[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph

    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you login or need to login, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send it to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <you username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing. A malicious program designed to fool server admins into thinking their server is at risk, running to try it out and make sure they aren't. Then later finding their server has been attacked by someone with op because they know your username and password, and thus can op anyone they want on your server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down it spreading. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
     
  2. Offline

    Jacek

    The best one I ever saw was rnyspace.com. Bit off-topic but it impressed my 12 year old self :)
     
  3. Offline

    alexistough

    Sadly sir you are wrong I was hacked.
     
  4. Offline

    TnT

    We have still not seen a force op hack we could replicate. We're not saying its impossible, just unknown at this time. The ones popularly shown on Youtube are all fake.
     
  5. Offline

    bbq

    IP BANNING IS USELESS!
    How many times must I say this?? 99% of the time the person you IP ban will have a dynamic IP address, which means it is simply a matter of unplugging the router and restarting it so that there ISP automatically gives them a new IP. Oh and then there IP maybe allocated to a legit player (but that is very unlikely).
    Whether they have the IQ to do this is a good point thou.

    Also as for MCBans I personally think if your to lazy to manage your own ban list then you shouldn't be running a server.
     
  6. Offline

    intel5271derpz

    actually this can happen one of my dumb friends did it he was de-oped and the server is running in online mode and he oped himself so either theres a hidden bug in bukkit or a plugin is screwed up so you tell me that its not true and PROVE it else it is true. nuff said

    as for the MCBans i think you sir are correct

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 24, 2016
  7. Offline

    Jacek

    He probably knew your password.
     
  8. Offline

    TnT

    The burden of proof lies with you I am afraid. You must prove, or at least provide evidence proving this is the case.
     
  9. Offline

    zathrus

  10. Offline

    lukegb

  11. Offline

    zathrus

    ah, I didn't see the original post... the one from MCBans originates a while ago, thus my confusion, sry
     
  12. Offline

    [qwerty]

    Yeah, that's true. I like the new account migration though, that's a step in the right direction :)
     
  13. Offline

    Jacek

    It's a temporary fix, All they have done it change all of the usernames. The problem of people using alt accounts will come back once the people doing the cracking change their strategy to find emails and crack based on those.
     
  14. Offline

    MXO10

    Thanks for the info now i know that it wont work because my friend was trying to do that and he got a virus!
     
  15. Offline

    fredghostkyle1

    who reads the adds that come out of that???? i think i am smart to see the hack,

    you can't, it is in the vanilla it is in bukkit AND most people use that, and some don't have plugins w/ permissions so.......... you can't.
     
  16. It's pretty easy to write a Bukkit plugin that removes the /op command.
     
  17. Offline

    Kainzo

    Nifty teapot analogy / theory.
     
  18. Offline

    PandazNWafflez

    Bukkit can remove it if they want to, and besides, Bukkit technically has permissions built it, just they aren't very good.
     
  19. Offline

    TnT

    Really? Did you know PEX, bPermissions, PermissionsBukkit all use this API? It may have its quarks, but its far from "not very good".
     
  20. Offline

    fredghostkyle1

    kk, i think the people who add the plugin that lets others to be OP, without using console is dum... wether they know it or not. and to TnT, he is right.
     
  21. Offline

    PandazNWafflez

    Sorry, that was not worded the best way, I meant that it is impractical for server owners to use the default permissions.yml file without a plugin that allows for groups and other options.
     
  22. Offline

    fredghostkyle1

    what is the premissions.yml for?
     
  23. Impractical? My permission plugin doesn't even save runtime changes I've made to permissions. No groups, all files hand edited. That suits some of us just fine.
     
  24. Offline

    PandazNWafflez

    Then.. your permissions plugin is terrible? And anyway, how many people are on your server? I mean, look at a server like Super-Earth (thousands of players), if they had to write out all players permissions by hand, how long would it take them? And they use prefixes, which Bukkit doesn't support in permissions.yml by default.

    People that run very small servers that have the time to write out all the permissions separately for each player and don't need prefixes or suffixes.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 24, 2016
  25. I wrote the permissions plugin for my personal server which consists of approximately 4 people on at a time max. It's a perfectly practical plugin for MY server. I was arguing your application of "impractical" to all servers.
     
  26. Offline

    fredghostkyle1

    ok, i will have to do that... LOL
     
  27. Offline

    PandazNWafflez

    You don't know what I'm talking about:

    I'm not talking about any plugins, all permissions plugins are good to some extent, I am talking about the default Bukkit permissions.yml without any permissions plugin.
     
  28. I didn't realize that file even did anything. I've never heard of it being used or saw documentation on it.
     
  29. Offline

    PandazNWafflez

    That's because it's not very practical, which is what I've been trying to say the whole time lol :p
     
  30. Ok. On that I agree with you.
     
  31. Offline

    afistofirony

    An excerpt from the daily life of server owners:

     
    andrewpo, hammale and zathrus like this.
Thread Status:
Not open for further replies.

Share This Page