Someone keeps hacking my server

Discussion in 'Spigot Discussion' started by BlokWhisperer, Jun 11, 2017.

  1. Hello,

    Someone keeps hacking my server and in the latest hack, they were able to delete the logs directory, all plugins and start the server with a new map.

    These are the plugins I have:
    Essentials
    Grief Prevention
    Holographic Displays
    PermissionsEx
    TimeVote
    Vault
    Worldedit
    Worldguard

    Pretty basic setup, default user doesn't have any extra permissions. Any thoughts as to how they are doing this?
     
  2. Are you running your server in offline mode?
     
  3. Check to see if anyone else has access to your server files / hosting service (multicraft/ftp)
     
  4. I'm not running in offline mode and I'm the only person with access. It's weird because earlier this month, someone hacked the server via some exploit with the Dispensator plugin, gave themselves op etc. I've since removed that plugin and cleared ops but (I'm guessing it's the same people) they found another way. :(
     
  5. Did you try to change the FTP password?
     
  6. I didn't yet, but I will now.
     
  7. If you are 100% sure you don't have more plugins than this, then there is no way for them to reset the map (they would need a plugin like multiverse for that), unless they have access to the server's files. Therefore it is safe to assume that they have access to the server files.

    There are multiple ways for them to get in:
    1: If you are on a shared host (aka you only have access to the minecraft server and nothing else on the machine) then your password might have been hacked, or one of the host's administrator accounts has been hacked (or the host is simply being a troll, and griefing you)

    2: If you own the machine it's running on, one of your accounts has been compromised, and you need to fix that urgently, possibly even reinstall the machine, as you don't know what they might have installed on it or had access to.

    If you need further help, you need to tell us who your host is
     
  8. This is a really strange idea but the OPSign and OPBook exploits work with Pex. Did someone give you a book or did you place a sign for somebody? Look who's OP.

    The book and sign exploits work like this: you gotta look in Pex if someone has OP perms. Removing OPs from the yml file doesn't always work
     
  9. Hey, if you can send me some of your machine's information through a private message
    I can try a few things I've learned as an owner, and see if your machine is vulnerable to common hacking methods.

    Information:
    IP:
    Port:
    Hosting:
    Platform: (Windows/Linux)
    Installation Type: Manual / Automatic (Did your server come pre-setup, or did you manually create it inside a Windows or Linux screen?)
     
  10. Hey... sorry, I just checked in this morning. I completely wiped the server via ftp and uploaded a fresh server with newly downloaded copies of plugins, reduced the plugins (Essentials, PEX and Griefprevention) and whitelisted the server. This morning I logged in and the server was no longer whitelisted and the logs directory is gone. It's got to be someone at the service provider. It's xenonservers.
     
  11. It is interesting, this user managed to op themselves and set themselves as "owner" in pex.
     
  12. Write to them, tell them what problem you are having, so they can get the correct security measures taken
     
  13. Did you check if there is a sub user on your account? They may not be logging into your account on your host, but a sub user account that they created using your account in the past.
     
  14. If the user is still opped, please post their username here. If you'd like to go through another host such as an OVH VPS SSD, for $7.50/4GB, I'd be glad to teach you how to set up a Linux/Ubuntu 14.04 machine with the basics; Java 8, Apache2 (Web Server), etc.
     
  15. BananaPuncher714

    Supporter

    Actually, have you downloaded any fishy software recently or opened any strange webpages? The most likely thing is that someone installed a keylogger and found out your server credentials and used that to "hack" you.
     
  16. If you copy the files from pex, yeah the person still has op perms... I really think someone with the wurst book and sign exploit did this
     
  17. Never give your ingame character permissions capable of managing a server to the file-level. If you're a security freak, everything should be done through SSH and SFTP. If you could try to completely wipe your current account registered as an owner from all the databases and observe what's happening to the server through a dummy account, that would be useful. When there's no physical way of obtaining a powerful account with all the perms granted and the said player still manages to hack your account, this comes down to a host problem. If they manage to do such a thing, you should reconsider installing some measures against third party individuals trying to gain unauthorized access to your host machine, eventually hacking you and making you post these threads. Do what I said earlier, let me know how it does. If it still happens, tell me and we'll continue this conversation.

    Good luck!
     
  18. Change all your server passwords, make sure none of the plugins have backdoors. Have you tried IP banning the person who is hacking your server? Try asking your server host support for help.
     
  19. What OS are you running anyway? OS and version and all that? Might want to be wary of local exploits too. Main reason I run FreeBSD: keep the whole Minecraft service inside a jail (virtual instance) where it can't do any damage. Heck; you can even set it up that the process can create files (logs) but not delete 'em.
     
  20. Are you using BungeeCord?
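
The checks the replies above ask for (offline mode, the whitelist being switched off, who is opped, the missing logs directory) can be run in one pass after each restore. This is an added example, not code from any poster in the thread; it reads the standard `server.properties` and `ops.json` files and does not inspect PermissionsEx's own permissions file. The sample directory and UUIDs are constructed.

```python
import json
from pathlib import Path

def read_properties(path):
    """Parse server.properties: key=value lines, '#' starts a comment."""
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_server(server_dir, expected_op_uuids):
    """Return findings for the symptoms reported in this thread."""
    root = Path(server_dir)
    findings = []
    props = read_properties(root / "server.properties")
    if props.get("online-mode", "true").lower() != "true":
        findings.append("online-mode is off")
    if props.get("white-list", "false").lower() != "true":
        findings.append("white-list is off")
    ops_file = root / "ops.json"
    ops = json.loads(ops_file.read_text()) if ops_file.exists() else []
    for entry in ops:
        # Compare by UUID: names can be changed, UUIDs cannot.
        if entry.get("uuid") not in expected_op_uuids:
            findings.append(f"unexpected operator: {entry.get('name')}")
    if not (root / "logs").is_dir():
        findings.append("logs directory is missing")
    return findings

def build_sample(root):
    """Constructed sample server directory (not data from the thread)."""
    root = Path(root)
    (root / "server.properties").write_text(
        "#Minecraft server properties\nonline-mode=true\nwhite-list=false\n")
    ops = [
        {"uuid": "00000000-0000-0000-0000-000000000001", "name": "OwnerAccount", "level": 4},
        {"uuid": "00000000-0000-0000-0000-000000000002", "name": "UnknownPlayer", "level": 4},
    ]
    (root / "ops.json").write_text(json.dumps(ops))
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        owner = {"00000000-0000-0000-0000-000000000001"}
        for finding in audit_server(build_sample(tmp), owner):
            print("FINDING:", finding)
```

A finding that reappears after a clean reinstall with changed passwords points at access outside the game server itself, which is the conclusion several replies reach.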