussion in 'Archived: Plugin Requests' started by aNeonGamer, Dec 3, 2012.

  1. Offline

    aNeonGamer

    Hey everyone!

    I have seen many servers who have a plugin that detects hacks from a player. The plugin they use was taken down from Bukkit, and is not available anymore :(

    What I basically need (and other people, too) is a plugin that bans players when a client mod is detected. I DO NOT NEED A PLUGIN TO STOP HACKING!

    I need a plugin that detects it, and bans player.

    ***IDEA*** Configurable ban time, ban message.

    Thank you so much for anyone who will take on the task of making this plugin, or anyone who can find a plugin like the one I have described!

    Thank you so much!
     
  2. Offline

    aviator14

    K, tell us the code that client hacks send to the server.

    oh wait...
     
    joshwenke and repsor like this.
  3. Offline

    skipperguy12

    ... Use NoCheatPlus.

    Also, get a couple of backup plugins, and you should be good to go.
     
    Codex Arcanum likes this.
  4. Offline

    SirTyler

    Other than what skipperguy suggested, you will find nothing to counter hacks. There is no way to detect what code the client has without a client mod itself (seems redundant doesn't it?) and even then someone can bypass whatever security measure you put in place. Simply put you can never be 100% safe, NoCheatPlus (DO NOT confuse with NoCheatPlusPlus if that still exists) and backup plugins are the closest thing you can get to security.
     
    MrBluebear3 likes this.
  5. Offline

    Muffin89

    Hey!
    If we lived in a world with pink trees and yellow rabbits and candy shaped cows. Then this request would be a perfect example on how a request should look like.

    You say you want:
    And this non-plugin should do the following:

    So first you don't want a plugin to stop hacking, but then you want a plugin that detects and bans player.
    The whole idea is based on the configurable ban time and ban message.
    Not trying to be rude :) I just found it a bit funny. Internet can be a scary place sometimes and to avoid scary comments in the future. Try to read the sticky threads in each individual forum.

    I'm not saying I'm perfect, just trying to help out a fellow bukkit member to adapt into the community.

    I would recommend you to look into this thread for plugin requests:
    http://forums.bukkit.org/threads/read-me-first-plugin-requests-guide.81209/
     
  6. Offline

    aNeonGamer

    Okay, so you are telling me that there is no way to detect hacking? And that the best I could go for is a plugin that completely stops your player from hacking?

    Thank you for this information.
     
  7. Offline

    Muffin89

    What he tells you is:
    You could make them run a stand-alone application that needs to be run before they join. So yes you could code your own anti-cheat application that goes side by side with minecraft. The other way is to go to http://plugins.bukkit.org and then search for anti-cheat plugins.

    Nocheatplus is one of them and its a very recommended anti-cheat plugin. It does not "see" all types of cheat, no. But they do their best to update their plugin with the latest exploits and do all in their power to block as much as possible. But there will always be cheaters, doesnt mather if you make your own anti-cheat application or plugin, people will always find a way around it.
     
  8. Offline

    Adriani6

    It's impossible to "Check if a player has a texture pack, mod, or hack installed."
    You can use NoCheatPlus or AntiCheat.
     
  9. Offline

    AndyMcB1

    I believe you can detect if a player has a texture pack.. sorry!!
     
  10. Offline

    Adriani6

  11. Offline

    CeramicTitan

  12. Offline

    aviator14

    At least when ModAPI is out the server can be told what plugins the client is running, but there's nothing to stop a person from modding their minecraft to lie about that, on top of real hacks which wouldn't even be downloadable as plugins.

    OMG YOU MEAN PEOPLE ARE ALLOWED TO LIE ON THE INTERNET?!


    Everyone has a texture pack, for most it's just referred to as 'default'.
     
  13. Offline

    zack6849


    Are you implying that its not possible for plugins to be malicious? because if so you're sadly mistaken.
    the list of things a plugin can do is huge, but to name a few simple ones.

    • give unwanted op
    • delete all your worlds
    • delete all plugins
    • if the coder is smart they could do many things that are worse, for example deleting the entire serve
    that's just to name a few.
    I wish plugins couldn't be malicious, and im sure many other people do too. bukkit even has a whole group of people to look through the code of every plugin release to make sure there isn't anything malicious in it


    even if you were talking about the un-released mod api, there will still be people making things like this. its unfortunate but true.
     
  14. Offline

    AndyMcB1

    http://dev.bukkit.org/server-mods/force-texture/

    This 'detects'
     
  15. Offline

    Adriani6

    How does it work?

    When the plugin is installed a server is started on port 5000 on a Thread, When you get sent a texture pack on login you send a request to the server and it reads your username. This is then securely marked and you are allowed to move.
     
