Help with a Kickall Exploit

Discussion in 'Server & Community Management' started by Alterego, Jun 2, 2017.

  1. I have been having problems with a small group of Italian hackers who seem to target our server for no reason. They apparently got their hands on some sort of kickall exploit that boots all the players from a server. Here's their video:



    I've tried searching all over but I haven't been able to find any solution at all, so I was wondering if anyone here might have an idea on how to stop this.

    The best luck I've had so far was finding this older thread: https://www.spigotmc.org/threads/crash-exploit.211220/

    However, there doesn't seem to be an actual solution posted there. One of the videos recommends setting tab-complete to -1 in spigot.yml, but that didn't seem to work for our server.
     
  2. Celebrimbor

    Patron

    Is it a crash or an actual /kick run in console? Your console should show more info on the disconnect.
     
  3. Info dump:
    It looks like it's trying to log in every person or something.

    Disconnecting ----------------------- §cYou have to join through the proxy.

    It does that for every single person on the server.
    Generally people get that message if they try to directly connect to my servers via the IP instead of Bungee.
    The IPs it shows are the same IP with a different port each time.

    It seems like it takes a list of all the players, then tries to force those usernames to connect to the IP directly,
    which causes them to get kicked.
    Maybe if there's a way I can cause it to reject the new client instead of kicking the one that is currently online, then I can stop the players from being kicked?
     
  4. Firewall off the Spigot servers. You should do that anyway, as they could've chosen to use a similar method to hijack your account and get OP.
     
  5. How can I do that? Please, I need your help.
     
  6. How do you do what? Firewall off the servers?
     
  7. Yes please, idk about firewalls in Debian...
     
  8. I think your assumption is fully correct here. This hack probably gets a list of online players in the current Spigot server and then starts up a crap ton of offline clients and it connects them to your server directly. Although I wonder why the player is still kicked if the login event is cancelled by OnlyProxyJoin...? Maybe a bug in the plugin? Cancelling a login event shouldn't kick a player if he's already online, right?

    Anyhow, to fix this you'd probably want to do what @DotRar suggested; make sure you firewall the server properly. If everything runs on the same machine, you could start hosting your Spigot servers on localhost. That would solve it. If that's not the case, you may have to do some tricky firewalling.

    What do you suggest @DotRar, use iptables to block any connection on <spigot port> if the connecting IP is not the same as the BungeeCord IP? Would that work?
     
  9. Code (Text):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $SERVER_PORT -j DROP
    I'd share my setup if my server hadn't just gone down randomly. oshit wat.
     
  10. Is the port needed in that rule?

    Also, I just checked out some comments in this video. He says he used forceop. I personally question that statement. @Alterego, do you have any logs stating he became/is an op?
     
  11. Yeah, the port is needed.
     
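    The rule posted above, expanded into a small script as an added example (not from anyone in this thread): it emits iptables rules that let only the BungeeCord proxy address and loopback reach each Spigot backend port and drop every other source, which is what stops direct connections that spoof online usernames. The proxy IP 203.0.113.10 and the backend ports 25566 and 25655 used in the usage line are assumptions for illustration; substitute your own. The proxy's own public port (25565 here) must not be in the list, or legitimate players are cut off.

    ```shell
    #!/bin/sh
    # Added example: restrict Spigot backend ports to the BungeeCord proxy.
    # Default is a dry run that prints the commands; APPLY=1 executes them (needs root).
    # Usage: backend_rules PROXY_IP PORT [PORT...]

    emit() {
        if [ "${APPLY:-0}" = 1 ]; then
            # Word-splitting is intended here: run the rule that was built.
            $1
        else
            printf '%s\n' "$1"
        fi
    }

    backend_rules() {
        proxy_ip="$1"
        [ -n "$proxy_ip" ] && shift && [ "$#" -ge 1 ] || {
            echo "usage: backend_rules PROXY_IP PORT [PORT...]" >&2
            return 2
        }
        for port in "$@"; do
            # Accept the proxy and local connections first, then drop everything else.
            # Matching --dport keeps the rule from affecting SSH or the proxy's own port.
            emit "iptables -A INPUT -p tcp --dport $port -s $proxy_ip -j ACCEPT" || return 1
            emit "iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT" || return 1
            emit "iptables -A INPUT -p tcp --dport $port -j DROP" || return 1
        done
    }

    # Number of rules a dry run produces; handy for checking the generated set.
    rule_count() {
        backend_rules "$@" | wc -l | tr -d ' '
    }

    # Dry run with the assumed proxy IP and backend ports (constructed values).
    backend_rules 203.0.113.10 25566 25655
    ```

    Rules are appended with `-A`, so if the INPUT chain already has a blanket ACCEPT earlier (check with `iptables -S INPUT`), the DROP never fires; in that case insert with `-I` instead, or place these before the existing rule. If the backends also listen on IPv6, the same rules are needed through `ip6tables`. After applying, a direct `nc -vz <server> <backend port>` from a host other than the proxy should time out rather than connect.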
  12. Hey, I'm from the server staff, and no, they can't get OP, it's just impossible. We have a plugin which bans everyone when it detects op or any * permission; also the UUID spoof glitch is fixed. The user in the comments is just a scammy bastard, to be honest.
     
  13. Give me the IP and the owner's name, I'll prove you can.
     
  14. play.randomcraft.org
    We use a custom panel which I believe should set up our firewalls for us. Here's the output of iptables:
     
  15. Lmao why censor everything important that we need to see to help? No point censoring anyway, I can see that your IP is
    149.202.86.220 and the following ports are open:
    25565/tcp open minecraft
    25566/tcp open unknown
    25655/tcp open unknown
     
  16. Yes, I just ran a pentest myself like 2 hours ago.
    I am just trying to figure out if this firewall isn't configured correctly, and if it isn't, what I need to do to fix it.
     
    #17 Alterego, Jun 3, 2017
    Last edited: Jun 3, 2017
  17. SuperMonis

    Supporter

    Fixed*
     
    #18 SuperMonis, Jun 3, 2017
    Last edited: Mar 4, 2018
  18. The 127.0.0.1 IP is probably there because they're hosting a fake BungeeCord proxy on 127.0.0.1 on their own PCs, and connecting to your server using that proxy.
     
  19. I have ipwhitelist, which fixes the problem of people joining with their own BungeeCord/fake BungeeCord server. The kick problem is not fixed though.