[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you login or need to login, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send it to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <your username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing. A malicious program designed to fool server admins into thinking their server is at risk, running to try it out and make sure they aren't. Then later finding their server has been attacked by someone with op because they know your username and password, and thus can op anyone they want on your server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down it spreading. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
     
  2. Offline

    Boomer

    In my experience, the people who need to read and understand this thread are the very people who never ever ever ever will find it -- how many people have host services that have one-click download for plugins, one-click install for bukkit versions, and to them that is the end-all and be-all extent of running the server, save for the part where they run around asking all their friends on skype or other servers "hey, what is the permission node I need for X plugin to work for builders?", even if instructed time and time again by folks like myself to always go to the website, to always look at the developer page, for special setup instructions, for permission nodes, to bookmark it... then a day later, they make the rounds again "hey, what permission nodes do I need for plugin Y to work?"

    To the people who only use the host provider one-click links to install and download, they'll never ever know what's here, what's available, what improvements are being made between versions, if there are important things for them to learn, or anything else. And they turn to other people to inform them of when their one-click button will now download the newer versions...

    And I would bet more than anything, the majority of these people get all their critical minecraft information from a video link a concerned and uninformed friend shows them - oo, see, someone can get ops on your server just like that! You should use the tester program shown in this other video link to see if you're vulnerable...

    I know a half dozen site operators who have repeatedly, repeatedly asked me 'what permission node do I need for x' and my answer is the same every time - 'find the dev site and read it through, then ask me for clarification', but instead they choose to use the precious seconds it takes to find the result to hunt out other friends who might directly tell them the answer. And I can guarantee that of those half dozen, probably only one of them knows of the bukkit website. They can't find plugins for themselves to do their own job, instead it's all 'ooh, I like that plugin you have doing something, what's the name of it, I'm going to install it' or 'send me a copy of your plugin folder plzzzzz'

    One-button-push downloads/installations and such... making it easier for them, but really... oh it is sooo not.
    It just drives them into further isolation from reality. Such as becoming a victim to this information, and furthering the viral nature of it, perhaps feeding into the 'I ran it, and sure enough, yeah, players were ops days later so it was correct in its prediction, so it must be true, stupid bukkit is at fault!'

    Unfortunately, there are weaknesses in systems even if the owner is a super-hardened, no-ops-for-anyone-even-me, whitelisted-with-only-a-dozen-trusted-family-friends type of server owner. I personally witnessed a case where a hosting company had been hit by a script kiddie impacting one vulnerable hardware node in their network, who managed to gain control panel access to the accounts hosted on that hardware unit, deopping all valid ops and creating their own list. Although it was caught very quickly, patched, corrected, and fortunately none of the servers were griefed other than banning all the real op names, this is one of those actual real cases where outsiders were able to gain ops.
    Would it apply to everyone? Of course not, as it was a vulnerability in the host system and not in bukkit, but it does require putting an asterisk on the "no one ever ever can get ops on your server unless you're foolish" hard line that is otherwise correct and truthful.
     
  3. Offline

    -_Husky_-

    yeah, pretty much.
     
  4. Offline

    eygptian

    Forgetting about hacking op and online and offline mode for a sec... isn't it to some degree illegal to use hacks that can be used as an advantage to ban and find IPs of others, and to take control over someone's server? If it isn't, it should at least be a violation in minecraft and there should be a hackers report forum. That would mean that other servers don't need to experience the hackers that have intervened with other servers, 'cause they'd be listed to everyone. Mcbans has the right idea with global bans that notify everyone. I think someone should just step in and remove the downloads for hacking clients like nodus and minecrafthacks. It causes enough trouble. Can't we have a report-hackers-on-bukkit type forum? I say this because bukkit is, I believe, the most commonly used server software and so should have a list of notable hackers that may take someone's server as their next target. If they ban their account before they decide to do that, then the hacking problems would disappear. Can someone tell me please how to check if my server is in online mode. It says it is in the properties folder, but yet those hackers are still getting op. Don't tell me this is impossible and not right, they've done it, and if they actually can't, then I need to see who's been betraying me. But as far as I know from the server log, they just came on, got op, and started destroying. I was away from the server at the time, and none of my staff were on, so it is partly my fault they did it, but I want people to join my server frequently, not just when I'm on my computer. Sorry for the long diary, lol.
     
  5. Offline

    black_ixx

  6. Offline

    sam501

    I don't want to get your feelings down but my friend, sadly he's a griefer, found a way to force op himself. It only works on some servers though...

    Beware of who you trust
     
  7. Offline

    jaboy

    "Can someone tell me please how to check if my server is online mode."
    when your server starts up ... look in the console (or the log) ... if it's offline ... there will be a warning


    "but yet those hackerS are still getting op"

    if they are more than one ... one of them could have tricked an admin to give him op .... and then he gives op to the rest

    your best bet is to open the minecraft folder, find the file "ops.txt" and delete everyone ....
    then slowly as your admins rejoin ... tell them that ... "under NO circumstances can you use the /op command" and then give them their op back
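
    The two checks jaboy describes (is the server really in online mode, and who is actually listed in ops.txt) can be done in a few lines rather than by eye. The script below is an added example, not code from this thread or from Bukkit; it assumes the file formats of the time (server.properties as Java key=value lines, ops.txt as one name per line) and the sample file contents are constructed for illustration, with names borrowed from later posts in this thread.

```python
"""Added example (not part of the thread or of Bukkit): audit server.properties
and ops.txt for the two things jaboy recommends checking.
Assumes: server.properties is a Java .properties file (key=value or key:value,
'#'/'!' comments) and ops.txt lists one player name per line."""

import re
from typing import Dict, Iterable, List

# Key up to the first '=', ':' or whitespace; optional separator; rest is value
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

FINDING_OFFLINE = (
    "online-mode is not true: anyone can log in under any name without authenticating"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a .properties file into a dict with lower-cased keys."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1).lower()] = m.group(2).strip()
    return props


def online_mode_enabled(props: Dict[str, str]) -> bool:
    """True only when online-mode is explicitly 'true'. The vanilla default is
    true, but a missing key is reported rather than silently trusted."""
    return props.get("online-mode", "").strip().lower() == "true"


def parse_ops(text: str) -> List[str]:
    """Names from ops.txt, lower-cased, ignoring blanks and '#' comments."""
    return [
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]


def unexpected_ops(ops_text: str, trusted: Iterable[str]) -> List[str]:
    """Entries in ops.txt that are not on the admin's own trusted list."""
    trusted_set = {name.lower() for name in trusted}
    return sorted(set(parse_ops(ops_text)) - trusted_set)


def audit(properties_text: str, ops_text: str, trusted: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: List[str] = []
    if not online_mode_enabled(parse_properties(properties_text)):
        findings.append(FINDING_OFFLINE)
    for name in unexpected_ops(ops_text, trusted):
        findings.append(f"unexpected op entry: {name}")
    return findings


# Constructed sample files (not real server data); names taken from this thread
SAMPLE_PROPERTIES = """#Minecraft server properties
level-name=world
online-mode=false
server-port=25565
"""
SAMPLE_OPS = """BluePhase
afeith
"""
TRUSTED_ADMINS = ["BluePhase"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_OPS, TRUSTED_ADMINS):
        print("FINDING:", finding)
```

    Run against the real files with `audit(open("server.properties").read(), open("ops.txt").read(), ["yourname"])`; anything it prints is either an offline-mode server or an op entry you did not put there yourself.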
     
  8. Offline

    black_ixx

    I created the plugin, a bukkitDev page and uploaded some files. Then they were approved, but since today there aren't files anymore and if I upload a new one, there's still no file. If I upload the same file again, it tells me that I already have this file
     
  9. Offline

    ZachBora

    That's interesting, maybe you should contact bukkitdev staff. Do you have an alternative link to your plugin?
     
  10. Offline

    black_ixx

    That's the link: http://dev.bukkit.org/server-mods/oneop/
    There are already 21 downloads but no files...
     
  11. Offline

    JohGoins

    What I like about this is that it's so weird.

    First off, I like how there are a lot of YouTube channels and videos about people getting hacked clients and griefing servers. At first it seems funny and fun, until they reach your server. Most "griefing" channels usually use a hacked client to give themselves op and be able to randomly change nearby blocks into lava, water, cobblestone, etc. I had this before, and it's not fun to solve. At first, they would try to convince you to keep letting them grief so more people come on your server, but actually they are calling other griefers to come on your server and blow it up. Here are some signs of griefers coming:
    • There is usually a scout, and the name seems normal; it is easy to tell because of all of the weird questions like "How do I get op?", "Is this a cracked server?", "What people are admin?" and they try to give the information to the griefing team so they can figure out how to hack your server.
    • An unusual amount of people coming on your server and trying to op themselves.
    • Lots of people saying "OP ME! OP ME!" (These are usually the griefers that are attracted)
    Another thing, some people host servers that are MEANT to be griefed, which is most of the time not their server, and people with hacked clients come in and destroy it. I keep seeing a lot of these, and I hate them as much as they are popular with griefers. Some other people like to go on servers or keep posting on the server thread "Ya know, I've been op on another popular server and could you op me? I could be a really big help! PLEASE? It's a popular server!" I keep seeing these, especially on planet minecraft. I keep reading a lot and seeing server owners being so stupid and oping them, regardless that they are hackers or griefers.

    Sorry to go off-topic for a moment, do you guys know about minecraftforfree.net? Someone needs to get a lawyer or someone to look at that, it's breaking some copyright laws I expect. Whenever some paid software is distributed for free, whoever does it usually puts "For educational purposes", which affects no one who uses it.
     
  12. Offline

    Jacek

    I'm more bothered by the people that sell hacked clients, one of the more popular ones recently made over £1000 in sales! At least the pirates aren't really making a profit from it.
     
  13. Offline

    JohnTheRipper

    The feds/police never investigate DDoS/DoS attacks unless they're aimed at providers, like the recent Constantinos crisis on LET. Good luck getting them to do anything without having full detailed dox, and a lot of time to kill. Also, you can't filter DDoS/DoS traffic if it's a UDP flood — you need to have upstream do it for you. However, for a few limited types of floods, you can deal with them with just IPtables and similar tools.

    Or better yet, don't use OP, just use permissions.

    Why? If you're using LogBlock or a similar block logging plugin, then you don't need to worry about this.

    There are a few notable exceptions to this.

    Yes, this is a very good point.

    ^ agreed. It's quite annoying.

    Yes and no. It depends on what you use.

    Minecraft is a sandbox game. Notch himself supported griefing afaik. You'd end up reporting innocent people, as most griefers use hacked accounts. I myself cracked around 1400 of them for personal use several months back, it's extremely easy to do if you know how.

    Debatable, but yes.

    And how do you propose to do that?

    Only for people that don't know how to run a server correctly.

    Same issue as I already discussed. Most griefers use hacked accounts.

    And how will this solve anything?

    Same issue with banning innocent people.

    Online-mode = true in server.properties.

    Bullshit. Without a plugin or hacked account, it's impossible.

    JavaSun claimed he made something like $2k-$3k off of Static, and I know there are other clients with massive sales. It's their code anyways though.
     
    tyzoid and Nathan C like this.
  14. Offline

    Jacek

    It's about 3% their code.
     
  15. Offline

    JohnTheRipper

    You'd be surprised how much they write. I still have an older unprotected version of it, and there's a lot of custom non-vanilla code in there. At any rate, the amount doesn't matter, the function does.
     
  16. Offline

    fugue2005


    seems legit
     
  17. Offline

    Jacek

    I get that so many times, "I review servers, can I fly plz" *sigh*
     
  18. Offline

    TnT Retired Staff

    I use the specially crafted "Ban" command for that. Works like a charm.
     
  19. Offline

    Jacek

    Me too usually :)
     
  20. Offline

    Stirlitz

    How's a Linux system on an internal network that's behind a router firewall?
     
  21. Offline

    JohGoins

    In the state of the minecraft community, I think its so messed up.
     
  22. Offline

    BluePhase

    Not saying this is wrong at all, but how can you explain this.... A guy joins my server and a message in the log says "afeith: OPPING afeith" but I read this post and wasn't too alarmed, but I wanted to see what he would be doing. I just let him roam around some more, and then strange things began happening. He was able to teleport to other members, OP others, and even ban them. The logblock overload is just him griefing like crazy with a client. He removed over 320k blocks in the main world alone.

    http://pastebin.com/kkSTK5et
     
  23. Offline

    TnT Retired Staff

    BluePhase
    Full server.log please - from start of the server until (and including) that point.
     
  24. Offline

    MuisYa

    My point of view:

    There are some 16 - ∞ people who are owning a server. Those are enjoying running the server, and thinking about what they do. If something like this happens they will do research about it, and if they can't find anything then they will post something on Bukkit.

    Though there are also some 0-11 year old kids who are hosting a server at home (or maybe with some money from their dad on a game server) in offline mode, OPing everyone who comes on. They don't know ANYTHING about HOW to set up permissions, or even about a config file.

    And that's where it goes wrong: when something is wrong with their server they will immediately start screaming at everything. For instance at Bukkit, that there are glitches in their systems etc etc. I think these kids just need to be ignored, and that no one here ever wastes time on their screams...

    Server behind router: Never do that on a public one.

    BluePhase Are you sure he actually was OP?

    When you ban someone:
    Code:
    2012-03-19 20:14:16 [INFO] [PLAYER_COMMAND] BluePhase: /ban afeith
    2012-03-19 20:14:16 [INFO] Reached end of stream
    2012-03-19 20:14:21 [INFO] Disconnecting afeith [/166.248.128.26:6981]: The Ban Hammer has spoken!
    
    When he tries to ban someone:
    Code:
    2012-03-19 20:13:12 [INFO] [PLAYER_COMMAND] afeith: /ban thedesstroier 
    Nothing actually happens when he tries to perform this command.

    Can he even teleport around?
    Code:
    2012-03-19 20:02:50 [INFO] [PLAYER_COMMAND] afeith: /tp richs
    2012-03-19 20:02:53 [INFO] <thedesstroier> sure what
    2012-03-19 20:02:58 [INFO] [PLAYER_COMMAND] afeith: /tp richs302
    
    Since he is tping 2 times in 8 seconds to the same person, it seems like it's not working?


    Though it seems like he is able to OP other players...
    Code:
    2012-03-19 20:07:56 [INFO] [PLAYER_COMMAND] thedesstroier: /tpaccept 
    2012-03-19 20:07:56 [WARNING] thedesstroier was denied access to command.
    2012-03-19 20:08:03 [INFO] <thedesstroier> i cant accept :)
    2012-03-19 20:08:09 [INFO] <thedesstroier> :(
    2012-03-19 20:08:12 [INFO] <thedesstroier> *
    2012-03-19 20:08:14 [INFO] afeith: Opping thedesstroier
    2012-03-19 20:08:20 [INFO] [PLAYER_COMMAND] thedesstroier: /tpaccept 
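
    The reading MuisYa does above by hand (who ran which command, which commands were denied, and who opped whom) is exactly what a small log parser can do over a whole server.log. The script below is an added example, not code from this thread or from Bukkit. It assumes the CraftBukkit log layout visible in the quoted excerpts ("YYYY-MM-DD HH:MM:SS [LEVEL] message", "[PLAYER_COMMAND] name: /cmd", "name: Opping other", "name was denied access to command."); the sample log is constructed from those excerpts plus the "afeith: OPPING afeith" line BluePhase reported, with a made-up timestamp for that first line.

```python
"""Added example (not part of the thread or of Bukkit): find op grants, follow
the chain of who opped whom, and pair 'denied access' warnings with the command
that triggered them, from server.log lines in the format quoted above."""

import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
OP_RE = re.compile(r"^(\S+): Opping (\S+)$", re.IGNORECASE)  # "afeith: OPPING afeith"
CMD_RE = re.compile(r"^\[PLAYER_COMMAND\] (\S+): (/\S+)")
DENIED_RE = re.compile(r"^(\S+) was denied access to command\.$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one log line into (timestamp, level, message); None for lines that
    do not fit the layout (stack traces, wrapped chat, etc.)."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def op_grants(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Every 'X: Opping Y' event as (timestamp, granter, grantee)."""
    grants: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        m = OP_RE.match(msg)
        if m:
            grants.append((ts, m.group(1), m.group(2)))
    return grants


def op_spread(lines: Iterable[str], trusted: Iterable[str]) -> List[str]:
    """Players whose op did not come from a trusted admin, following the chain:
    an untrusted or already-tainted granter taints everyone they op.
    If console op grants show up in your log in the same 'X: Opping Y' form
    (assumption, not shown in the thread), put that console name in `trusted`."""
    trusted_set = {t.lower() for t in trusted}
    tainted: Set[str] = set()
    for _ts, granter, grantee in op_grants(lines):
        g = granter.lower()
        if g not in trusted_set or g in tainted:
            tainted.add(grantee.lower())
    return sorted(tainted)


def denied_commands(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Pair each 'X was denied access to command.' warning with the command X
    issued most recently (the warning itself does not name the command).
    Returns (timestamp, player, command); '?' when no prior command was seen."""
    last_cmd: Dict[str, str] = {}
    denied: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        m = CMD_RE.match(msg)
        if m:
            last_cmd[m.group(1)] = m.group(2)
            continue
        m = DENIED_RE.match(msg)
        if m:
            denied.append((ts, m.group(1), last_cmd.get(m.group(1), "?")))
    return denied


# Constructed sample log: excerpts quoted in this thread plus one made-up first line
SAMPLE_LOG = """
2012-03-19 19:55:01 [INFO] afeith: OPPING afeith
2012-03-19 20:02:50 [INFO] [PLAYER_COMMAND] afeith: /tp richs
2012-03-19 20:02:58 [INFO] [PLAYER_COMMAND] afeith: /tp richs302
2012-03-19 20:07:56 [INFO] [PLAYER_COMMAND] thedesstroier: /tpaccept
2012-03-19 20:07:56 [WARNING] thedesstroier was denied access to command.
2012-03-19 20:08:14 [INFO] afeith: Opping thedesstroier
2012-03-19 20:08:20 [INFO] [PLAYER_COMMAND] thedesstroier: /tpaccept
2012-03-19 20:13:12 [INFO] [PLAYER_COMMAND] afeith: /ban thedesstroier
2012-03-19 20:14:16 [INFO] [PLAYER_COMMAND] BluePhase: /ban afeith
2012-03-19 20:14:16 [INFO] Reached end of stream
""".strip().splitlines()
TRUSTED_ADMINS = ["BluePhase"]  # the server owner in BluePhase's post

if __name__ == "__main__":
    for ts, granter, grantee in op_grants(SAMPLE_LOG):
        print(f"{ts} op grant: {granter} -> {grantee}")
    print("op without a trusted source:", op_spread(SAMPLE_LOG, TRUSTED_ADMINS))
    print("denied commands:", denied_commands(SAMPLE_LOG))
```

    Feed it the full server.log TnT asked for and the `op_spread` result is the list of names whose op never traces back to you; that is what to clear from ops.txt before handing op back out.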
    
     
  25. Offline

    fugue2005

    I don't ban, I have a special permissions group for them, it allows people to ridicule them until they leave by themselves.
    They only have one chat channel they can speak in and it's not the default one, they can't break or build and they can't damage players or mobs and they can't use items. Normal players however can freely harm them.
     
  26. Are you insane? You should always have a router between you and the internet. Running without a hardware firewall is senseless because the hardware firewall can filter out most of the predictable garbage automatically.
     
    hammale likes this.
  27. Offline

    andrewpo

    What?!
     
  28. Offline

    MuisYa

    Seems like I understood that wrong, haha. Well I heard that from a guy who was hosting at home that it was better if you wouldn't have a router in between... Whatever :3
    Moral of the story: ALWAYS CHECK YOUR SOURCE.
     
  29. Offline

    TnT Retired Staff

    It is easier - but not better. Easier because you don't need to port forward at your router. Worse because you lose that one layer of security.
     
  30. Offline

    unimatrix Bukkit Sponsor

    lol serious? People believe those videos? If they do then they deserve everything coming to them
     
  31. Offline

    maces006

    I would never download files or plugins from video links unless it goes to the official bukkit website, but even then I'd still usually type in the bukkit address myself. I think if people are going to host servers they should also ensure that they have a good firewall (I myself use the Panda Anti Virus Firewall). But I have also had my fair share of people who join my server and ask to be op, and I never op people I don't know.
    I have also recently banned someone from my server who was using a hacked client which allowed this person to fly (even though fly was set to false) and this person was also able to break blocks very fast using a wooden pickaxe (I had no plugins installed, and this person was not an op); also my server is always in online mode.
     