serious griefing that I can not stop

Discussion in 'Spigot Discussion' started by draexo, Oct 6, 2019.

  1. I have a server. I use BungeeCord and it hooks to several servers.
    Somehow, a user is logging in and, I believe, obtaining OPs.
    They somehow spoof their IP address to 1.1.1.1 or 127.0.0.1 or 169.x.x.x.
    I use LuckPerms, but they are able to bypass permissions, so I assume they are gaining OPs somehow.

    Normally, I just roll back with CoreProtect. This time, they destroyed the CoreProtect database - they reset it - before they did their griefing, so I am restoring from an off-site backup.

    I need help to be pointed in the correct direction to stop this. Originally, this user was placing TNT and I was rolling back with CoreProtect. Apparently, I had not stopped TNT with WorldGuard. Once I did, they nuked the entire lobby and CoreProtect.

    Any suggestions appreciated.
     
  2. 1. Did you set ip_forwarding to true in the config of BungeeCord and bungeecord to true in spigot.yml?
    2. Go to the server.properties and set the server ip to localhost.

    These methods should be enough to fix it. You don’t need an external plugin. But if you still want to use it, you can try OnlyProxyJoin or IPWhitelist. But as I said, you don’t need it.
     
  3. Yes, I have it configured this way. Maybe I will try one of these plugins. Somehow this person is getting OPs.
     
  4. Perhaps you have a plugin which gives the player op. Could be possible.
     
  5. Run OnlyProxyJoin / a similar plugin on every subserver or set up a firewall if you own a dedicated server.
    What the user is doing is connecting to a subserver using ->your.serverip:{subserver_port} with a cracked Minecraft launcher using your (or an opped player's) IGN.
    This is not fixed by the BungeeCord server software and requires a firewall or a plugin similar to the one I mentioned above to be fixed.
     
  6. I have a dedicated server. Will OnlyProxyJoin fix this or do I need to set up the firewall on my server or both?
     
  7. AFAIK you'll also need a plugin (like IPWhiteList or OnlyProxyJoin) or a firewall config for that. At least that's what I had to do several years ago. Setting bungeecord to true won't fix it, since hackers can simply run their own instance of BungeeCord and set it to connect to one of your backend servers.
     
  8. ok. I also demoted OP in server.properties, so even if someone gets it, they can not do much.
    No real reason to use it when I am running LuckPerms
     
  9. I considered this. Most of my plugins are from here or Bukkit directly and seem to be reliable. Most of them are also premium. However, there is one in particular I am questioning. Anyways, I need to examine the logs.
     
  10. I checked the logs. They kept getting kicked, but I do not know what plugin did it, but it prevented either of them from logging in. They did spoof my OP username and then granted OP to 2 other accounts that they used to grief. Once the accounts had OP, the accounts did not get kicked.

    I have reconstructed the server and put it back online. They were also stupid enough to share their YouTube account. They have a YouTube Minecraft griefing channel.
     
  11. It is a common case scenario where "hackers" (let's just call them skids that think they hack people) abuse this BungeeCord glitch. Upon BungeeCord startup there is a warning for this that recommends you should run a firewall to prevent this exploit from happening. Best way to negate this is a firewall or a plugin that prevents people from joining from ports (such as IpWhitelist, PreventPortBypass, etc.).
    These skids pretty much check new servers / servers tagged under the [bungeecord] tag and try to exploit the port glitch to gain some attention, nothing new. If you just set up your PreventPortBypass they will be forced to use the normal IP every time they want to log in, and by using the normal IP without any ports they will be automatically redirected to the highest priority server in your BungeeCord config (most likely your hub) and will not be allowed to join via cracked MC launchers (just like a premium server).
     
  12. As I wrote above, no need for external plugins.
    Just set bungeecord to true and ip forwarding to true and the server-ip on server.properties to localhost.
    By setting server-ip to localhost, you basically have your firewall.
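
The two backend-side settings named in posts 2 and 12 (`server-ip` in server.properties and `bungeecord` in spigot.yml) can be checked per subserver with a short audit. This is an added example, not code from the thread; the function names and the sample file contents are constructed for illustration.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_properties(text):
    """Read key=value lines from server.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def bungeecord_enabled(spigot_yml):
    """True if spigot.yml has 'bungeecord: true' under the top-level 'settings:' key.
    Minimal indentation-based reader, not a general YAML parser."""
    in_settings = False
    for line in spigot_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            in_settings = line.strip() == "settings:"
        elif in_settings and line.strip().startswith("bungeecord:"):
            return line.split(":", 1)[1].strip().lower() == "true"
    return False

def audit_backend(server_properties, spigot_yml):
    """Return a list of findings for one backend (sub)server."""
    props = parse_properties(server_properties)
    bind = props.get("server-ip", "")
    port = props.get("server-port", "25565")
    forwarding = bungeecord_enabled(spigot_yml)
    exposed = bind not in LOOPBACK  # an empty server-ip binds every interface
    findings = []
    if not forwarding:
        findings.append("spigot.yml: settings.bungeecord is not true")
    if exposed:
        findings.append(f"server.properties: port {port} listens on "
                        f"{bind or 'all interfaces'}; restrict it to the proxy with a firewall")
    if forwarding and exposed:
        findings.append("any host that can reach this port can present a forwarded identity")
    return findings

# Constructed sample files (not taken from the thread).
EXPOSED_PROPS = "server-ip=\nserver-port=25566\nonline-mode=false\n"
LOCAL_PROPS = "server-ip=127.0.0.1\nserver-port=25566\nonline-mode=false\n"
SPIGOT_YML = "settings:\n  debug: false\n  bungeecord: true\nmessages:\n  restart: bye\n"

if __name__ == "__main__":
    for name, props in (("exposed", EXPOSED_PROPS), ("local", LOCAL_PROPS)):
        print(name, audit_backend(props, SPIGOT_YML))
```
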
     
  13. You are right, I didn't notice you suggested him changing his IP to localhost, but still, sadly, that's not enough. You are still vulnerable to people logging in from cracked MC launchers with your name via a PORT. You are not secured without a firewall or an external plugin on all of your Spigot servers. Setting your IP to localhost will not solve the deal by any means. Setting your server IPs to localhost will still allow players to connect via a port. localhost:25565 is still xxx.xxx.xxx.xxx:25565 (for the host server) so your domain doesn't change. By setting your server's IP to localhost you have done baby steps regarding setting up a firewall. You still need to set up specific IPTables.
    I would not suggest using external plugins either because you're never safe without a firewall, but they will seal the deal most of the time.
    More info on how to set up a firewall can be found here -> https://www.spigotmc.org/wiki/firewall-guide/

    Note: I just tried logging via ports with ips set as localhost and you can still log with PORTS even without a domain.
     
  14. Question: How did they know my OP username? I am guessing they saw me on there flying around.

    Also, the plugin ExploitFixer available here will stop cracked accounts from connecting. That is why they could not connect initially with their accounts.
     
  15. A plugin such as ExploitFixer might not even be needed. As long as you have verified they cannot connect via ports or have a firewall set up, I don't think you need extra security. If you want to be 100% safe, force all of your staff members to set up 2FA or require authentication (/login) so if you ever get griefed they will not access sensitive accounts.
     
  16. The funny thing is... there are 10 people who know of this server. It is private. I was hoping to avoid griefing by being private. That did not work out well. No one has OPs. I did have OPs until this. Now there are no OPs, only permissions. I use it to kill time in creative and I have a few games set up - Eggwars and Core Arena - to occasionally play with friends. I like to play Skyblock, so I play that also. I have hundreds of users connecting with hacked accounts over the last few months. I can only assume the IP belonged to another server. However, if I ever get to the point of having staff, I will keep that in mind. Maybe even make an auth lobby or require registration on some online forum to activate the account. Thanks again for all the help.

    I checked logs this morning and someone logged in and was also immediately kicked for Flying.
     
  17. Exactly how do I verify that? All I know is that Prevent Port Bypass is running correctly. I have no way to actually test it myself unless I did the hack on myself. Ethical hacking they call that, correct? I could go taunt them on their YouTube channel and see if they attack again.
     
  18. Also, this might be considered necroposting since this has already been figured out, but I thought it would be a fun fact to say. Minecraft Monday was hacked the same way your server was because the administrator / developer team forgot to turn on the firewall and the hackers abused the port exploit (as stated by the Minecraft Monday administrator team on Twitter) some hours after this post.
     