Constant connection attempts from a player called "cuute"
For the last couple of days I've had a constant disconnection feed from a player called "cuute", anyone know if it's a bot of some kind? Its IP has changed about three times now. For context, I only opened my server up a few days ago and have not advertised it anywhere other than my local discord.
Just for more information, we are a South African server and our discord only has South African players in it.
The IPs connecting are from the US and Netherlands - so definitely not one of our players
Yeah you're not alone, read up here https://discord.com/channels/348681414260293634/348681414260293635/1121640231356092467
Okay I see, I'll submit a ticket then
Will leave this open for now in case there's more information?
Resources:
Submit a ticket to the hosting provider here: https://www.tzulo.com/crm/submitticket.php?step=2&deptid=1
Drop the ip:
iptables -A INPUT -s 198.54.135.0/24 -j DROP
< Linux
More ips: https://discord.com/channels/348681414260293634/348681414260293635/1121653644505395220
bots have always been a thing, you could ban them and/or block their ips if you have a dedicated/vps/game server with firewall
Mmm.. the fact that they are using a VPN makes this incredibly more difficult.. because if others are using the same VPN then you'll end up blocking them as well. Fantastic.
Yep... Not sure what to do from here. AFAIK Mullvad is pretty privacy orientated, so I don't even know if they could do anything?
so far its been completely harmless on all my servers. Just make sure you have online-mode set to true
It's been... mostly.. harmless to mine too, just incredibly annoying because it spams logs both on the console and on my discord. I've noticed that when this nonsense happens it has interfered with users' ability to login from time to time. Not that my users have logged in for a while anyways
yeah, you might be able to filter out the discord messages using regex (idk what discord plugin ur using)
discordsrv
either way.... it did impact users in the past in my case.. so i'll need to block yet another ip range or two
I haven't encountered that yet
what is the impact of the bot thingy?
just a person who set up a bot, that goes thru every single ip (yes every single possible ip) and detects if it's a minecraft server, after attempts to connect (a LOT of times). The bot doesn't have an id (meaning it will fail to auth with minecraft). So if you're in online-mode, the bot can literally do nothing except spam.
Usually these bots are looking for someone specific (streamer/popular person) after scraping ur server info (like playerlist) it'll just go on its way.
This one is probably doing that, but also just tryna piss people off and spam after failing to join (or the dev of the bot is just bad)
i have yet to see what "cuute" has done to a server that isnt in online-mode, so i dont know its real intent
Yea, there were a couple other ones a little while back.. what.. a month or two ago now?
but pretty much the worst it can do to u, is spam try and join, and clog up the auth servers from ur ip (ur server is what checks mojang to validate an account, but there is a rate limit)
yeah @(mat) is notorious for these bots.. but hes completely harmless.
he'll join the server and then message and let people know if they have any invulnerabilities (all as a bot)
Hum.. interesting
Well... never came across the Mat one.. but there were two others and it was causing auth problems then.
yeah, they usually come and go. 99% of the time harmless
there are services you can get that'll do a better job at stopping these stuff
https://tcpshield.com/ never used this one, but i see it recommended a lot here
i believe someone posted a plugin that attempts to solve this... but there's like 100 of these exact threads so i can't remember where
(shrug)
I will say, the previous ones I dealt with at least used the same singular IP.. this one is using a couple ranges.
Having both a whitelist and online mode is at least keeping them from doing anything worse.
https://discord.com/channels/348681414260293634/1121343365850603530/1121459149532831928
i havent tested this or really looked into it
but someone rec'd it
Oo.. now that looks promising.
..ah.. damn. Im a Bukkit/Spigot server.
u dont have paper?
Nope.
upgrade bruh
literally u do nothing but replace ur server jar
and ur server runs 100x smoother
some plugins mite break... but i doubt
no harm in trying
considering the performance increase is insane
Yeah I think a few of my existing plugins would break
i really doubt it
And I haven't had any performance issues
paper is a fork of spigot
At least none to date.
so in theory
every spigot plugin works on paper
but yea, id atleast try (ALWAYS backup first tho)
......oh ffs.. seriously?
Paper forked Spigot which forked Bukkit? Yeeeeesh
yeah
paper 2x more popular
spigot is dying
feels like the only people that really use it are the old guard that are afraid of switching
that or they hate paper's patches
well if u dont mind waiting an extra week after updates, thats what purpur is for
You do gotta admit its annoying how they somewhat decide whats a "bug" and patch it with no option to enable it
ye.. i really dislike how they try and police
Also idk why ppl hate purpur
I usually either go for purpur or pufferfish, paper on test servers or rly small friend ones.
if you prefer some of the stuff like using silktouch spawners, controlling mobs or funny barrels then purpur is something worth using
btw this thread (the "cuute" bot) is brought up like 5+ times a day, any chance you're able to make a new thread with just info, then lock it so people can't type and pin it to the top so less people keep reposting
^
I'll add it to my TODO but tbh im pretty sure i was supposed to make a lil wiki page on r/admincraft about it but we ended up doing the protest + i wanted to do research on it
ah... well unfortunately i'm not a follower on the subreddit
tbh the only ppl that can see it are mods
oh ok
If i do end up updating the wiki i'll probs restrict it, wayback it then private it or something
Maybe just pin something temp for now - that you're looking into it etc...
@QarthO if you're interested
theres a server about the scanning lol
you want an invite?
sure
can dm
if your server host doesn't have console history and only displays the last 50 lines or so like mine, this bot wipes out console history.
I get this too
You should still have the latest.log file
Just a little update for some people. Here is a list of bot subnets I've collected so far and the commands to firewall them.
Is anyone still experiencing this? I haven't had 'cuute' attempt to connect for the past 17 hrs or so
they happen at random intervals
its cause the bots scan the entire IPV4 range basically and try to locate mc servers
I understand that, but before this silent period it was every few minutes for literal days and it just stopped suddenly
I'm still getting them, last one was about an hr ago
Can I get an invite?
Got a new one, name 'ServerSeeker'
May I get an invite too, I'm quite curious about the antics of cuute
no
That's me lol
Was about to ping you lol
Add 45.128.232.0/24, 31.13.211.0/24, 84.54.51.0/24, 193.35.18.0/24 (https://ipinfo.io/AS202685)
All of these belong to pfcloud, it's not like anyone uses their servers except for scanning
I use their servers for vpns >:(
you are basically a bot though
sorry
:aSob:
Oh yeah be sure to use banaction route if you go this route
Since iptables doesn't work if you use docker
Pun not intended btw
I also got connection from cuute via
162.33.178.0/24
and
176.58.106.0/24
Interesting that they are all from pfcloud as well - I have never checked but there was another bot a few months ago by the name of pfcloud/pfclown that used ips from that list. Likely the same person...
pfclown/pfcloud/original cuute is a different person, I know them
pfclown and pfcloud are two different people as well
Oh
I switched from an EU server to a US server and was pinged by a different user (used to be Cuute, now it's ServerSeeker). I'm sure it's been established it's based on geography, just thought I'd further cement it.
ServerSeeker is me. Cuute probably didn't discover your new server.
Be assured, ServerSeeker should not harass you, it only joins once a week if no players are online
Have you published any info about ServerSeeker?
I'm curious about the roles of server scanning bots in the mc ecosystem
It's a public discord bot, .gg/serverseeker
I don't want to advertise if not allowed, feel free to delete that if it's not allowed
Thank you for sharing this information
iptables -I DOCKER-USER -s 0.0.0.0/24 -j DROP
iptables -I DOCKER-USER -s 0.0.0.0/0 -j DROP
:trolley:
Ye i just use route
Bypasses iptables so its p fast