  16. Offline

    Kiakaha

    Here are some other notable Cheat preventing plugins (you're never free of hacks but these all help stop those buggers)

    • OreBfuscator is one of the best things to stop xrayers. by scrambling the blocks they think they can see
    • Chestfix is to stop people using "Free cam" to loot chests they shouldnt even be able to get too
    • Anti Xray is a poor mans OreBfuscator. it limits ore mining over time to stop Xrayers from getting ahead
    • Chunkbreedlimit is to stop people from spawning so many sheep/cow/pigs that your server starts to lag
    I also recommend using "Spigot" craftbukkit fork because it stops a few other tricks that people can use to attack your server

    Another really effective anti cheating method is to use "Spout craft + Spoutplugin" and use the Force spout client option
    Only people using Spoutcraft can then join your server and there are either Far less or no hacked spoutcraft clients out there yet I don't know about that because i personally wouldnt touch a 3rd party modded client with a "carrot on a stick"

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 30, 2016
    Adriani6 likes this.
  17. Offline

    SirTyler

    There probably are hacked versions, but you are right in that there are probably less; its a double edged sword as you then force your entire sever population to download and use Spoutcraft to join, and unless you are using some of its features that seems like a useless requirement.
     
  18. Offline

    Kiakaha

    Luckily Spoutcraft is AWESOME
    and yeah i use it heavily, thats why i mentioned it. I personally use spoutcraft client even to play on other non spout servers (when not tinkering with my own)[/quote]
     
  19. Offline

    aviator14

    It's almost impossible for DBO plugins to be malicious without someone noticing, if server owners wait until updates are approved. The BukkitDev team can't check external links, and so it is very unwise to click those, especially on newer plugins.

    In the case of current client mods, everything legit should be found on the Minecraft Forums. If you found it somewhere else, you have no idea where it came from. If it doesn't have 89+ pages to look through, you don't know what it does people.

    It sounds like plugins made for the upcoming system will not be individually reviewed, but still they will develop a reputation from the people who use them.
     
  20. Offline

    aNeonGamer

    Is it possible not to detect the code, but to detect that players movements?

    What I mean is that if you can design a plugin that see's if a player is jumping 20 blocks high (detects the player is doing that) then bans him. Do you know what I mean....?
     
  21. Offline

    MyPictures

    Thats pretty easy to fake. The hacker can just send a fake packet to port 5000 and boom.


    There are already some hacks for spoutcraft out that just work fine. So spout is not really secure, it may stop "script-kids" but a real hacker can easy remove that spoutcraft "protection".

    NoCheatPlus, SafeGuard or AntiCheat do that.

    Anyways here some examples why we cant check the client for bad modifications/hacks:
    1. Privacy: Lets say you open your web browsers and go to www.google.com to search something. So would you like if Google checks your computer to see what you have installed on it? Or read all your private data and such? I guess NO.... (That's not possible anyways but just saying...)

    2. Lie: Lets say you ate something wrong and now you feel really sick so you cant go to your friends party but you really want to. So your friend calls you and asks: Hey. Are you good/healthy?

    So all what you have to say now is YES I am! and boom you can go to his party.

    Example for the client:
    Server asks client: Do you have hacks? | Client says: No I'm clean! | Servers lets client join. |

    Other example:
    Server says: Please send me your md5 checksum! | Client copys the md5 from the vanilla client and sends it to the server| Server allows the client so join | <-- Thats why checking for the md5 is useless.

    So you arrived now to your friends party and he sees that you are totally sick! So he sends you back home because he doesn't want the other guest to get sick because of you.

    Example for the client:
    So the client now joined the server, now it has to follow our rules and restrictions that we set with NoCheatPlus, SafeGuard, AntiCheat, .... If it tries to jump 20 blocks higher then NC+ will detect illegal behavior and take actions against that (configurable). For example: Kick, cancel, tempban, ban (I do not recommend banning that fast), ...
    So if the client doesn't want to follow our rules then we can take actions and send it back home (kick, tempban, ...).

    Tricking/Confusing: Lets say you have a Girlfriend but today you decided to meet up with an other hot girl but sadly your GF saw how you hold her hand and then she asks you: WTF DO YOU DO?
    So what you can do now is trying to trick/confuse her by telling her for example: Shes just my sister. Or: We are just friends. Or whatever you think would work ;P
    So maybe your GF lets you hanging out with her for a bit but as soon as you do something wrong/ go to far then she will freak out on you. (LOL what for an example ;P)

    Example for the client:
    So lets say the hacker doesn't want to get fall damage so he tells the server: I was always on ground (onGround=true) so I never fell down from this cliff! The server will say then: OK, fine no fall damage for you mister! (that wont work if you have NC+ installed :) ).

    Misunderstanding/False positives: So lets say you go to a car shop and ask the manager if you could lend a car to test drive it. He says: "Yea sure" and gives you the keys to drive but unfortunately he forgets to tell the boss that he gave you the keys to test drive. So the boss sees how you drive away with one of his awesome cars. He gets really pissed and calls the police to catch you now.
    So now the police has to decide if you really just did a test round or if you stole the car (as the boss says).
    Now the POLICE has to decide what will happen to you. They could send you to court, lock you in jail, give you a money punishment or whatever they want to.

    Boss=NC+, SG, AC, ...
    Police=You, Admin, Moderator, ...
    Example for the client:
    So NC+ thinks that one user is hacking and reported that user to you. Now you have to decide if that user really did some bad hacking or if he just lagged out and moved strange because of that lag (false positive).Now YOU decide now what should happen to that player. You could ban him, forgive him, temp-ban him or whatever you see as fair decision.

    I hope you understood that better now with this InRealLife examples. Its not possible to check the client for bad code but its possible to check its behavior it does on your server. So we basically can take actions against that if we really want to.
     
    firecopy likes this.

Share This Page