My server was hacked. [Exploit?]

Discussion in 'Systems Administration' started by DeletedAccount, Jan 4, 2015.

  1. Hello,

    I've been seeing so many servers hacked recently, I go out, come back and the server's been hacked. The server is in online mode, running the BungeeCord version below, and I can't log in to the server via the direct IP and port.

    [screenshot of the BungeeCord version]

    Here's what happened in order:
    • AdamEnglish logs in to my hub server and runs "/bungee" and "/server" - probably to check the version of Bungee.
    • AdamEnglish's IP at that time was: 146.185.28.212
    • AdamEnglish stays on the hub server not talking for 4 minutes then leaves.
    • AdamEnglish logs into creative directly with IP 127.0.0.1.
    • AdamEnglish leaves
    • Dinnerbone logs direct into creative (not possible usually) with the IP 127.0.0.1
    • Dinnerbone's UUID is 4d258a81-2358-3084-8166-05b9faccad80 and his skin is steve.
    • Dinnerbone doesn't chat for a while
    • User PJoke1 logs in to the hub server with IP 212.183.34.92 and asks why Dinnerbone is logged in
    • Dinnerbone starts talking
    • PJoke1 logs out
    • My players think he is fake and start questioning him
    • Dinnerbone is not in TAB and says stuff like: "You won't be able to see me on tab because I've been coded to not show in tab on 1.8".
    • One of my players asks for proof and Dinnerbone sends them this (this is a screen of his client on my server, as you can see there are no client modifications):
    • [screenshot of his client]
    • Dinnerbone acts like a real player, he tpa's to people, talks to people and tries to convince them he's a dev by saying stuff like "this x feature will be in 1.8.2" etc.
    • He issues no weird commands.
    • He says "I've got to go, I'm skyping Cristiano" and leaves the game.
    • An hour or so later my account logs in (I am actually watching a film at this moment) with the IP 46.166.186.217 and this message shows up in console:
      Code (Text):
      [10:54:17] [Server thread/INFO]: [Essentials] Found new UUID for EvenSafe789. Replacing 0adc9cdc-08ec-4c6e-b0a3-d7abd50a1e0d with c1f307ac-7259-3286-8588-da16888daba7
      [10:54:17] [pool-13-thread-1/INFO]: Creating empty config: plugins/Essentials/userdata/c1f307ac-7259-3286-8588-da16888daba7.yml
      This must mean it's offline mode I guess.
    • The thing that's also odd is he logged in at the world named "world" which isn't the default spawn point.
    • My account issues commands like "/v" and "/gmc" and doesn't talk to anyone.
    • My account disconnects.
    • My account reconnects with the IP 184.75.223.58
    • My account never chats, it only TPs to people and nothing else.
    • It gets kicked for spam.
    • It logs back in with the IP 184.75.221.82.
    • The staff start getting nervous and run IP checks on me but can't ban as I have *.
    • My account logs out and logs back in with 162.219.179.79
    • Agueroooo16 logs in with the IP 82.47.65.249
    • My account types /p reset and clears the spawn.
    • Agureoooo16 types /spawn probably to see the damage.
    • Agureoooo16 says "the spawn is gone"
    • My account switches to the games server
    • Cristiano tries to log in, but I see the kick message in console because we banned the IP 127.0.0.1, he tried to log in to creative via 127.0.0.1.
    • They all log out, and get banned... that's the end.
    I did some more checks... I ran the IP-Check command on localhost and got this:
    [screenshot of the IP-check output]

    There may be more to this story, it's hard to look at the log files for 3 servers and a proxy and sift through them to find the stuff.

    No one was added to ops.json, and none of those players had *.

    - Even
     
    #1 DeletedAccount, Jan 4, 2015
    Last edited: Jun 20, 2015
  2. Had the same problem before and discovered what the problem was. Can you post your spigot.yml file?
     
  3. Do you block the Ports using IPTables?
     
  4. Have you attempted logging into one of your offline-mode servers directly?

    This could be an issue with you improperly securing your server back end.
     
  5. Code (Text):
    # This is the main configuration file for Spigot.
    # As you can see, there's tons to configure. Some options may impact gameplay, so use
    # with caution, and make sure you know what each option does before configuring.
    # For a reference for any variable inside this file, check out the Spigot wiki at
    # http://www.spigotmc.org/wiki/spigot-configuration/
    #
    # If you need help with the configuration or have any questions related to Spigot,
    # join us at the IRC or drop by our forums and leave a post.
    #
    # IRC: #spigot @ irc.spi.gt ( http://www.spigotmc.org/pages/irc/ )
    # Forums: http://www.spigotmc.org/

    config-version: 8
    settings:
      save-user-cache-on-stop-only: false
      bungeecord: true
      late-bind: false
      sample-count: 12
      player-shuffle: 0
      filter-creative-items: true
      user-cache-size: 1000
      int-cache-limit: 1024
      moved-wrongly-threshold: 0.0625
      moved-too-quickly-threshold: 100.0
      timeout-time: 60
      restart-on-crash: false
      restart-script: ./start.sh
      netty-threads: 4
      attribute:
        maxHealth:
          max: 2048.0
        movementSpeed:
          max: 2048.0
        attackDamage:
          max: 2048.0
      global-api-cache: false
      debug: false
    messages:
      whitelist: You are not whitelisted! The server is under construction.
      unknown-command: Command not found! Type '/help' for help.
      server-full: The server is full!
      outdated-client: Outdated client! Please use 1.8
      outdated-server: Outdated server! I'm still on {0}
      restart: The server is restarting
    commands:
      tab-complete: 0
      log: true
      silent-commandblock-console: false
      spam-exclusions:
      - /skill
      replace-commands:
      - setblock
      - summon
      - testforblock
    stats:
      disable-saving: false
      forced-stats: {}
    world-settings:
      default:
        verbose: true
        entity-activation-range:
          animals: 32
          monsters: 32
          misc: 16
        entity-tracking-range:
          players: 48
          animals: 48
          monsters: 48
          misc: 32
          other: 64
        hopper-alt-ticking: false
        ticks-per:
          hopper-transfer: 8
          hopper-check: 8
        hopper-amount: 1
        random-light-updates: false
        save-structure-info: true
        max-bulk-chunks: 5
        max-entity-collisions: 8
        dragon-death-sound-radius: 0
        seed-village: 10387312
        seed-feature: 14357617
        hunger:
          walk-exhaustion: 0.2
          sprint-exhaustion: 0.8
          combat-exhaustion: 0.3
          regen-exhaustion: 3.0
        max-tnt-per-tick: 100
        nerf-spawner-mobs: false
        growth:
          cactus-modifier: 100
          cane-modifier: 100
          melon-modifier: 100
          mushroom-modifier: 100
          pumpkin-modifier: 100
          sapling-modifier: 100
          wheat-modifier: 100
        anti-xray:
          enabled: true
          engine-mode: 1
          hide-blocks:
          - 14
          - 15
          - 16
          - 21
          - 48
          - 49
          - 54
          - 56
          - 73
          - 74
          - 82
          - 129
          - 130
          replace-blocks:
          - 1
          - 5
        mob-spawn-range: 4
        item-despawn-rate: 6000
        merge-radius:
          item: 2.5
          exp: 3.0
        arrow-despawn-rate: 1200
        enable-zombie-pigmen-portal-spawns: false
        wither-spawn-sound-radius: 0
        view-distance: 4
        hanging-tick-frequency: 100
        zombie-aggressive-towards-villager: true
        chunks-per-tick: 650
        clear-tick-list: false
     
    How did you fix yours?

    I have no clue how to do this, but when I try and log into the direct IP and port it says "to enable ipforwarding please enable it in the bungee config" and doesn't let me in.

    If you mean the IP and port of the backend servers, then yes I have and it gives me the msg I described above.

    It's a very weird thing that happened, but what I wanna know is why the first guy who was hacking typed "/bungee" to check the version.
     
  6. People can create a BungeeCord on their computer and add your IP if they've done a port check, then connect to their BungeeCord which is offline-mode, change username - Done.

    You must use IPTables (Linux/Debian) or Windows Firewall to block the server ports, only allow BungeeCord's port (probably 25565).
     
  7. Wow, I didn't know that was even possible.

    How can I make it so 25565 only (I still want votifier, ssh, web etc. open) can be accessed via local or whatever it needs?

    I use CentOS 6.5.
     
  8. Yeah, do what @iksDeeh_ said or put your server's IP address in server.properties. (server-ip=<your IP here>).
     
  9. Replace 1.1.1.1 with your BungeeCord IP and the port range with the one you actually use.
    Code (Text):
    iptables -A INPUT -p udp --src 1.1.1.1 --dport 25000:25500 -j ACCEPT
    iptables -A INPUT -p udp --dport 25000:25500 -j DROP
    iptables -A INPUT -p tcp --src 1.1.1.1 --dport 25000:25500 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25000:25500 -j DROP

    Twice as many commands as needed because I can't remember if Minecraft is TCP or UDP
     
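    The rule set below is an added example, not code from any poster in this thread or from the Spigot project. It carries the idea of posts #6 and #9 through as a script: the backend port range is closed to everyone except the proxy, and a second function reads an `iptables -S INPUT` listing and reports whether that is actually the case (a pre-existing ACCEPT earlier in the chain would otherwise make the DROP useless). `1.1.1.1` and `25000:25500` are the placeholders from post #9, not real values; Minecraft is TCP only, so the UDP rules are left out. The listing in `LEAKY_LISTING` is constructed for the check.

```shell
#!/bin/sh
# Added example (not from the thread): lock the Spigot backend port range down
# to the BungeeCord proxy. Assumed values: PROXY_IP is the proxy host and
# BACKEND_PORTS is the range the backends listen on (both can be overridden
# from the environment). Minecraft uses TCP only, so there are no UDP rules.
PROXY_IP="${PROXY_IP:-1.1.1.1}"
BACKEND_PORTS="${BACKEND_PORTS:-25000:25500}"

# backend_rules PROXY PORTS
# Prints the iptables arguments, one rule per line, so the set can be reviewed
# before it is applied. Order matters: iptables stops at the first match, so the
# proxy's ACCEPT must come before the catch-all DROP.
backend_rules() {
    proxy="$1"
    ports="$2"
    # A proxy on the same host reaches its backends over loopback; keep that open.
    echo "-A INPUT -i lo -j ACCEPT"
    # Packets of connections that were already accepted keep flowing.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the proxy may open a new connection to a backend port.
    echo "-A INPUT -p tcp -s $proxy --dport $ports -m conntrack --ctstate NEW -j ACCEPT"
    # Everyone else who finds a backend port is dropped. Ports outside the
    # range (the proxy's 25565, ssh, web, votifier) are not touched.
    echo "-A INPUT -p tcp --dport $ports -j DROP"
}

# apply_rules: feed each line to iptables (needs root). The rule text contains
# no glob characters, so leaving $rule unquoted is what splits it into arguments.
apply_rules() {
    backend_rules "$PROXY_IP" "$BACKEND_PORTS" | while read -r rule; do
        iptables $rule
    done
}

# check_rules PROXY PORTS < listing
# Reads `iptables -S INPUT` output on stdin and returns 0 only when the backend
# range ends in a DROP and every ACCEPT for it is restricted to the proxy.
check_rules() {
    proxy="$1"
    ports="$2"
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q -- "--dport $ports -j DROP" || return 1
    # An ACCEPT for the range without "-s PROXY" means anyone can still connect.
    if printf '%s\n' "$listing" | grep -- "--dport $ports" | grep -- "-j ACCEPT" \
            | grep -v -- "-s $proxy" | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed listing (not from the thread) of a backend range that is still
# open to everyone: an earlier ACCEPT shadows the DROP that follows it.
LEAKY_LISTING='-A INPUT -p tcp -m tcp --dport 25000:25500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25000:25500 -j DROP'

case "${1:-}" in
    apply) apply_rules ;;
    check) iptables -S INPUT | check_rules "$PROXY_IP" "$BACKEND_PORTS" \
               && echo "backend range is proxy-only" ;;
    *)     : ;;   # no argument: only define the functions
esac
```

    Run it as `PROXY_IP=<proxy> sh lockdown.sh apply` on the backend host, then `sh lockdown.sh check` to confirm the chain really ends in the DROP; the `check` subcommand is what tells you whether a rule left behind by an earlier setup still lets the whole internet reach the backends. Because the rules use `-A`, they go to the end of the chain; on a host with an existing permissive rule set, insert them at the top (`-I`) or flush the chain first, and save them with the distribution's iptables persistence so a reboot does not reopen the ports.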
  10. http://wiki.centos.org/HowTos/Network/IPTables
     
  11. Minecraft is always TCP.
     
  12. @EvenSafe I think it's against the Spigot rules to include IPs.
     
  13. So where it says this currently
    Code (Text):
    server-ip=0.0.0.0
    actually change it to my IP from OVH on every server and in the bungeecord config where it says
    Code (Text):
      host: 0.0.0.0:25565
    Should I also change the actual parts where the servers are defined from localhost:port to realip:port?

    Instead of doing that and me risking screwing something up, is it ok if I do what @Lubenica suggested - will that be fine?
     
  14. I don't know, if you feel like you can try. Make sure to test later.
     
    #15 Externalizable, Jan 4, 2015
    Last edited: Jan 4, 2015
  15. Confirmed.
     
  16. Someone told me Dinnerbone was on that server, I went on to see but shortly after that I was like "nope, thanks for trolling"
     
  17. Yes, for example if your server's IP is 1.123.123.123, you will change
    server-ip=0.0.0.0 to server-ip=1.123.123.123 in all your servers in server.properties files.
    Also, put in your BungeeCord's config your IP.
     
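    The audit script below is an added example written for posts #13 and #17, not code from any poster or from Spigot or BungeeCord. It reads a backend's `server.properties` and the matching entry under `servers:` in the BungeeCord `config.yml` and classifies the setup: a backend whose `server-ip` is loopback can only be reached by a proxy on the same host (which the `localhost:port` entries in post #13 imply), while an empty `server-ip`, `0.0.0.0`, or a public address such as the one post #17 suggests leaves the port reachable from outside and still depends on the firewall. The sample files it writes are constructed; the hosts and ports in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit how a Spigot backend is bound and
# how the BungeeCord proxy reaches it.

# addr_class ADDRESS -> loopback | wildcard | routable
# An empty server-ip means "all interfaces", which is the same as 0.0.0.0.
addr_class() {
    case "$1" in
        ""|0.0.0.0|"::")               echo wildcard ;;
        127.*|localhost|"::1"|"[::1]") echo loopback ;;
        *)                             echo routable ;;
    esac
}

# backend_bind PROPERTIES_FILE -> value of server-ip (last one wins, CRLF stripped)
backend_bind() {
    sed -n 's/^server-ip=//p' "$1" | tail -n 1 | tr -d '\r'
}

# proxy_target CONFIG_YML SERVER_NAME -> host part of that server's address.
# Finds "  NAME:" under servers: and the first "address:" indented below it.
proxy_target() {
    awk -v name="$2:" '
        $1 == name                 { in_srv = 1; next }
        in_srv && $1 == "address:" { print $2; exit }
        in_srv && /^  [^ ]/        { in_srv = 0 }
    ' "$1" | sed 's/:[0-9]*$//'
}

# audit_backend PROPERTIES_FILE CONFIG_YML SERVER_NAME
# prints loopback-ok | proxy-cannot-reach | needs-firewall
audit_backend() {
    bind=$(addr_class "$(backend_bind "$1")")
    target=$(addr_class "$(proxy_target "$2" "$3")")
    if [ "$bind" = loopback ]; then
        # Bound to loopback: safe from the outside, but the proxy must also
        # connect over loopback or it cannot reach the backend at all.
        [ "$target" = loopback ] && echo loopback-ok || echo proxy-cannot-reach
    else
        echo needs-firewall
    fi
}

# write_samples -> directory of constructed files (not from the thread) that
# exercise every result; addresses and ports are placeholders.
write_samples() {
    dir=$(mktemp -d)
    printf 'server-ip=127.0.0.1\nserver-port=25566\n' > "$dir/creative.properties"
    printf 'server-ip=0.0.0.0\nserver-port=25567\n'   > "$dir/games.properties"
    printf 'server-port=25568\n'                      > "$dir/hub.properties"
    printf 'server-ip=127.0.0.1\nserver-port=25569\n' > "$dir/lobby.properties"
    cat > "$dir/config.yml" <<'EOF'
listeners:
- host: 0.0.0.0:25565
servers:
  creative:
    motd: creative
    address: localhost:25566
  games:
    address: 127.0.0.1:25567
  hub:
    address: 192.0.2.10:25568
  lobby:
    address: 192.0.2.10:25569
EOF
    echo "$dir"
}

# Usage: sh audit.sh <server.properties> <bungee config.yml> <server name>
if [ $# -eq 3 ]; then
    audit_backend "$1" "$2" "$3"
fi
```

    `needs-firewall` is the state the victim's servers were in: every backend answered on all interfaces, so a port check plus a private offline-mode proxy was enough to get in. Binding to the public IP as post #17 suggests changes the class of the address but not the result, so the firewall rules from the earlier example are still required in that case.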
  18. Well, if it is then I'm sure the spigot mods will remove it.

    Who..?

    Ok, I'll do that in a moment.
     