Solved Fixing the UUID Spoofing Exploit

Discussion in 'BungeeCord Help' started by TechyGaming, May 14, 2020.

Thread Status:
Not open for further replies.
  1. EDIT: I have done some research and editing this shouldn’t bump it, but if this isn’t the case please ignore this thread, the issue is now solved. I reached out to my server host and asked about a firewall, and they delivered! Just wanted to clarify that the network is safe, and no personal info was accessed. The hackers just griefed a little and set a few people's prefixes as owner. Thank you everyone who helped me during this stressful time, I really appreciate it!

    MODS PLEASE READ
    I am not deleting the thread content nor changing it, just explaining the situation properly with the correct terms and then later telling people how to fix it. I understand that you can be banned from Spigot for a week for deleting/changing thread content however that is not what I have done. I have just explained the problem in a different way (the correct way).

    Hi,

    My server has been hacked and someone is logging on with my account and running commands that grief the maps, set random players as owner and things like that. As soon as my friend told me it was happening I joined in an attempt to ban them but they had my username and it said "That player does not exist". They didn't hack my account, but used my username and uuid on my server.

    I instantly shut down the whole network in an attempt to stop them but I just didn't know what to do.

    I love my server and everything about it so any help is appreciated, I just really want to know what I can do to stop them from doing it again, and to make sure that they definitely can't log on.

    Any help is appreciated,
    Thanks

    I am editing this post to tell you what happened, and how to fix it if it happens to you. I have left the original post in the spoiler above so that I don’t get banned from Spigot for a week however, this is still about the same topic so I’m pretty sure I’d be fine anyway.

    The problem that happened to me wasn’t that my server or account was “hacked” or “compromised”, it was simply that I hadn’t prevented an exploit called UUID Spoofing (This is what happened in the Minecraft Monday event if anyone remembers people like Technoblade being banned from the server)

    Put simply, what happens is this:

    - A user with malicious intent finds the IP to one of your backend servers (For my situation this was easy as I had previously only had 1 server and then later updated to a bungeecord network. This means that the old IP was still listed on voting sites etc.)

    - That user with malicious intent found the username of a player with permissions such as /op and loaded up a cracked client with that username (Cracked = non premium account / unauthenticated account)

    - Since bungeecord requires backend servers to run in offline mode, there is no authentication meaning that you can join directly to the backend servers under any username and inherit all of their permissions

    - They have access to anything they need and generally end up griefing everything because these people for some reason enjoy making everyone’s life living hell

    So how can you prevent it?

    Add a FIREWALL!
    If you add a firewall to every one of your backend servers with 2 rules, you should be protected!

    Please don’t fall into the same trap that I did and think that using a plugin such as IPWhitelist or BungeeGuard on a 1.8 server will protect you as it won’t. These plugins rely on something called the PlayerHandshakeEvent which in super simple terms means that, the client and server shake hands and say, “Hey, this person is okay to join, the token ID that they gave me is the same”, however, this event was only introduced into Minecraft 1.9.4 and therefore loading the plugins on a version before this will not protect you.

    So, how do I set up my firewall?

    If your server host is nice enough to give you a webpage where you set it up then great, if not, you should follow the Spigot firewall guide, it has everything you need to know.

    The 2 rules you need are:

    ALLOW: Your proxy IP (High priority - Generally 25 but can be anything as long as it’s higher than the disallow rule)

    DISALLOW: 0.0.0.0 (Every other IP) (Low priority - Generally 1 so that the other rules are checked first before blocking everyone)

    If your firewall is configured correctly, when you attempt to join directly to your backend server, it should take forever, and then eventually time out.

    I hope that this helped a few people fix their issues and if I get banned from spigot for a week, I don’t really get why as this is literally the exact same topic and I’m just helping people to fix their issues but okay whatever

    ~ TechyGaming :)
     
    #1 TechyGaming, May 14, 2020
    Last edited: Jul 29, 2020
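
Added example, not part of the original post: the two firewall rules described above, written as iptables commands for a Linux backend host. The proxy address 203.0.113.10 and the ports 25566/25567 are constructed placeholders, and the function names are hypothetical; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for BungeeCord backends.

# valid_ipv4 ADDR -> succeeds only for a dotted-quad IPv4 address
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT -> succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# backend_rules PROXY_IP PORT [PORT...]
# iptables stops at the first matching rule, so the ACCEPT for the proxy is
# appended before the catch-all DROP (the post's "higher priority" allow rule).
backend_rules() {
    proxy_ip=$1
    if ! valid_ipv4 "$proxy_ip"; then
        echo "invalid proxy IP: $proxy_ip" >&2
        return 1
    fi
    shift
    [ "$#" -ge 1 ] || { echo "no backend ports given" >&2; return 1; }
    for port in "$@"; do
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp -s $proxy_ip --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: proxy at 203.0.113.10, backends on 25566 and 25567.
backend_rules 203.0.113.10 25566 25567
```

DROP discards packets silently, which is why a direct connection to a protected backend hangs and then times out instead of being refused straight away.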
  2. Phoenix616

    Resource Staff

    Make sure that you have read and followed the Firewall Guide so that no one can connect directly to your servers behind the Bungee and use any name they want which it kinda sounds like what's happened to you.
     
  3. @Phoenix616 I am unable to set up a firewall due to the host I am using, but would the plugin IPWhitelist also work?
     
  4. Phoenix616

    Resource Staff

    It can't protect you against people running a Bungee on the same host, no. I suggest trying to find a way to set a proper firewall (e.g. by contacting your host) or using a plugin like BungeeGuard which does not rely on IPs.
     
  5. I have installed BungeeGuard and it is still happening, I don't know what to do
     
  6. Is it possible to have multiple plugins such as BungeeGuard and OnlyProxyJoin or would that break it
     
  7. Are you using BungeeCord and are you using shared host?
     
  8. You need to configure your firewall, and you haven't configured your BungeeCord config.yml properly.
     
  9. Yes, I'm using BungeeCord
     
  10. Did you properly configure BungeeGuard? And are you running the required server versions for it (iirc Paper 1.9.4 and above?)
     
  11. Hi, don't use IPWhitelist or OnlyProxyJoin, it doesn't really work, it is possible to bypass.
    You need to block ports using iptables:
    https://www.spigotmc.org/wiki/firewall-guide/

    I also recommend this protection plugin for your account via IP to prevent them from entering with your account
    https://dev.bukkit.org/projects/accountguard
     
  12. After days of working on this I have updated to 1.9.4 and it works because of the player handshake event, however, the server is PvP based and therefore 1.9.4 isn’t great. Is there any way I can introduce the event without using 1.9.4, as even plugins that bring back old combat still miss certain features such as block hitting?

    I really appreciate all of the support,
    Thanks!
     
  13. I mean you could probably compile Paper 1.8 with the patch? Don't see why you wouldn't be able to
     
  14. Do you know where I could find the paper 1.8.8 and 1.9.4 source code?
     
  15. I have put exploit fixer on my bungee server and spigot server with the HamsterAPI but UUID spoofing still isn't fixed. Have I set it up wrong @Mugai ?
     
  16. Seeing as that didn't work, how would I go about patching spigot 1.8.8?
     