Inactive [SEC] NoCheat v3.5.0 [CB 1.2.4 R1.0][ABANDONED]

Discussion in 'Inactive/Unsupported Plugins' started by Evenprime, Feb 15, 2011.

  1. Offline

    Evenprime

  2. Offline

    Evenprime

    Because I can reach a lot of people here:

    Do not login to any MC servers that you don't fully trust, as it is currently possible for the owner of that server to steal your session and use it to log into another server.

    E.g. if you are admin on one server, and someone you don't know invites you onto their server (and you actually log into that server), they are able to log into your server (or any other server) with your username without you noticing. This is possible without them knowing your password (and they don't need it anyway for that) and they can connect to "online-mode=true" servers.

    To be safe, add an additional line of defense like AuthX and make sure it's active for all "important" players (admins, mods).
     
  3. Offline

    Evenprime

  4. Offline

    APhilosopher

    Thank you very much for alerting me to this issue. I was not aware of it and will now no longer log onto any servers other than my own.

    Can you tell me please how I will know when this issue has been resolved? Where do I look? Will it require an MC update? Or will it be in the Bukkit updates? Where do I keep my eyes peeled for the fix to this?
     
  5. Offline

    Evenprime

    If at all, it has to be fixed by Mojang/Minecraft by changing how authentication in Minecraft works. So it will definitely take at least an update of Minecraft itself. I have no idea when (or if at all) they'll fix the problem.
     
  6. Offline

    Orange1Riot

    does this stop the mod nodus?
     
  7. Offline

    Jacek

    Is it even possible to fix? From what I can tell, the hacker server acts as a client connecting to the server they want OP on, which I guess could be fixed by making the serverhash somehow based on the server's IP; then minecraft.net could generate the hash based on the IP the request came from and see if they match up. But it would always be possible for the server to act as a proxy to the actual server, just adding an extra chat packet, would it not?
     
  8. Offline

    Evenprime

    I've suggested a simple fix for the problem in a bug report which would require only very few changes to server, client and Minecraft's authentication servers. This is what I'd propose:

    Current broken system:

    Server -> Client : "hash" value
    Client -> Minecraft.net: "username" + "hash" value
    Server -> Minecraft.net: Does "username" + "hash" value exist? Yes = allow login

    Fixed system:

    Server -> Client : "hash" value
    Client -> Minecraft.net: "username" + "hash" value + "server hostname : port" (that the client is currently connected to)
    Server -> Minecraft.net: Tell me "server hostname : port" that is stored for "username" + "hash". Is it really my own? Yes = allow login

    Because servers usually know or can find out (automatically) what their public IP is and how players can connect to them, the server would be able to decide if the client has been misled by an attacker. If the attack happens, the "server hostname : port" would be those of the attacker instead of the Server, therefore the server would not accept the login. Because only the server decides if and how it uses that additional bit of information, no flexibility in server setup is lost (server owners could decide to run without that additional security, or make exceptions etc.). Also minecraft.net wouldn't need to do any additional work besides storing the hostname : port info in addition to the hash-value. And the Minecraft protocol wouldn't need any changes at all (Packet1Login and Packet2Handshake stay the same).
     
  9. Offline

    Jacek

    Client -> Attacker: hi :)
    Attacker -> Server: hi :)
    Server -> Attacker : "hash" value
    Client -> Minecraft.net: "username" + "hash" value + "server hostname : port" (hostname of the attacker's server (the one they actually connected to))
    Attacker -> Minecraft.net: "username" + "hash" value + "server hostname : port" (hostname of the actual server, to Minecraft.net this just looks like the player gave up and joined another server)
    Server -> Minecraft.net: Tell me "server hostname : port" that is stored for "username" + "hash". Is it really my own? Yes = allow login (Still returns yes because the attacker told minecraft.net that the admin just joined the server)

    no ?

    OH ! Client -> Minecraft.net requires a valid session ID. Ignore me ;)

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jul 18, 2016
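
The current and proposed login checks from the two posts above, modeled in memory as an added example that is not part of the original thread. The class names, username and hostnames are constructed for illustration and do not reproduce Minecraft's real protocol or API.

```python
import secrets

class AuthService:
    """Toy stand-in for Minecraft.net session checks (constructed for this example)."""
    def __init__(self):
        self.sessions = {}  # session ID -> username
        self.joins = {}     # (username, hash) -> "hostname:port" reported by the client

    def login(self, username):
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def join(self, sid, username, server_hash, endpoint):
        # Client -> Minecraft.net: only a valid session ID may record a join.
        if self.sessions.get(sid) != username:
            return False
        self.joins[(username, server_hash)] = endpoint
        return True

class GameServer:
    def __init__(self, auth, endpoint, check_endpoint):
        self.auth, self.endpoint, self.check_endpoint = auth, endpoint, check_endpoint

    def accept(self, username, server_hash):
        stored = self.auth.joins.get((username, server_hash))
        if stored is None:
            return False
        # Current system: the record existing is enough. Fixed system: it must be mine.
        return stored == self.endpoint if self.check_endpoint else True

def relayed_login(check_endpoint):
    """Client joins an untrusted server that passes on the real server's hash."""
    auth = AuthService()
    real = GameServer(auth, "play.example.org:25565", check_endpoint)
    sid = auth.login("admin")
    relayed_hash = secrets.token_hex(8)  # issued by `real`, forwarded to the client
    # The client reports the endpoint it is actually connected to.
    auth.join(sid, "admin", relayed_hash, "untrusted.example.net:25565")
    # Overwriting that record needs the client's session ID, so this is refused.
    overwrite_ok = auth.join("not-a-session", "admin", relayed_hash, real.endpoint)
    return real.accept("admin", relayed_hash), overwrite_ok

def direct_login(check_endpoint):
    """Client connects straight to the real server; login must still succeed."""
    auth = AuthService()
    real = GameServer(auth, "play.example.org:25565", check_endpoint)
    sid = auth.login("admin")
    server_hash = secrets.token_hex(8)
    auth.join(sid, "admin", server_hash, real.endpoint)
    return real.accept("admin", server_hash)
```

With `check_endpoint=False` the relayed hash is accepted because a matching record exists; with `check_endpoint=True` the stored endpoint is not the server's own and the login is refused, while a direct connection is accepted in both modes.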
  10. Offline

    jycs

    1.2.5 compatible ?
     
  11. Offline

    Jacek

    You could find out by trying it :D
     
  12. Offline

    jycs

    I worry about compatibility problems of the plugins of my server.
     
  13. Offline

    Jacek

    That's pretty obvious ;) Set up a local server to test with :D
     
  14. Offline

    jycs

    We have 2 // local installation ;)
     
  15. Offline

    Sayshal

    So test it..
     
  16. Offline

    jycs

    a compatibility problem can cause an error anytime! -_-
     
  17. Offline

    Sayshal

    Test it.
     
  18. Offline

    Jacek

    If you want to be that cautious then you will have to test it with the plugins that you use. I can tell you that it works fine on my server but nothing about yours.
     
  19. Offline

    Sparten368

    Does this prevent Nodus hackers? Only asking because I have been using it and when it detects a hack it does not try to stop it. Or maybe it stops the player from doing that, but I would not know because I am an admin with override controls.
    Also, how do I make it so that when someone starts to hack and NC detects it, it kicks the player? If possible.
     
  20. Offline

    spunkiie

  21. Offline

    Evenprime

    This is my last post here. Goodbye everyone.

    Read this for more info: NoCheat
     
  22. Offline

    C0nsole

    Evenprime
    Maybe you should put a link to NoCheat+ in the OP as the last thing you do here :p
     
  23. Offline

    HiddenSniper13

    Yo Bro, Bro Hoof /)(\
     
  24. Offline

    monir

    It still works, but when will it break? In 1.3?
     
  25. Offline

    coolfire8888

    Nice plugin, no doubt I'm using this on my server [diamond]
     
  26. Offline

    djmaster329

    Plugin is broken in 1.3.1:
    Code:
    [SEVERE] Error occurred while enabling NoCheat v3.5.0 (Is it up to date?)
    java.lang.VerifyError: (class: cc/co/evenprime/bukkit/nocheat/checks/chat/ChatCheckListener, method: commandPreprocess signature: (Lorg/bukkit/event/player/PlayerCommandPreprocessEvent;)V) Incompatible argument to function
    at cc.co.evenprime.bukkit.nocheat.NoCheat.onEnable(NoCheat.java:90)
    at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:217)
    at org.bukkit.plugin.java.JavaPluginLoader.enablePlugin(JavaPluginLoader.java:365)
    at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:381)
    at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:265)
    at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:247)
    at net.minecraft.server.MinecraftServer.i(MinecraftServer.java:296)
    at net.minecraft.server.MinecraftServer.d(MinecraftServer.java:275)
    at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:225)
    at net.minecraft.server.DedicatedServer.init(DedicatedServer.java:140)
    at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:380)
    at net.minecraft.server.ThreadServerApplication.run(SourceFile:539)
    
     
  27. Offline

    Pythros


    Per the DBO page (http://dev.bukkit.org/server-mods/nocheat/) NoCheat is inactive. There are a couple replacements posted there, NoCheat+ and AntiCheat. Also, on that page, md_5 did do a quick update to NoCheat for 1.3.
     
  28. Offline

    bikboii

    My error:
    Suggestions?
     
  29. Offline

    Pythros


    Read my post before yours.
     
  30. Offline

    bikboii

    I just switched to NoCheatPlus - works perfectly.
     
  31. Offline

    dsbizz

    How come it doesn't work on my server? NoCheatPlus doesn't work, or regular NoCheat. Please help!!!!!!!
     
