Possible bukkit/spigot permissions exploit

Discussion in 'Systems Administration' started by invincible64, Dec 20, 2014.

  1. So you won't even try to remove it to see if it resolves anything, just because you don't want to get rid of it?
  2. It's opped sending packets, I think so.., but I'm not sure who receives these packets. Check for a chat-related plugin.
  3. I decompiled PlgDisableCmd and it seems to be fine, time to look at a different plugin.
  4. Is RCon enabled?
  5. I doubt this is a legitimate exploit in Bukkit, why would the hackers target you and not i.e. Mineplex?
  6. Please upload the permissions.yml.
  7. Try to update Spigot; a recent issue has been patched. Although it could be a malicious plugin, if you have any way for the player to place a block in creative mode you may want to update.
  8. Nope.
  10. Try to remove all command blocks (or disable them in the server.properties file). Also don't forget to de-op and remove him from the whitelist afterwards.
  11. Sorry it was a false alarm.
  12. I can report that this has happened to someone other than you, and it is extremely bothersome: creative server with command blocks enabled, kneesap works.
    Are you running an offline mode server?
  14. Probably has something to do with creative mode.
  15. Bungeecord, servers are behind a hardware firewall with IP-based filtering.
    Have you enabled bungeecord in Spigot.yml?
  17. For now I have solved the issue by disabling command blocks. I was told by @Thinkofdeath that this is a vanilla bug, but that Spigot released an update that fixes this. For now all vanilla servers and servers not running a very recent Spigot update are at risk, if command blocks are enabled and any of their players are in creative mode.
  18. This just happened to my servers a few hours ago. Same guy, same message. All we know is that he did it from CommandBlocks in our Creative server, then he used a plugin we got for Bungee called CommandSync. There is no way to spawn Command Blocks, we don't understand how we did this. But I also believe it was something with Spigot that made him do this. I remember the @a, @p, etc. tags didn't work in Spigot, then it got fixed two weeks ago or so. I guess it's something around that.

    This guy broke so much and wiped our logs so we are unable to rollback everything. Hope we can get this issue solved somehow.
  19. On the protocol level a player can spawn in whatever block and whatever NBT data he wants if he is in creative mode. Previously there was nothing stopping non-op players from placing command blocks, but now it has been patched, so just recompile Spigot and non-op players can't do this anymore.
  20. For me it was the player "pokemaster879" that did this to me. You should still be able to get the logs from the logs folder; if they were wiped, I would be very interested to know how he did that without access to the control panel or your system.

    I did not ban the guy, and am waiting to see whether the problem is fixed. BTW I disabled command blocks in the server.properties, as I am the only person that uses them.
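
A configuration check for the settings raised across this thread (command blocks, creative mode, RCon, offline mode), as an added example that is not code from any poster or from Spigot. It assumes the standard `server.properties` keys `enable-command-block`, `gamemode`, `enable-rcon` and `online-mode`; the sample file contents and the severity labels are constructed for illustration.

```python
# Added example: audit server.properties for the risky combination described
# in the thread (command blocks enabled while players are in creative mode).
SAMPLE = """\
# constructed sample, not taken from any server in the thread
gamemode=1
enable-command-block=true
enable-rcon=false
online-mode=false
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of (severity, key, message) findings."""
    p = parse_properties(text)

    def flag(key, default):
        return p.get(key, default).lower() == "true"

    # Older files store gamemode as a number (1), newer ones as a name.
    # This is only the default mode; plugins can also grant creative.
    creative = p.get("gamemode", "0").lower() in ("1", "creative")
    findings = []
    if flag("enable-command-block", "false"):
        sev = "HIGH" if creative else "MEDIUM"
        findings.append((sev, "enable-command-block",
                         "command blocks enabled; disable them or update Spigot"))
    if flag("enable-rcon", "false"):
        findings.append(("MEDIUM", "enable-rcon",
                         "RCon enabled; check its password and network exposure"))
    if not flag("online-mode", "true"):
        findings.append(("INFO", "online-mode",
                         "offline mode; confirm the proxy and IP filtering are in place"))
    return findings

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"[{severity}] {key}: {message}")
```
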
