Spam attacked

Discussion in 'Server & Community Management' started by LiLChris, Dec 7, 2012.

  1. LiLChris

    LiLChris Retired Moderator
    Retired

    Seeing as this forum is still new, not sure how much we care to help each other with attacks.
    Hopefully posting this is ok, if not then sorry. md_5 :(

    Nobody has perms for italic/bold/color chat:
    http://i.imgur.com/njLlM.png
    How was this possible, and can it be prevented?
    Sadly I thought he was a fool like 99% of the "hackers, spammers, reviewers"

    Spammed chat messages, looks like it came from Wiki. :confused:
    http://pastie.org/5491836

    List of IPs we grabbed from the attack.
    http://pastie.org/5491843

    Some of the server log
    http://pastie.org/5491861

    Constant relog
    http://i.imgur.com/ruHwp.png



    Didn't suffer through lag though, TPS was 20 :D
    We had 60ish players before the bots joined in, and luckily TPS was steady 20.
    I gave all my members some money to make up for that, hopefully it was enough...
     
  2. Wish I had those on my server, those were some interesting facts..
     
    • Agree x 1
    • Disagree x 1
  3. Puremin0rez

    Moderator

    NoCheatPlus should deter bot attacks like that, I've never had one so I've never put it to the test - but I know PWN4GE (the bot attack that was so popular awhile back) is pretty much stopped now by a few plugins.
     
  4. LiLChris

    LiLChris Retired Moderator
    Retired

    It did every so often, but most got through. (default config)
     
  5. md_5

    Administrator Developer

    This forum is for anything and everything related to Minecraft server administration. I won't bite, I promise.
    Going to move to server discussion though.
     
    • Funny x 3
    • Like x 1
  6. LiLChris

    LiLChris Retired Moderator
    Retired

    If you check some of those IPs they actually show up in SFS.
    http://www.stopforumspam.com/ipcheck/116.93.12.104

    Which gives me an idea: cross-reference SFS and block those IPs on the server, since my site is also preventing anyone listed in SFS from signing up. :)
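
An added example, not code from anyone in this thread: the cross-referencing idea from the post above combined with the constant-relog pattern from the first post, as a Python pass over server log lines. The login line format, player names, IPs and blocklist contents are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed login line shape (CraftBukkit-style); adjust the regex to your log.
LOGIN = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[INFO\] (\S+)\s?\[/(\d+\.\d+\.\d+\.\d+):\d+\] logged in"
)

def flag_ips(lines, blocklist, max_logins=3, window=timedelta(seconds=30)):
    """Return {ip: sorted reasons} for IPs that relog in bursts or are blocklisted."""
    recent = defaultdict(deque)   # ip -> login times inside the sliding window
    reasons = defaultdict(set)
    for line in lines:
        m = LOGIN.match(line)
        if not m:
            continue              # chat, disconnects, plugin output, ...
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(3)
        if ip in blocklist:
            reasons[ip].add("blocklisted")
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop logins older than the window
        if len(times) > max_logins:
            reasons[ip].add("relog-burst")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed sample data (documentation IP ranges, made-up player names).
SAMPLE_LOG = [
    "2012-12-07 20:15:01 [INFO] Steve[/198.51.100.7:50211] logged in with entity id 301 at ([world] 12.5, 64.0, -3.5)",
    "2012-12-07 20:15:02 [INFO] bot_a[/203.0.113.9:41000] logged in with entity id 302 at ([world] 0.5, 64.0, 0.5)",
    "2012-12-07 20:15:03 [INFO] bot_a lost connection: disconnect.quitting",
    "2012-12-07 20:15:04 [INFO] bot_a[/203.0.113.9:41002] logged in with entity id 303 at ([world] 0.5, 64.0, 0.5)",
    "2012-12-07 20:15:06 [INFO] bot_a[/203.0.113.9:41004] logged in with entity id 304 at ([world] 0.5, 64.0, 0.5)",
    "2012-12-07 20:15:08 [INFO] bot_a[/203.0.113.9:41006] logged in with entity id 305 at ([world] 0.5, 64.0, 0.5)",
    "2012-12-07 20:15:09 [INFO] bot_b[/192.0.2.44:39000] logged in with entity id 306 at ([world] 0.5, 64.0, 0.5)",
]
SAMPLE_BLOCKLIST = {"192.0.2.44"}  # e.g. IPs exported from a forum-spam list

def ban_list(lines=SAMPLE_LOG, blocklist=SAMPLE_BLOCKLIST):
    """IPs to ban, sorted, for pasting into a firewall or ban command."""
    return sorted(flag_ips(lines, blocklist))

if __name__ == "__main__":
    for ip, why in flag_ips(SAMPLE_LOG, SAMPLE_BLOCKLIST).items():
        print(ip, ",".join(why))
```

Shared or NATed addresses can trip the burst threshold during a restart, so tune `max_logins` and `window` against a normal day's log before banning on the result.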
     
  7. PhanaticD

    Patron

    When you get spambots connecting, do they all come to one point grouped together, like all standing at 0,0?
     
  8. LiLChris

    LiLChris Retired Moderator
    Retired

    No idea, I was just spamming the /ban command.
     
  9. PhanaticD

    Patron

    Okay, well I have made a CommandHelper script that bans anyone who is exactly at 0,0, haha. It works too.
     
  10. I programmed a plugin to disallow people from chatting if they're within 3 blocks of the server's default spawning position.
     
    • Agree x 2
    • Disagree x 1
  11. Puremin0rez

    Moderator

    I've actually seen a few servers do that and it's quite a great quick fix.

    If you don't want to do it with another plugin, and use WorldGuard, you can create a simple mini region in your spawn zone and deny chat-send (or something like that, it's a flag and it works because I use it for my jail :))
     
    • Agree x 1
  12. LiLChris

    LiLChris Retired Moderator
    Retired

    Yup, did that after this happened. ;)
     
  13. Want something better than DDoS protection? Costs no money at all?

    Turn off your server
     
    • Disagree x 11
    • Funny x 1
  14. LiLChris

    LiLChris Retired Moderator
    Retired

    What does this have to do with DDoS? :rolleyes:
     
  15. In this case, I recommend that you whitelist your server momentarily until the hacker stops sending this hacked account to your server.
    If your machine is responding correctly, you're not getting DDoSed.
     
    • Agree x 2
  16. LiLChris

    LiLChris Retired Moderator
    Retired

    It was a 1 time deal, I checked logs and his threat was not to post on PMC listing. o_O
     
  17. SuperSpyTX

    Supporter

    This is what my plugin's for, preventing these attacks from ever developing on your server.

    http://dev.bukkit.org/server-mods/antibot

    Classy thing to say.
     
    #17 SuperSpyTX, Dec 13, 2012
    Last edited: Dec 13, 2012
  18. Whoa. I had the exact same thing happen to my server, same guy too. I captured all the IP addresses and banned them. As far as I could tell he was using a bunch of stolen accounts. In total there were exactly 350 different IP addresses, and 1 IP address that he connected on. (Which I am going to assume is his actual IP address). I used nmap to scan his IP as well as some random IPs from the list and it looks like he has got a little botnet he's playing with.

    I used netcat and sent some garbage data back and forth to his IP vs one of the "bots", as I suspected the response from his IP is slightly different than that of the bots. So I think his IP is the command and control server. If I had more time (and frankly a little more experience) I'd look into reversing his botnet... you know... for fun.
     
  19. PhanaticD

    Patron

    It's proxies, not a botnet.
     
  20. =P Yes you're probably right.