Login System for Bungeecord

Discussion in 'BungeeCord Plugin Help' started by DavidJDM, May 21, 2015.

  1. Hi everyone. I am currently running a cracked BungeeCord server but have a big issue with the login system. At first, I used Login Security, which worked until I found out that people were able to use the compass and still teleport to other servers. So, to fix that, I switched to AuthMe Reloaded and disabled the /server commands. That was able to protect your inventory before you log in. But the problem is, I have had my server griefed THREE times in the past couple of days. The griefers even made a video on it and they were using the hacked client Wurst. I decided to get it and see how they were able to bypass AuthMe and hack into my account. Wurst has a feature that cracks AuthMe somehow and you are able to log in as an Owner, Admin, etc. It does not always work though. I even changed my password after being griefed and made it like 15 characters long. Also, I got an IP protector but I am guessing they pinged my server and found out my IP, changed it and still logged in. I really need help with this to stop these hackers. Please help! I would be glad for any help! Thanks in advance...
     
  2. I'm releasing a cracked system using anvils and GUIs (more secure) in the next couple of days using MySQL.
     
  3. They can't get your password. There are a lot of methods to exploit a Minecraft server, and I will probably make a plugin to fix some of these.
    They probably used your UUID to join the server with your name, or they just used BungeeCord to join the servers on different ports, where AuthMe isn't enabled.
     
  4. Your server has to be set as localhost, otherwise players can scan your ports to your server and log in directly to them and use cracked Minecraft and choose your username to get into your server. Note that they are not logged in to your account, they just have your username.
     
  5. Preventing people from directly accessing your Spigot server is child's play nowadays. I'm not entirely sure, but I think it's even blocked by default these days. If not, any simple plugin can do that. You should not worry about running it on localhost.
     
  6. I mean that if you run your server at localhost they are not able to log in with cracked accounts and use your nickname. Sorry if I wrote badly.
     
  7. Ah, now I see. That's indeed correct, and that is indeed the risk of a cracked server.

    I am starting to question the security of AuthMe if WurstClient is able to do such a thing.
    It's running on SQL, so my guess is that SQL injections might not be blocked? I can't check the code in detail at the moment, but does anybody know if AuthMe took care of injections? If not, someone has to teach the kid how to program...

    Never used AuthMe since I hate cracked. Does it hash passwords? If so, what provider? (MD5, SHA1, SHA256, etc)
     
    #8 MrDienns, Feb 23, 2017
    Last edited: Feb 23, 2017
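
Added example, not part of any post in this thread: a small audit of a backend Spigot server's configuration for the exposure discussed in posts 3 and 4 (backend ports reachable without going through BungeeCord). It reads the standard `server-ip` and `online-mode` keys from `server.properties` and `settings.bungeecord` from `spigot.yml`; the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs for a backend Spigot server (not from the thread).
EXPOSED = "server-ip=\nserver-port=25566\nonline-mode=false\n"
LOCAL_ONLY = "server-ip=127.0.0.1\nserver-port=25566\nonline-mode=false\n"
SPIGOT_YML = "settings:\n  bungeecord: true\n"

def parse_properties(text):
    """Parse key=value lines from server.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bungeecord_enabled(spigot_yml):
    """Line scan for 'bungeecord: true' (avoids needing a YAML library)."""
    for line in spigot_yml.splitlines():
        s = line.strip()
        if s.startswith("bungeecord:"):
            return s.split(":", 1)[1].strip().lower() == "true"
    return False

def is_loopback(addr):
    """True only for localhost or a loopback IP; empty means all interfaces."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_backend(server_properties, spigot_yml):
    """Return findings for a backend that should only accept the proxy."""
    props = parse_properties(server_properties)
    findings = []
    bind = props.get("server-ip", "")
    port = props.get("server-port", "25565")
    if not is_loopback(bind):
        findings.append(f"server-ip={bind or '(all interfaces)'}: "
                        f"port {port} accepts connections that skip the proxy")
    offline = props.get("online-mode", "true").lower() == "false"
    if offline and not bungeecord_enabled(spigot_yml):
        findings.append("online-mode=false but spigot.yml bungeecord is not true")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("local only", LOCAL_ONLY)):
        print(name, audit_backend(cfg, SPIGOT_YML) or "ok")
```

Binding to loopback only works when the proxy runs on the same host as the backends; with separate hosts, the equivalent control is a firewall rule that admits only the proxy's address to the backend ports.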