Strange grief

Discussion in 'Systems Administration' started by gb_factory, Jul 21, 2018.

  1. Hello, today my server hub was griefed in a very strange way.
This is the part of the latest.log where the griefer gets the permissions: https://hastebin.com/xutidoqire.md

    I have a plugin that bans all people that get opped or get the permission *.
    But he can bypass the ban.
    Code (Text):
    [11:30:46] [Server thread/INFO]: [0;37;1mPermission "*" removed![m
    [11:30:46] [Server thread/INFO]: Banned player Sifilide
    [11:31:12] [Server thread/INFO]: Sifilide issued server command: //br sphere lava,bedrock 5
    As you can see in the log, he used WorldEdit to grief, but I don't have WorldEdit in my plugins.
    [screenshot]
    [screenshot]
    Code (Text):
    [11:31:12] [Server thread/INFO]: Sifilide issued server command: //br sphere lava,bedrock 5
    Later I found a really interesting thing in the directory of the hub server.
    [screenshot]
    Those plugins are there, but they aren't in the plugin folder. The time coincides with the time of the grief, so my theory is that the griefer uploaded those plugins in some way but used the wrong slash. The directory uses / but he used \, so those plugins remained here, but the actual plugins used for the grief, uploaded to the plugin directory, got deleted after the grief.
    So he uploaded those plugins and enabled them to grief and spam messages with WorldEdit.

    Another thing is why I got this spam of messages:
    Code (Text):
    [11:37:56] [Server thread/WARN]: [WorldEdit] Error while reading CUI init message: For input string: "[36mSense
    Sense
    Sense
    I really don't know how it's possible. Can someone help me?
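Added example, not code from the thread: a small Python scanner over latest.log lines in the format quoted above (console colour codes, "Banned player", "X issued server command"). It flags commands run by a player after that player was banned (the ban bypass described here) and "//" WorldEdit-style commands on a server that has no WorldEdit installed. The sample log lines are constructed for the example; the `worldedit_installed` flag is an assumption.

```python
import re
from typing import Dict, Iterable, List

# Strip console colour codes. The log quoted in this thread shows them with the
# ESC byte lost ("[0;37;1m"), so match both that form and the real "\x1b[0;37;1m".
ANSI_RE = re.compile(r"\x1b?\[[0-9;]*m")
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]+/(\w+)\]: (.*)$")
BAN_RE = re.compile(r"^Banned player (\S+)")
CMD_RE = re.compile(r"^(\S+) issued server command: (/\S+)(.*)$")

# Constructed sample, modelled on the lines posted above (not the real log).
SAMPLE_LOG = [
    '[11:30:46] [Server thread/INFO]: [0;37;1mPermission "*" removed![m',
    "[11:30:46] [Server thread/INFO]: Banned player Sifilide",
    "[11:31:12] [Server thread/INFO]: Sifilide issued server command: //br sphere lava,bedrock 5",
    "[11:32:00] [Server thread/INFO]: Steve issued server command: /spawn",
]


def analyze(lines: Iterable[str], worldedit_installed: bool = False) -> List[Dict[str, str]]:
    """Return findings in log order: 'ban_bypass' when a banned player still runs
    commands, 'unexpected_worldedit' for '//' commands when WorldEdit is not installed."""
    banned = set()
    findings: List[Dict[str, str]] = []
    for raw in lines:
        m = LINE_RE.match(ANSI_RE.sub("", raw.rstrip("\n")))
        if not m:
            continue  # not a standard server log line
        ts, _level, msg = m.groups()
        ban = BAN_RE.match(msg)
        if ban:
            banned.add(ban.group(1))
            continue
        cmd = CMD_RE.match(msg)
        if not cmd:
            continue
        player, command, _args = cmd.groups()
        if player in banned:
            findings.append({"time": ts, "player": player, "kind": "ban_bypass", "cmd": command})
        if command.startswith("//") and not worldedit_installed:
            findings.append({"time": ts, "player": player, "kind": "unexpected_worldedit", "cmd": command})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```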
     
  2. I didn't check the plugin list, but did you download an illegal/not self-paid version of a plugin? Because people sometimes add extra code and destroy your server.
     
  3. Have you tried to change your username and password from your host? Has this happened before?
    EDIT: From what I have seen on YouTube about "cashploit3", it is only possible to install if the user had access to your server or if you had a backdoor that gave him access.
     
  4. I saw the same thing. I doubt that someone has access to the server because I use a generated password with 16+ characters, and I changed the password yesterday, but the files are from today. I'm the only person that can access the server.
     
  5. Probably caused by the 1.8 server running in offline mode and not properly configured to be secure.
     
  6. Probably what mrfloris said.
    If you are running it on BungeeCord AND cracked, it's pretty unsafe, yes. If you are running on BungeeCord and online mode, maybe get a plugin like JoinOverBungee or IPWhitelist. There is a bug where you can join your server from another Bungee and get admin permissions.
     
  7. I know, and I also know that bug doesn't allow people to upload files to the server.
    And the BungeeCord bug on my server is fixed, and staff members can join ONLY from their premium launcher thanks to a plugin that does that.

    Another thing that I saw is that my PermissionsEx got changed with another one.
    [screenshot]
     
  8. Okay, wow. Wipe your server, I would say. You should probably check ALL plugins, and don't use any you don't know. Also change the server's password.
     
  9. Yes, I was thinking the same, but I will check only the date of the other plugins.
     
  10. Just dump the host you're with, set up from scratch, don't use leaked plugins, upgrade to 1.12.2, and review everything as you go.

    Nothing wrong with learning from the experience. Then thank the hacker for pointing out a flaw in the system and that it helped you improve your network. No need to mention him by name, he didn't do this the right way.
     
  11. @mrfloris I need to thank this hacker? For 3 days he's been spamming my console with a bug; when I got this bug fixed, he hacked into my dedicated server to install backdoors to use this bug again. I need to thank this person?
     
  12. No, that guy can go screw himself. What I mean with "thank him" is that he pointed out your stuff isn't sorted properly, and you can move forward more positively from this. Like I said, he doesn't deserve a mention by name for it.

    Assume the host is compromised; just get ya stuff, move to a new box, start fresh, and do a better job this time so he and others can't abuse it. In the meantime, I dunno if you guys are a company, but unauthorised computer access is still a federal offense. Ask a lawyer whether your logs about this are worth a case against this person to seek damages.
     
  13. I have a dedicated server from OVH, and next month I'll buy a different server, but is it possible that someone hacked into the server without knowing the password? I use generated passwords with 12+ characters; it's impossible to try all passwords and find that one.
     
  14. Loads of unauthorized access happens these days without knowing any password. An outdated WordPress instance can do the trick for injecting a shell.php file and running / uploading rootkits that way.

    Who knows what you've misconfigured or have running that you don't have to, or is outdated and can be exploited.
     
  15. Just to be clear:

    Why is the Minecraft server running, exposed to the public, as a full-fledged root:root user in the first place?
     
  16. Because I use the root account, but now I will configure another user.
     
  17. Strahan (Benefactor): Because people, on the whole it seems, don't really know what they are doing. No offense OP, not a personal dig, just a general observation :)