[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you login or need to login, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send it to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <your username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing: a malicious program designed to fool server admins into thinking their server is at risk, so that they run it to try it out and make sure they aren't. Then they later find their server has been attacked by someone with op, because the attacker knows your username and password, and thus can op anyone they want on your server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down its spreading. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
     
  2. Offline

    hammale

    lol i like the twist at the end...i could swear he was gonna get op'd!
     
    afistofirony likes this.
  3. Offline

    teetor

    Oh yeh i saw that vid... On some grief channel, it was goin round on MinecraftForums
     
  4. Offline

    ZachBora

    uhhh idk that video I was just quoting what people say when they login to my server
     
  5. Offline

    teetor

    Oh lol
     
  6. Offline

    propilot

    Sorry you're wrong :D
     
  7. Offline

    Ne0nx3r0

    Only in that it usually goes like:

    Code:
    E1it3H4x0r: hi im from planet
    E1it3H4x0r: planet mc*
    E1it3H4x0r has been banned for poor scamming skills
    
    I dunno about everyone else, but unless I'm in a comical mood I just don't even care to hear the rest of the story.
     
    afistofirony likes this.
  8. Offline

    ZachBora

    I had one the other day that said he made bukkit, or maybe it was minecraft. I logged on and banned him.
     
    afistofirony and Ne0nx3r0 like this.
  9. Offline

    propilot

    lmao what a fail, rrr I hate noobs that don't even try to make it look good.


    Anyway, why would anyone from Planet Minecraft join a server like mine? Where there are almost no players.
    Anyway, meh never happened to me, and I'll never believe that someone from PM will join ma server, lol.


    Have a nice day
     
  10. Offline

    Franky1223

    I won't even op someone from Planet Minecraft >>
     
  11. Offline

    The_Minecast

    I went on a server called killercraft (which has online-mode:true) and this guy had a force op hack. I'm not making that conclusion by the fact he griefed or anything, he actually opped himself and deopped a co-owner. (I do know that it is online-mode:true, because I tried to connect when I was playing MC offline and it said: Failed to login: Bad login) so force op hacks might work. Now nobody can connect for 'Internal server error'.
     
  12. Offline

    ZachBora

    It's not because you write in Bold that you'll be taken seriously.
     
    afistofirony likes this.
  13. There's always the chance that the guy just stole an OP's info and logged in.
     
  14. Offline

    ZachBora

    I've once had one of the admins get his account info stolen (his password was cheese >.>) and he opped a griefer. Then later that guy logged on and opped other people. There's no server hacks in anything that happened there and it resembles what our bold friend above said.
     
  15. Offline

    Cannedbeefy

    Not even I'm op and I own my servers. Just for security, no one is ever op. Very limited control. Only one other person has admin rights to plugins, and even those are limited. Just easier and more secure. I break up tasks to moderators so that not one person could destroy the whole server, but only a small fraction if they realllllly really tried. No one but me has WE/WG editing. If they have an issue, that's what help tickets are for and a moderator to move the player if needed. :)



    If that happens thank goodness for cloning my SSDs every 10 mins and SQL backups.
     
  16. Offline

    The_Minecast

    1. I always write in bold on the bukkit forums (except for now).
    2. It turns out he hacked a friends account and pranked us.
     
  17. #2 - Not to say anyone told you so, but.... :)
     
  18. Offline

    E.Conifer

    Sorry guys, I really don't mean to contradict, however, at approximately 12:30 AM today, a hacker (username: samjd101) managed to gain Operator access to the server. I can confirm that the server was in ONLINE mode when the incident happened. He was also able to whitelist the server at will. We've IP banned and firewalled him, however, he keeps coming back (most likely with a proxy). Right before this happened, in the console, I see giant blocks of random IPs losing connection, and then the legit players lose connection.

    Any help or answers you have would be greatly appreciated, as I've had to take the server down to prevent further damage.
     
  19. Offline

    andrewpo

    1. Don't be careless with security
    2. Get a plugin like NoCheatPlus and configure it to only let the /op command be used from the console
     
    afistofirony likes this.
  20. Offline

    E.Conifer

    Thanks for the reply, although "Don't be careless with security" is pretty vague advice ;)

    Anyways, we've figured out the problem. Saturday night, a hacker used an exploit to gain Op access to the server, while it was running in offline mode (This was due to problems with the MC auth servers at the time). However, before we banned him, he opped one of his friends, who was the hacker in question last night.

    Thanks for your time in any case!
     
  21. Offline

    cursedkid

    You know what I love about griefers?
    On your server they are the biggest pain in the arse to you.
    But in real life, they are this guy from gradeschool [​IMG][​IMG]
     
  22. Offline

    mindless728

    I had one like this the other day
     
  23. Offline

    ZachBora

    It's much more fun with yours. If that happened, I'd check the source and I'd put a plugin with the same name that does nothing. :p
     
  24. Offline

    mindless728

    I didn't think of that until afterwards and was like "damn"
     
  25. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı Retired Staff

    Set online-mode=true in your server.properties
     
  26. Offline

    afistofirony

    Another situation:

     
  27. Offline

    IonDrako

  28. Offline

    TnT Retired Staff

    Here are two scenarios:

    In the first scenario, you leave your house unlocked and invite everyone in. Once inside, you say "Please tell me if you should be here or not. If you're not supposed to be here, please leave."

    In the second scenario, you have a house that is locked up and no one has been able to break into before. You don't let people in, and therefore do not have to kick out any nasty guests. You only let in the people you want.

    Which one do you think is going to be more successful? You will get no support for online-mode=false because it is not possible to protect it, so it is not possible to support it as a secure server. Online-mode=true will protect you.
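
An added example, not part of the original thread and not Bukkit's own code: a small audit for the two things the posts above come back to, whether `online-mode` is enabled in `server.properties` and whether the op list still contains anyone who was opped while the server was in offline mode. The function names, the `ops.txt` one-name-per-line layout, and the sample data are assumptions made for illustration.

```python
# Added example: audit server.properties and the op list (names are illustrative).

def parse_properties(text):
    """Parse Java-style .properties text (simplified: no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        for i, ch in enumerate(line):        # first '=' or ':' ends the key
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit(properties_text, ops_text, expected_ops):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    props = parse_properties(properties_text)
    # Assumption: a missing key falls back to the server default, online-mode=true.
    mode = props.get("online-mode", "true").lower()
    if mode != "true":
        findings.append("online-mode=%s: logins are not authenticated" % mode)
    # Assumption: ops.txt holds one player name per line.
    ops = {n.strip().lower() for n in ops_text.splitlines() if n.strip()}
    expected = {n.lower() for n in expected_ops}
    for name in sorted(ops - expected):
        findings.append("unexpected op: %s" % name)
    return findings


# Constructed sample input, not taken from any real server.
SAMPLE_PROPERTIES = """#Minecraft server properties
server-port=25565
online-mode = false
white-list=true
"""
SAMPLE_OPS = "ServerOwner\nsome_friend\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_OPS, {"ServerOwner"}):
        print(finding)
```

Running the op-list check again after switching back to `online-mode=true` matters because op status granted during an offline-mode window stays in the list.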
     
  29. Offline

    Pwnzsolo

    I'm confused, I thought people could get OP by using session stealing to log in on you and OP themselves. I mean since session stealing is definitely real then it's completely possible to do that and then log on as you and log with their own char and op themselves unless you have a plugin that makes OP only accessible through console. Though I still fear they could do other damage though that's not part of this post's topic.
     
  30. Offline

    TnT Retired Staff

    That is not a force OP.
     
  31. Offline

    exoforce
