Hacked on 1.3.1 r 2.0

Discussion in 'Bukkit Help' started by Dyskmaster, Sep 1, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    Dyskmaster

    Okay, so my server just suffered from a VERY terrible hack by some group who I think call themselves "proxy". I host my server on beastnode.com and was wondering if there was some sort of op hack for 1.3.1 v 2.0 that they may have used. I very much hope that this is it because the alternative would have meant they attacked my server host directly (I have changed my password from a mobile device that cannot be tracked, in case they got that) because I know they didn't get any of my admins' or my own Minecraft accounts. The thing with them was that they logged in over 100 people (I am restricted to 40 slots on my host, so idk how they did that) and, from the reports I got from my admins and players before I could get on, they all managed to op themselves, but, like, in a flower pattern (1 guy opped himself from himself, and then he opped another guy, they both opped someone, and so on and so forth) until about 50 of them were opped. I then promptly stopped the server, banned everyone on the op list, and removed every name from there, but before I could finish this, they had started the server back up. They managed to erase my entire ban list, and even, for some reason, put themselves on the whitelist. The problem is, I feel that this was my server host's fault mainly because they could remotely start the server, which is not something Bukkit is capable of to my knowledge. I ended up deleting the start.sh file, which is the only way to start the server (from my knowledge) and, this time, the server remained off. Idk how they did all this, but it was quite a traumatic experience for me and my players. We are not a commercial or big server in any way and we like to keep everything communal. I am extremely glad to say that I backed up the server only days before the attack (full backup) so, even after they somehow deleted all my server files sans the ones needed to run, I had something to work off of.
    Can anyone tell me what I did wrong and how I can prevent such an attack in the future and, if it's Bukkit's fault, if there's a workaround that works yet?
    If you read all this, I thank you for your patience and time as at the time of writing, I am a bit shaken up. Cheers and thanks for any help in advance,
    Dyskmaster.
    PS: They also once got past the whitelist even after I removed their names from it, which confused me greatly, but was my first cue that it might be an attack on my server directly through my host. The strangest thing was, they never added their names to the whitelist, but they got on anyway... HOW IS THAT POSSIBLE? And how can something like that be prevented?
     
  2. Offline

    JOPHESTUS

    Do you have nocheat+?
    If so, please upload it somewhere for me to look at the code.
     
  3. Offline

    Omnitv

    Wall o' text.
    Please provide the server.properties file.
     
  4. Offline

    np98765

    Yes, upload your NoCheatPlus plugin and your server.properties... Two different possibilities. :3
     
  5. Offline

    Dyskmaster

    I managed to download an extra copy of the server files DURING the attack (everything but the maps, actually) so I can provide you with that stuff. The problem is, I never configured nocheat+ as very few ppl cheated with it and we almost always have an admin/moderator online to watch the newbies. Here's my server.properties file though. I had to change it to .txt as it wouldn't upload otherwise. Thanks for the quick responses.
     


  6. Offline

    Omnitv

    I see nuthin.
     
  7. Offline

    JOPHESTUS

    Use pastebin.com; uploads don't work. The reason why we want to see your nocheat+ is because there is a malicious version that contains code so people can op themselves. Make sure you only download from bukkitdev. Upload your nocheat+ to mediafire.
     
  8. Offline

    Dyskmaster

    I don't have nocheat+ and am now convinced it was a brute-force attack on my server host (you know, where they spam every possible password combo till they get it right) that caused them to gain access to the FTP server. Also, I have learned my lesson on downloading anything that isn't from bukkit dev, so thanks for the concern.

    Also, you may close this thread as I think I have found the reason I was hacked (the server host).
    Thanks to all of you for your help, and I will make sure to never download a plugin from outside of bukkit dev.
     
  9. Offline

    astroskillz

    Do you have online-mode=true ?
     
  10. Offline

    jjacobson

    Same thing happened to me! I'm on beastnode too. They got onto my console and deleted everything. :L
     
  11. Offline

    Dyskmaster

    Online mode is always set to true for me. I hear horror stories otherwise. And I'm switching hosts as this isn't the first time I've heard they've been hacked (including the poster above me). Thanks again, and how do I close a thread?
     
  12. Offline

    Bertware

    By reporting this thread and asking for closure, or tagging a mod.
    However, in the help section, you can set the thread to "solved", somewhere in the thread options.
     
  13. Offline

    WayGroovy
