Server hacked through console (online mode is true)

Discussion in 'Bukkit Help' started by TDLive, Dec 3, 2012.

Thread Status:
Not open for further replies.
  1. TDLive

    Hi!

    About an hour ago, the "server" de-opped me. I am the owner, so this freaked me out. I calmed down, immediately re-opped myself, stopped the server, changed the root AND Minecraft user passwords, disabled SSH access from the outside, and started the server again. I didn't see anything else for a while.

    The second part is what my idiot friend did.

    The point is, someone got in (even into the nohup) somehow. Before it happens again, I'd like to fix or find out what's happening so that it won't happen again.

    Pastebin of server.log

    I posted this here because I'm not sure if it's an exploit with Bukkit or Java (I boiled it down to these two things, but I may certainly be wrong).

    Here are my specifications:

    Hosted at home with SUSE Linux Enterprise (11 SP2) 32bit and Java 1.7 32bit (retrieved from this repo)

    Bukkit Build:
    Online mode was true.
    rcon was on, but not accessible from the outside.
    Querying was on.
    The firewall was on (only services allowed: HTTP, CraftBukkit, and SSH)
    SSH was accessible from the outside (until I turned it off).
    It was port forwarded through my router.
    Server run command: nohup java -Xmx2512M -Xms2512M -Xincgc -jar craftbukkit.jar
    If you need anything else, I will be more than happy to give it to you.

    Thanks a ton!

    Update: Looking at the server log, I saw that I ran a command that I didn't. I was AFK eating a cheeseburger, so it's either something screwing up with the client, or something server-side happened.

    Client details:

    OS: Xubuntu 12.04
    Java: 6, update 24 (1.6.0_24); OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1), OpenJDK Client VM (build 20.0-b12, mixed mode, sharing)
    Client is vanilla
     
  2. TnT

    Yes, the server.log is very important. What server management tool are you using?

    Did you check your ops.txt for any other ops?
     
  3. midnightfang22

    Did you check for viruses, keyloggers, and so on?
     
  4. ImDeJay

    It could also be due to a plugin you may have downloaded.

    Did you download all your plugins from respected sources? Or did you recently install a plugin that one of your users made for you?
     
  5. lycano

    Maybe offtopic but hopefully it can help anyways.

    Some short advice at this point (as you may have noticed, further analysis needs parts of the server.log) if you think you get/got hacked or you experience some weird issues ...

    1) don't (!) shut down the hardware or the server
    2) don't make rash decisions ... monitor and try to get as much information as possible

    To do so, prepare a bash file that can capture a Wireshark-compatible tcpdump

    Code:
    #!/bin/bash
    # Capture full-size packets (-s 65535) on the chosen interface and write them
    # to a timestamped file that Wireshark can open later.
    tcpdump -i <interface> -s 65535 -w /absolute/path/tcpdump_$(date +%s).dmp
    
    Replace interface with eth0 (if that's your primary interface, check with ifconfig)

    Let it run for some minutes and terminate the script when you are done.

    If you think you got enough data then terminate the script. Now you can shut down external access to the server and it is more likely that you will get some info when you hide yourself instead of letting "the attacker" know that you know.

    Analyse the dump file with Wireshark on your computer and take your time to see what he did.
     
  6. TDLive

    Update: the cursing out was my idiot friend. But the de-opping was legit. I didn't run the /deop command at all, so it's a bug client-side, or the server's packets are getting spoofed.

    TnT - The pastebin. There isn't anyone new in the ops.txt file. Also, I used MilkAdmin for a while, but it wasn't accessible from the outside when the "hacking" happened.
    midnightfang22 - Since I re-installed the OS a couple of days ago, there's much less of a chance that there are any. I'll run a clamscan on the client and the server when I get to it.
    ImDeJay - I only download from DevBukkit (or I code the plugin myself).
    lycano - Thanks for the advice. Next time (if) it happens I'll follow it.

    I'm not 100% sure if it's a client or server issue, so I'm not marking as solved just yet.
     
  7. TnT

    Unfortunately, with that small snippet of the log, it's not really possible to analyze. Clearly it shows your username deopping you. Perhaps you have a plugin allowing you to run commands as another user? Is it possible someone in your house was messing with you?
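Added example, not from any poster in this thread: a small Python triage script for the two checks raised above, TnT's "look for extra names in ops.txt" and TDLive's "a command I didn't run appears in server.log". It assumes the CraftBukkit-era console line format "YYYY-MM-DD HH:MM:SS [LEVEL] <player> issued server command: /<cmd> ..." (an assumption, verify against your own log), and the sample log lines and ops.txt contents are constructed; the AFK window lets you mark privileged commands logged while you know you were away from the keyboard.

```python
import re

# Console line: "2012-12-03 20:15:42 [INFO] <message>"  (format assumed)
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
# Message: "<player> issued server command: /<cmd> <args>"  (format assumed)
CMD_RE = re.compile(r"^(\S+) issued server command: /(\S+)(?: (.*))?$")
# Commands whose misuse changes who controls the server
PRIVILEGED = {"op", "deop", "stop", "ban", "pardon", "whitelist", "gamemode"}

def parse_commands(lines):
    """Return one dict per 'issued server command' line; timestamps stay ISO strings."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, _level, msg = m.groups()
        c = CMD_RE.match(msg)
        if not c:
            continue
        actor, cmd, args = c.groups()
        events.append({"time": ts, "actor": actor, "cmd": cmd.lower(), "args": args or ""})
    return events

def flag_privileged(events, afk_windows=()):
    """Keep privileged commands and mark those issued inside an (actor, start, end) AFK window.
    ISO timestamps compare correctly as strings, so no datetime parsing is needed."""
    out = []
    for e in events:
        if e["cmd"] not in PRIVILEGED:
            continue
        afk = any(a == e["actor"] and s <= e["time"] <= t for a, s, t in afk_windows)
        out.append(dict(e, afk=afk))
    return out

def unexpected_ops(ops_txt, expected):
    """Names present in ops.txt that the owner did not put there (case-insensitive)."""
    listed = {l.strip().lower() for l in ops_txt.splitlines() if l.strip()}
    return sorted(listed - {n.lower() for n in expected})

# Constructed sample data in the assumed format (not from the thread's pastebin)
SAMPLE_LOG = """\
2012-12-03 20:10:01 [INFO] TDLive[/192.0.2.10:54321] logged in with entity id 12
2012-12-03 20:11:30 [INFO] TDLive issued server command: /tp Friend TDLive
2012-12-03 20:15:42 [INFO] TDLive issued server command: /deop TDLive
2012-12-03 20:16:03 [INFO] Friend issued server command: /say everyone out
2012-12-03 20:20:00 [INFO] TDLive issued server command: /op TDLive
""".splitlines()
SAMPLE_OPS = "TDLive\nnotch_fan99\n"
```

A deop logged under your own name while you were AFK points at either a plugin or a session acting as you, not at a console intrusion, which is exactly the distinction TnT is asking about.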
     
  8. YoFuzzy3

    Happened to me today as well. By any chance are you using Multicraft or Adminium?
     