Possible bukkit/spigot permissions exploit

Discussion in 'Systems Administration' started by invincible64, Dec 20, 2014.

Thread Status:
Not open for further replies.
    • Agree Agree x 2
  1. I guess anything is possible, but it just seems so unlikely that we could have a injection like attack on our hands. What really worries me is you don't have any small unknown plugins that I could see containing something like a force op.
  2. Exactly and that is what worries me as well... And the fact that the same command (The "kneesnap works" message), is being used in both instances, sounds to me as if it's a string of text, that people can copy from somewhere on the internet.
  3. The text "kneesnap works" just can't be injection code of any sort. It has no attribute that would make it that. While like I said anything is possible, I am still leaning more towards our run of the mill force op plugin. Hopefully the OP posts his plugins soon.

    If it was text someone was copying from the internet I think it would be spreading like wild fire and Google would have found something, but it didn't.

    Edit: @Puharesource Do you run Multicraft?
  4. Well, of course "kneesnap" works, wouldn't really carry any attributes, however, there might be some other text, that does indeed make the console run the command, to send the player that message, where that message is just there to tell the attacker, that the server is vulnerable.

    And no, we don't use a Control Panel.
  5. My bad, I thought you were inferring "kneesnap works" was the injection code.

    I would suggest to check your SSH logs, but if your "hacker" was like the one the OP had, then he only typed /op to gain attention from the other ops... Which means he had op some how before that. So maybe he modified the op file it self? So some form of a SSH brute force or shell shock is possible. Check your logs, use the latest version of Bash, make sure your box wasn't exploited some how.

    I would like to hear @frash23 thoughts on this.
  6. We have already checked through the system, to see if anyone had connected, but with to prevail.
    Regarding a bruteforce attack, that would be rather hard as we've got Fail2Ban installed.
    Also, the last time we updated our system was about a week ago, though it's possible that an exploit has popped up since, I find it quite hard to believe that the attacker would of used that, to gain access to the entire machine. Not to mention, if the attacker had access to the machine, I think the damage that he did would of been way worse.
    • Agree Agree x 1
  7. My apologizes if this was resolved, but I just thought that I would point out that this is not likely the case at all, because the logs would show that another op or staff member issued the /sudo command, as shown below.
    "[23:46:41 INFO]: rocket0191 issued server command: /sudo tylerjrich op tylerjrich"
    • Agree Agree x 3
  8. How about you start by explaining what or who the fuck you are and why hacking my server is in your best interest.
    • Funny Funny x 6
    • Agree Agree x 1
  9. I sent you a PM with a list of my plugins. Knowing which one has the backdoor would be great.
  10. What the hell dude? Did you even read what I said? Let me quote it for you.
    In case that needs further clarification, I was pointing out that your friend that claimed that he might have been "/sudoed" was not.
  11. Thats your username. I assumed you were just another alt of this dude taunting me. Im getting a little paranoid.
    • Funny Funny x 1
  12. The line was taken from my own server. I simply copied that line from my server's console to show you what to look for in your console log. If you didn't find it in your logs, your "friend" was lying to you about being /sudoed.
  13. All I know is that every time I log off for an hour, I come back to see that my server has been conveniently destroyed by the hacker again. So Ill just keep restoring from the backup until this dude gets the message that I don't give a fuck and he/she will never take my server down forever. In the meantime, finding out which plugin has the malicious code would be nice not just for me, but for other people who might have the same plugin(s).
  14. Are you able to post a list of your plugins? That would help.
  15. Great now the hacker gets to see it:
    As far as I know, these plugins are reputable. If not, enlighten me.
  16. I'm not sure about PlgDisableCmd. A quick Google search brings me to a forum post on BukkitDev. I was unable to find an official BukkitDev page for the plugin and it seems like it's 3 years old. I would recommend getting a newer plugin.
  17. Out of the 3 years ive been running my server its never failed me... and if it had a backdoor it would have been exploited long ago. As long as it still works, ill keep it.
  18. This looks like a malcious plugin. If the user had console access, it wouldn't say "Ron__ issued server command: ...".
Thread Status:
Not open for further replies.