Solved Something is giving players the * permission

Hello

Recently my server is having various griefer attacks. A few players managed to get the wildcard permission and attempt to destroy everything, including regions etc.

I honestly have no clue how this could happen. They are new players, just joined. But it's extremely annoying.

Is this a new kind of hack or something? Or just a bug in a plugin? This is my plugin list:
BoatBug, BuyCraft, SpamGuard, Vault, IWarnYou, Multiverse-Core, TreeAssist, Speedwalks, DrugMeUp, Votifier, MobDisguise, bCombatLog, NoPortal, LagMeter, MultiInv, Minequery, WorldEdit, Towny, VanishNoPacket, LogBlockQuestioner, PermissionsEX, LogBlock, Questioner, Jail, MineBackup, Telepads, MCSL, MCCasino, BKCommonLib, mcbans, Lockette, ZacAutoMessager, NoCheat, LegendaryItems, Monstersbox, qQuests, MagicTorches, HeroBounty, SellSign, ServerSigns, CommandBook, VirtualChest, MobARena, ChatManager, BOSEconomy, Worldguard, PreciousStones, Factions, HomeSpawnPlus, Register, ChestShop

I also have my server set to online mode etc. I really have no clue here. If anyone knows anything more, that'd be great.

Does really no one have any idea? If it helps, none of my admins joined a server (session stealer)

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

It's still happening. We thought one of the admins was hacked, but even after we demoted him it keeps happening.

 

And still happening... We tried to solve it with so many ways, but we're really clueless now.

 

Shut down your server to ensure all permissions files are saved. Check through them for any users in groups or with perms they shouldn't have.

grep your logs for those users who got * to find out how they got it.

 

bPermissions doesn't allow you to use the * node, whereas PermissionsEX does. You probably set up your PermissionsEX incorrectly.

It seems to be a bug in your plugins, but most likely its an issue with how you set up your permissions.

I suggest using pastebin to post your permissions config.

 

mbaxter
I've already done that dozens of times, and they still keep popping up. But I'll try again.
TnT
My permissions file is rather big, I did an upload instead:
<Edit by Moderator: Redacted mediafire url>
(This was after I removed the * permissions from players that shouldn't have it)
And here's a pastebin of the config:
http://pastebin.com/6G06uy0w

EDIT: Also, it's not only the * permission they get. They can get pretty much any permission. Some have the permissions.manage.user.* for example instead of *

EDIT2: They always get their permissions via serversigns apparently. But I have no idea how they are able to set it up. And no, we didn't set up the sign.

Ok, so it's indeed something with ServerSigns. So, this is what the log says
2012-07-14 14:14:45 [INFO] [ServerSigns] execute Command: pex user RegisterPrime add *

2012-07-14 14:14:46 [INFO] Permission &amp;quot;*&amp;quot; added!

2012-07-14 14:14:46 [INFO] [ServerSigns] execute Command: pex user RegisterPrime remove *

Somehow they get the * permission, even if the plugin says it gets removed. I really have no idea how they still get the * permission then.

Ok, I'm getting really clueless here.
Whatever I do, they seem to be able to get the * permission or the ability to control the PEX permissions.

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

The obvious thing to do is remove that plugin.

The best thing to do, however, is not give players abilities to do what they are doing!

See this page: http://dev.bukkit.org/server-mods/serversigns/pages/permissions/

Giving out the * node is extremely dangerous. It is terrible practice to give out everything and restrict only what you don't want players to have. It is much better to give each individual node, and that node only.

 

Problem is, I never gave it out. The only players who have access to such a sign are my staff, and the sign is in a sealed room and even protected with a custom permission.

I also just removed the plugin and see what it gives.

 

Wait.

You created a sign to give players the * node?

 

[quote uid=90584474 name="Viperdream" post=1214095]---------My permissions file is rather big, I did an upload instead:
<Edit by Moderator: Redacted mediafire url>
-----------[/quote]

Ill look at your permisisons.yml however it is againt my personal ToS to download peoples permissions.yml.
Please post youre permissions.yml at pastie or pastebin.
Pastebin http://pastebin.com/
Pastie http://pastie.org/
Or at the code box Symbol {}#
and then link them here.

 

you could dympli remove the sign with that command

the default permissions for sv are that any user can use the sign

dympli= simply
sv=svs=serversigns

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

It gives them the * node for a millisecond or so, so it can run the command via that player.

But anyway, I just wiped all the files from ServerSigns, and now there doesn't seem to be a problem any more.
I'm still baffled how they got permission to make their own ServerSign though, and no they didn't gain it via the temporary grantpermission command.

I suppose it was due to the recent exploit at Mojang or a mistake by an Admin.

So, it's all good now