ForceOP? Hack client? Help me.

Discussion in 'Spigot Discussion' started by Rudeyz, Jan 8, 2015.

  1. Sorry for my poor English.
    Apologies if this is in the wrong place, I wasn't entirely sure where to put it.

    I still didn't believe in force OP. But after this, I can't say that anymore.

    First hack: by adding a permission to his account, permissionsex *
    I blocked it by using a script to disable all commands /pex /pemisionsex /permisiones:pex
    Changed all my passwords. AuthMe. Password for the server cPanel and client panel (mcprohost)

    And the second attack.
    He stopped my server. Restart and reload..
    Same as before, added more skript plugins. Restart, reload, mv skript disabled, added the plugin IPauth

    After that he attacked by giving "donation tools" and deleting all worlds

    Anyone know this? Where's the bug :(
    My server: Spigot 1.7.10 r03
    Offline mode.
    Plugins: AuthMe reload, PermissionsEx

    Please help me :(


    Skype: rudisai
    GMT +7 Indonesia
     
    #1 Rudeyz, Jan 8, 2015
    Last edited: Jan 8, 2015
  2. Okay, let me tell you something beforehand: there is NO ForceOP, and there NEVER will be.

    So, now that you know that, let's track down the problem:

    Let's assume that you've set up the control panel and AuthMe right; then the problem lies with PEX.
    There might be these problems (at least the ones I have in my head right now):
    • The player was in the wrong group.
    • The group of the player has critical permissions.
    • You accidentally added some administrative permission node to the wrong user.
    If none of this is the cause of your problem, it could be AuthMe, but I don't know anything about it, sorry.

    So, the problem could also be on the "other side" of the server. Let me list the problems there:
    • Your password got bruteforced/"rainbow-tabled".
    • You gave the access data to some untrustworthy person.
    • Someone you trusted gave the data to a 3rd person.
    • It was one of your admins.
    Other than that, I can't think of anything else right now, sorry.

    Greetings,
    Freack100
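    The PEX checklist above (wrong group, group with critical permissions, an administrative node on the wrong user) can be turned into a mechanical audit. The script below is an added example, not code from the thread or from PermissionsEx itself. It assumes the PEX 1.2x permissions.yml layout (groups with `inheritance`/`permissions`/`options`, users with `group`/`permissions`); `PERMS` is a constructed stand-in for what `yaml.safe_load()` would return for that file, and the list of "takeover" nodes is an assumption you should extend for your own plugins.

```python
"""Flag PermissionsEx users and groups holding server-takeover permissions.

Added example, not from the thread.  Assumes the PEX 1.2x permissions.yml
layout; PERMS stands in for yaml.safe_load(open("permissions.yml")).
"""

# Constructed stand-in for a loaded permissions.yml (names are made up).
PERMS = {
    "groups": {
        "default": {"options": {"default": True},
                    "permissions": ["modifyworld.*", "essentials.spawn"]},
        "Mod": {"inheritance": ["default"],
                "permissions": ["essentials.kick", "-*"]},
        "Admin": {"inheritance": ["Mod"], "permissions": ["*"]},
    },
    "users": {
        "Owner1": {"group": ["Admin"]},
        "Mallory": {"group": ["default"], "permissions": ["*"]},  # '*' added straight to a user
        "Steve": {"group": ["Mod"]},
    },
}

# Nodes that amount to full control of the server (assumed list, extend as needed).
DANGEROUS_EXACT = {"*", "minecraft.command.op", "bukkit.command.op"}
DANGEROUS_PREFIXES = ("permissions.manage",)


def is_dangerous(node):
    """True for a positive node granting takeover-level access; negated nodes ('-x') never count."""
    if node.startswith("-"):
        return False
    return node in DANGEROUS_EXACT or node.startswith(DANGEROUS_PREFIXES)


def group_nodes(groups, name, seen=None):
    """All nodes a group holds, following `inheritance` recursively (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return []
    seen.add(name)
    group = groups[name]
    nodes = list(group.get("permissions", []))
    for parent in group.get("inheritance", []):
        nodes += group_nodes(groups, parent, seen)
    return nodes


def audit(perms):
    """Report dangerous nodes per group and per user (direct or inherited)."""
    groups = perms.get("groups", {})
    report = {"groups": {}, "users": {}, "default_group_dangerous": False}
    for name in groups:
        bad = sorted({n for n in group_nodes(groups, name) if is_dangerous(n)})
        if bad:
            report["groups"][name] = bad
            # a default group with takeover nodes hands them to every new player
            if groups[name].get("options", {}).get("default"):
                report["default_group_dangerous"] = True
    for user, entry in perms.get("users", {}).items():
        nodes = list(entry.get("permissions", []))
        for g in entry.get("group", []):
            nodes += group_nodes(groups, g)
        bad = sorted({n for n in nodes if is_dangerous(n)})
        if bad:
            report["users"][user] = bad
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(PERMS), indent=2))
```

    Run it against the loaded file and compare the user list it prints with the people who are actually supposed to administer the server; anyone else holding `*` (as "Mallory" does here) is the kind of entry the first post describes.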
     
  3. I agree that there is no ForceOP, but there are other exploits that can let the server execute commands, like the sign and command-block exploits.
    They are fixed in Spigot 1.8, and there is nearly no support for previous versions, so you should update to Spigot 1.8 like lots of other people do.
    These exploits should only work if the players have access to creative mode (disabling command blocks doesn't change anything, only updating helps).
     
  4. Yes. I really don't believe that.
    I read all their logs, and I believe the "bug" is our staff.
    But right now I really need to find someone to make a skript.sk cheaply, but I can't post until I have 20 posts.
     
  5. joshwenke

    Wiki Team

    I would be happy to help you out making a Skript. Please send me a private message on the Spigot Forums and we can get started.
     
  6. It's most likely KneeSnap; update Spigot.
     
  7. If you need help setting your server up correctly, let me know. I've been doing it since alpha, and no, I don't charge; I like helping community members. My Skype is socomftb21david
     
  8. Yea, just re-run BuildTools.jar and take the new Spigot output.
     
  9. Offline mode. You got your problem there.
     
  10. Yeah, but we can't set it to online. In our country, out of 100 players only 1 - 3 have premium accounts.
     
  11. What you're trying is not going to work. MCProHosting doesn't fix your issues either.
    Do you use BungeeCord / know how it works? If you have BungeeCord, is it on the same machine as your Spigot servers?
     
  12. I'm not sure I can say I know how it works. But right now several errors come up on the console. No, I use different servers: a lobby and a BungeeCord server.

    Are you sure it's not working?
     
  13. All your Spigot servers that are linked to your BungeeCord have a port, for example mc.example.com:698, which your BungeeCord server at mc.example.com:25565 connects to.

    Every other person with a little BungeeCord knowledge can open their own BungeeCord server, add mc.example.com:698 to their setup, run their BungeeCord in offline mode and avoid your xAuth or AuthMe. It's that easy, you wouldn't believe it.

    I suggest you contact MCProHosting and ask them to only allow the ports of your Spigot servers, for example mc.example.com:698, to be accessed from localhost and/or 127.0.0.1, if they are running on the same machine. If not, then let them know you want the ports only to be accessible from the IP of your BungeeCord server, provided it's a static IP.

    They will have to block your Spigot ports from all other IPs and only allow BungeeCord's default 25565, so only your own BungeeCord server connects to your Spigot offline-mode servers.
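    The exposure described in this post can be checked from the backend host before anyone calls the hoster. The script below is an added example, not code from the thread, BungeeCord or Spigot. It assumes you know your backend ports and the proxy's address; `SS_OUTPUT` is a constructed `ss -ltn` listing standing in for the real command's output, and `203.0.113.10` is a documentation address used as the assumed proxy IP. It reports which backend ports are bound to a wildcard address (reachable from any host unless a firewall intervenes) and renders the iptables rules that would limit them to the proxy.

```python
"""Check whether BungeeCord backend (Spigot) ports are reachable from outside.

Added example, not from the thread.  Assumes the admin knows the backend
ports and the proxy's address; SS_OUTPUT is a constructed `ss -ltn` listing.
"""
import re

PROXY_IP = "203.0.113.10"        # assumed BungeeCord host (documentation address)
PROXY_PORT = 25565               # BungeeCord's default listen port
BACKEND_PORTS = {25566, 25567}   # assumed Spigot backend ports

# Constructed listener table in `ss -ltn` format:
# 25566 listens on all interfaces, 25567 only on loopback.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      0.0.0.0:25565        0.0.0.0:*
LISTEN  0       50      0.0.0.0:25566        0.0.0.0:*
LISTEN  0       50      127.0.0.1:25567      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text):
    """Return [(bind_address, port), ...] for every LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1).strip("[]"), int(m.group(2))))
    return found


def is_wildcard(addr):
    """A wildcard bind means any host can reach the port unless a firewall stops it."""
    return addr in ("0.0.0.0", "::", "*")


def exposed_backends(listeners, backend_ports):
    """Backend ports bound to a wildcard address, sorted; loopback-bound ones are not exposed."""
    return sorted(p for addr, p in listeners if p in backend_ports and is_wildcard(addr))


def iptables_rules(ports, proxy_ip, same_host):
    """Render iptables rules so only the proxy can reach each backend port.

    Returned as strings for review; nothing is applied.  If the INPUT chain
    already ACCEPTs the port earlier on, insert these with -I instead of -A.
    """
    rules = []
    for p in sorted(ports):
        if same_host:
            # proxy and backends share a machine: drop anything not arriving on loopback
            rules.append(f"iptables -A INPUT -p tcp --dport {p} ! -i lo -j DROP")
        else:
            rules.append(f"iptables -A INPUT -p tcp --dport {p} -s {proxy_ip} -j ACCEPT")
            rules.append(f"iptables -A INPUT -p tcp --dport {p} -j DROP")
    return rules


if __name__ == "__main__":
    exposed = exposed_backends(parse_listeners(SS_OUTPUT), BACKEND_PORTS)
    print("backend ports reachable from any host:", exposed)
    for rule in iptables_rules(exposed, PROXY_IP, same_host=False):
        print(rule)
```

    When proxy and backends share a machine, the cleaner fix is to bind each backend to loopback with `server-ip=127.0.0.1` in its server.properties; the 25567 line in the constructed listing is what that looks like in `ss`, and the script then no longer reports it. A firewall rule is what you need when the proxy is on another host, as the post says.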
     
  14. Instead of on move, make it on any command, and don't kill the player, just cancel the event. You may also want to make an all-player loop that does /deop %player% and /op (your username). And as for the error, please leave a log of it.
     
  15. What o_O....
     
  16. Thx mate. I know that. But one more thing: on every server I set up AuthMe, so people using their own BungeeCord still need to log in.

    Thx for the information, but the "hacker" can't go that far, I hope, because he's not as good a hacker as those from the US or other countries. He used our habit of using the same password on every server that uses Auth.


    So skript.sk makes an event on any command.
    Someone help me make a skript that can detect the IP and nick for running commands.
     
  17. It's probably the KneeSnap thing going around. Update spigot.

    However, I wrote the skript I think you're looking for as a hopeful temporary fix, and a decent way to add a lightweight layer of protection to the server. It saves by UUID, so if you're in online mode it will use UUIDs. If you're in offline mode, be sure not to change the case of your name.

    If you wanna kick some money my way for the time, you can "show some love" on my server store. ;) (use my name if you don't have a premium account, same as spigot name) This is pretty simple so I decided to just write it, but I couldn't half-ass it and it took a bit to test lol, and I wanted others to be able to take advantage of it.

    Code (Text):

    command /staff <text="list"> [<offlineplayer>]:
        usage: /staff <add/remove/list/clear> [player]
        executable by: console
        trigger:
            if arg 1 is "list" or "l":
                message "Listing Staff:"
                if size of {staff::*} is less than 1:
                    message " No staff added. Add them with /staff add <player>"
                else:
                    loop {staff::*}:
                        message " %loop-value% - %loop-index%"
            else if arg 1 is "add" or "a":
                if {stafflocked} is true:
                    message "The staff list is locked. It cannot be modified"
                    stop
                set {staff::%uuid of arg 2%} to arg 2
                log "%arg 2% - %uuid of arg 2% ADDED to the staff list"
            else if arg 1 is "remove" or "r" or "del":
                if {stafflocked} is true:
                    message "The staff list is locked. It cannot be modified"
                    stop
                delete {staff::%uuid of arg 2%}
                log "%arg 2% REMOVED from the staff list"
            else if arg 1 is "clear":
                if {stafflocked} is true:
                    message "The staff list is locked. It cannot be modified"
                    stop
                delete {staff::*}
                log "CLEARED the staff list"

    command /lockstaff:
        executable by: console
        trigger:
            set {stafflocked} to true
            log "The staff list has been locked."
            log "This can only be undone by manually deleting the variable,"
            log "or by writing a skript command that includes:"
            log "> 'delete {stafflocked}' "

    on command:
        if player is op:
            if {staff::%uuid of player%} is not set:
                log "EXPLOIT?!"
                log "%player% is OPed and is NOT listed as staff"
                cancel event
                log "%player%'s command blocked"
                execute console command "/deop %player%"
                execute console command "/pex user %player% remove *"
                execute console command "/pex user %player% add -*"
                log "%player% was DE-OPed and given permission '-*'"
                message "Unknown command. Type ""/help"" for help."
        if player has permission "*":
            if {staff::%uuid of player%} is not set:
                log "EXPLOIT?!"
                log "%player% had permission '*' and is NOT listed as staff"
                cancel event
                log "%player%'s command blocked"
                execute console command "/deop %player%"
                execute console command "/pex user %player% remove *"
                execute console command "/pex user %player% add -*"
                log "%player% was DE-OPed and given permission '-*'"
                message "Unknown command. Type ""/help"" for help."
     

    First, you have to add all your staff members to the staff list in the console (can't be used in-game) with /staff add <player> to prevent them from being blocked. Once you've added them all, I recommend running /lockstaff in console, to prevent the staff list from ever being edited (mainly by command blocks) unless you manually remove the variable that command sets.

    Here's what it will do when a player has OP, the * permission, and when the player has been listed as staff, (with "harmlesspermission" substituted for "-*" in the command for my testing). I made it very verbose, and you can easily search for "EXPLOIT?!" in your logs, and made it respond to the player with the default "Unknown command" format.

    Code (Text):
    >op Absentee23
    [02:29:07 INFO]: Opped Absentee23        # OP-ed, NOT listed as staff
    [02:29:11 INFO]: Absentee23 issued server command: /pex gimmealltheperms
    [02:29:11 INFO]: [Skript] [staffprotect.sk] EXPLOIT?!
    [02:29:11 INFO]: [Skript] [staffprotect.sk] Absentee23 is OPed and is NOT listed as staff
    [02:29:11 INFO]: [Skript] [staffprotect.sk] Absentee23's command blocked
    [02:29:11 INFO]: De-opped Absentee23
    [02:29:11 INFO]: Permission "*" removed!
    [02:29:11 INFO]: Permission "harmlesspermission" added!
    [02:29:11 INFO]: [Skript] [staffprotect.sk] Absentee23 was DE-OPed and give permission '-*'
    >pex user Absentee23 add *                 # added * permission, NOT listed as staff
    [02:29:33 INFO]: Permission "*" added!
    [02:29:38 INFO]: Absentee23 issued server command: /pex gimmealltheperms
    [02:29:38 INFO]: [Skript] [staffprotect.sk] EXPLOIT?!
    [02:29:38 INFO]: [Skript] [staffprotect.sk] Absentee23 had permission '*' and is NOT listed as staff
    [02:29:38 INFO]: [Skript] [staffprotect.sk] Absentee23's command blocked
    [02:29:38 INFO]: Could not de-op Absentee23
    [02:29:38 INFO]: Permission "*" removed!
    [02:29:38 INFO]: Permission "harmlesspermission" added!
    [02:29:38 INFO]: [Skript] [staffprotect.sk] Absentee23 was DE-OPed and give permission '-*'
    >staff add Absentee23               # NOW listed as staff...
    [02:30:51 INFO]: [Skript] [staffprotect.sk] Absentee23 - 0d06b99e-e784-4847-bde2-a9a51d4eb7cf ADDED to the staff list
    [02:30:51 INFO]: Unknown command. Type "/help" for help.
    >op Absentee23
    [02:30:54 INFO]: Opped Absentee23
    [02:30:58 INFO]: Absentee23 issued server command: /pex gimmealltheperms


    I guess this is a good time to share another quick patch I made a little while back before KneeSnap was fixed (and it still blocks the currently working sign exploit, as well as usage of books and minecart command blocks, just in case), but this fix can be an inconvenience for players as it blocks usage of books and signs... BUT this exploit is only very effective on a creative server. If you aren't running creative, you need to pore over your logs to figure out how they got in...

    Code (Text):
    on right click holding minecart with command block or command block or book or sign:
        log "KNEEBRACE: %player% tried to place %player's tool%"
        remove all minecart with command block from player's inventory
        remove all command block from player's inventory
        cancel event
        message "&d&oKneeBrace &7» &aYou can't use that here."
        message "&d&oKneeBrace &7» &eThis is a TEMPORARY fix for an exploit."

    on right click:
        target block is a sign
        cancel event
        message "&d&oKneeBrace &7» &aYou can't use that here."
        message "&d&oKneeBrace &7» &eThis is a TEMPORARY fix for an exploit."


    These are all temporary fixes and you should find the cause of the intrusion and fix it.
     
    #20 Absentee23, Jan 9, 2015
    Last edited: Jan 9, 2015