[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1.

    EvilSeph

    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you log in or need to log in, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send them to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <your username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing: a malicious program designed to fool server admins into thinking their server is at risk, so that they run it to try it out and make sure it isn't. They then later find their server has been attacked by someone with op, because that person knows their username and password and thus can op anyone they want on the server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down its spread. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
     
  2.

    Bluehog

    Security 101 People

    1) Only use the official Minecraft Client unless you really trust it (I tend to trust SpoutCraft as well)

    2) Use only mods/external programs you 100% trust

    3) NEVER believe the e-mails/videos claiming to increase your security.

    4) If you have ANY doubt of your account's security, change the password.

    5) Change your password on a regular basis.

    6) Run in ONLINE mode always

    7) Be EXTREMELY careful about who you give op/permissions to. Social Griefers make themselves seem nice then backstab once they have power.

    8) When in doubt, use your console to /deop anyone you suspect of foul play

    9) Only use approved plugins from Bukkit.

    10) When someone is new to the server NEVER op them unless you know them personally. Regardless of the reasons they give.


    People who seem nice can be very malicious. We have had people several times join and ask for op, some claiming to be doing server promos. We send them a fake "You are now Opped" message from the console, and watch the commands they enter. The commands they tried to enter have ranged from banning the admins to spawning thousands of TNT to stopping the server to opping other new players who suddenly show up. And this is why we didn't actually give them op.
     
  3.

    jaboy

    11. Check your ops.txt to see that only the players you have given op to are on it.
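
An added example, not part of any post in this thread: a small audit that combines the two checks recommended above, that the server runs in online mode and that ops.txt lists only the players the owner opped. It assumes the `online-mode` key in `server.properties` and an ops.txt with one player name per line; the sample data and the approved list are constructed.

```python
import sys
from pathlib import Path

def parse_properties(text):
    """Parse key=value pairs from server.properties text, ignoring comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_ops(text):
    """Assumed ops.txt layout: one player name per line. Names are lowercased."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}

def audit(properties_text, ops_text, approved_ops):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    mode = parse_properties(properties_text).get("online-mode")
    if mode is None:
        findings.append("online-mode is missing: set online-mode=true explicitly")
    elif mode.lower() != "true":
        findings.append(f"online-mode={mode}: logins are not verified, usernames can be spoofed")
    approved = {name.lower() for name in approved_ops}
    for name in sorted(parse_ops(ops_text) - approved):
        findings.append(f"unexpected op: {name} (deop from the console, then change passwords)")
    return findings

# Constructed sample data, not taken from any real server.
SAMPLE_PROPERTIES = "#Minecraft server properties\nserver-port=25565\nonline-mode=false\n"
SAMPLE_OPS = "Alice\nbob\nnot_an_admin\n"
APPROVED = ["alice", "Bob"]  # hypothetical list of players the owner opped

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: audit.py <server directory> <approved op> ...
        root = Path(sys.argv[1])
        result = audit((root / "server.properties").read_text(),
                       (root / "ops.txt").read_text(), sys.argv[2:])
    else:
        result = audit(SAMPLE_PROPERTIES, SAMPLE_OPS, APPROVED)
    print("\n".join(result) or "OK: online-mode=true and ops.txt matches the approved list")
    sys.exit(1 if result else 0)
```

The non-zero exit status on any finding lets the check run from a scheduled job that alerts the owner.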
     
  4.

    Tanite

    Most kids that grew up with the Internet have never really learned to fear it properly.
     
    jtjj222, Don Redhorse and Jacek like this.
  5.

    eygptian

    My server has recently had a huge court built to settle differences between people fairly, with statements, server log evidence given and any other information the jury of admins should know about. This seems to be a big target for griefers and proclaimed 'hackers'. Also, people that get angry over not being opped or people who aren't treated up to their expectations. Does anyone else get people thinking admins should have to help them with every single thing they do? If some of the people get a response like "I'm busy, I'll help you later", a usual reply is "I'm going to report you to planetminecraft, and they'll shut your server down". I don't think they realise how much of a lie this is, because they can't shut your server down, not without hacking it at least, and with not a lot of evidence or anything, they can't take the word of someone who's probably a cocky 10 year old. I'm not sure why anyone would believe this; if you own a server, surely they'd think the owner must know something about computers, as port forwarding and configuring your router would be enough of a clue to tell you shutting a server down would be very complex, if possible. I'm just seeing if anyone else gets this. Do you think I should ban people, especially those who don't come on the server very often, for giving this threat? Because it does get annoying.

    People also claim, if they've been jailed, that they're going to use their hacked client to op themselves, then grief everything. At that point, I tell them thank you for making a confession about trying to hack my server, then I tell them that my computer technician will say thank you as well, for giving him the information required to report them. I'm only trying to scare them with this, like they're trying to scare me with hacking. They then try and say it was only a joke, don't get the police involved, then I sit back and laugh. Lol, anyone else use this trick?
     
  6.

    BluePhase

    I am absolutely sure he was OPP'd. I checked the OP.txt file and he was in there. Which concludes that it is possible for them to OP themselves. I'd rather not post my full log, TnT; it stretches before February at least. And I have noticed a large increase in the amount of whiny hackers there are on my server. Not to mention my server is posted on 3 grief websites including MineGrief, Griefit, and HACKFORUMS... I mean come on now. It's getting a bit ridiculous that these things are happening. I don't advertise my server at all, and all we get is about 15-20 people per day that we ban because of a grief attempt. It's just outrageous.
     
  7.

    Jacek

    Only if they know the password of an OP. Remove all your OPs and change your password :)

    Instead of moaning about it do something to stop them. I had the same problem on my server and found that the people that came on from those sites were really dumb and didn't bother to check /pl. So I wrote AutoMod and all was well :D
     
  8.

    sam501

    I seriously disagree, it's called unsecure hosts.
    Have you recognized hosts never promise 100% security?
     
  9.

    Jacek

    Because silly admins set the passwords to "minecraft" ;)
     
  10.

    sam501

    It's quite funny actually.. Cause my friend has force opped himself on popular servers :p
     
  11.

    Jacek

    Bet he can't do it on mine ;) The lesson is not to use a server that other people have access to.
     
  12.

    sam501

    I'd say the solution is get "Nocheat" and some packet watcher thingy even though nocheat does that.
     
  13.

    JohnTheRipper

    That's why you rent a VPS or dedi and set it up yourself to ensure maximum security.
     
  14.

    LinkterSHD

    Thanks for the tutorial, but why not just remove the OP function through permissions?
     
  15.

    Don Redhorse

    Far better would be a default config in bukkit.yml, opmode=off, which disables OP completely.

    OP together with the * permission is something I never understood from an IT admin point of view; you use it because you are lazy, have no clue what you do, or... don't know any other valid reason.

    If you run a small private server, whitelist it and use online mode... if you don't do that, it is your own fault if you don't use permissions and other plugins which help you against griefers.

    And big servers should use nocheat, antiguest, online mode and permission from the start... if you don't like that well...
     
    tyzoid and MuisYa like this.
  16.

    LinkterSHD

    If you disable it, could you still op people from the OP TXT file?
     
  17.

    Don Redhorse

    nope.. it would disable op completely.. only permission would work... BUT.. wishful thinking..
     
  18.

    Rich Boos

     
  19.

    Lolmewn

    I've got a feeling.
    Too much blah, and too little Minecraft.

    Something like this never happened to me :)
     
  20.

    sekjun9878

    Guys Please!!!! Our server has been hacked as well. And he was on Get Promoted To User Status permission. How is this possible???? We are both High schoolers (16+) and we are tech-savvy and I have no idea how he was able to do it!
     
  21.

    TnT

    Post the full server.log please.

    Why do people always post this without providing any evidence or proof to back up the claims?
     
  22.

    eygptian

    Lol, anyone?
     
  23.

    Lynxdragon

    When I had a server, this is generally what happened:
    Code:
    Noob: Can I have OP?
    Lynx: No.
    Noob: Give me OP or ill hack you.
    Lynx: Really, How do you plan to do that?
    Noob: I have a hacked clinet.
    Lynx: Really, Well I have your IP Address.
    Noob: No you don't its hidden!
    Lynx: Really... Its 202.168.51.92
    Noob: What? Doesn't matter you cant do anything im going to hack you!
    At this point, I roll a dice! Number on the dice corresponds to my answer.
    Code:
    [1] Lynx: Well, I could DDoS you with your IP address and break your modem and internet connection.
    Lynx: I don't think you could hack me without internet.
    Noob leaves the game.
     
    [2] Lynx: Well, I could contact your ISP and report you as threatening to hack me.
    Lynx: They would cut off your internet, and you wouldnt be able to get internet under your own name ever again.
    Noob leaves the game.
     
    [3] Lynx: Hmm, Well I could trace your IP. How do you feel about me knowing where you live?
    Lynx: Think about all the things I could do.
    Noob leaves the game.
     
    [4] Lynx: Well, I could just add your IP to my firewall.
    Lynx: Then you wouldn't be able to connect from any account on that internet connection.
    Noob leaves the game.
     
    [5] Lynx: Well, With your IP address I could trace you and find out your Name, Address and ISP.
    Lynx: I could then report you to the authorities, And tell then your trying to illegally gain access to my data.
    Lynx: Data theft is a serious offence, 20,000$ Fine and up to 5 years in jail. Aswell as loss of your computer.
    Noob leaves the game.
     
    [6] Lynx: Well, I could give Chuck Norris your IP Address. And he could send you a kick in the face.
    Lynx: Speaking of kick in the face, here is one now!
    Lynx: /Kick Noob From Chuck Norris.
    Noob leaves the game.
    Noob joins the game.
    Lynx: /Kick Noob That's the recoil from the Chuck Norris kick.
    Noob leaves the game.
    Noob joins the game.
    Lynx: /mute Noob
    Noob is now muted.
    Lynx: Seems Chuck Norris broke your jaw with that kick. I guess you can't talk. Better get that looked at!
    Noob leaves the game.
    So yeah... generally what happens. That or I just troll them till they're boring. If you use CommandHelper with the Chatas script, you can also make them say things and make them embarrass themselves. Highly recommend it.

    After that I roll another dice. If I get 1-5 I ban them. If I get 6, I ban them.
     
  24.

    TheVarmari

    Lynxdragon
    Literally, man.
    You just made my day.

    (I would also permban their ip from any website you own and block them on YouTube. This works VERY well, if they're your fans and love your videos but don't know that you're their idol :p)
     
    Lynxdragon likes this.
  25.

    eygptian

    I almost feel sorry for hackers. They spend so long destroying, then when I use my regular backups to restore the map, it gets rid of all their hard work. Lol.
     
    afistofirony likes this.
  26.

    TheMoose

    This is why I like Administrative plugins that allow you to roll back the damage ;).
     
  27.

    Lynxdragon

    No problem, dude. Griefers are fun, keep it that way. They're our entertainment, we're not theirs.
     
  28.

    TheVarmari

    Lynxdragon
    Entertainment huh...?

    5 secs later:
    CONSOLE: Player stabbi joined the server
    stabbi: "op plz"
    stabbi: "i am here to review this server for minecraft moendays"
    stabbi: "any ops here? i need ops."
    me: "I'm not gonna give you ops."
    Player stabbi muted quietly
    stabbi: "ok"
    stabbi: "btw, i'm a c***who**!!"
    stabbi: "and ezzu is st0pid"
    stabbi: "im leavin'"
    me: "nope."
    /qkick stabbi
    Player stabbi left the game quietly
    stabbi: "y cant i leav"
    stabbi: "ill tel the policce"
    stabbi: "helo?"
    me: "Ok, enough, bed jail time for little kids"
    CONSOLE: Player stabbi is now in jail-grief
    CONSOLE: Teleporting Ezzuu to stabbi
    me: "having fun?"
    stabbi: "yea, i'm f**king myself :3"
    /ban-ip @old:stabbi
    Player stabbi has been ip-banned (left the server 2 minutes ago)
    stabbi: "ok, byez :3 contact me if you want _it_ hardcore ;) ;) ;)"
    CONSOLE: Player stabbi left the game
    ERROR: Banned player stabbi tried to join the game
    :3
    Entertaining huh?
     
  29.

    Lynxdragon

    Not bad, but that's not trolling him anywhere near enough.
     
  30.

    ZachBora

  31.

    Deleted user

    Wow. Just... wow.
     