Admincraft•2y ago
Pingu

Constant connection attempts from a player called "cuute"

For the last couple of days I've had a constant disconnection feed from a player called "cuute". Anyone know if it's a bot of some kind? Its IP has changed about three times now. For context, I only opened my server up a few days ago and have not advertised it anywhere other than my local discord.
69 Replies
Pingu
PinguOP•2y ago
Just for more information, we are a South African server and our discord only has South African players in it. The IPs connecting are from the US and Netherlands - so definitely not one of our players
Pingu
PinguOP•2y ago
Okay I see, I'll submit a ticket then.
Will leave this open for now in case there's more information?
Resources:
Submit a ticket to the hosting provider here: https://www.tzulo.com/crm/submitticket.php?step=2&deptid=1
Drop the ip (Linux): iptables -A INPUT -s 198.54.135.0/24 -j DROP
More ips: https://discord.com/channels/348681414260293634/348681414260293635/1121653644505395220
Justin123
Justin123•2y ago
bots have always been a thing, you could ban them and/or block their ips if you have a dedicated/vps/game server with firewall
Rhys Kitikion
Rhys Kitikion•2y ago
Mmm.. the fact that they are using a VPN makes this incredibly more difficult.. because if others are using the same VPN then you'll end up blocking them as well. Fantastic.
Pingu
PinguOP•2y ago
Yep... Not sure what to do from here. AFAIK Mullvad is pretty privacy orientated, so I don't even know if they could do anything?
QarthO
QarthO•2y ago
so far it's been completely harmless on all my servers. Just make sure you have online-mode set to true
Rhys Kitikion
Rhys Kitikion•2y ago
It's been... mostly.. harmless to mine too, just incredibly annoying because it spams logs both on the console and on my discord. I've noticed that when this nonsense happens it has interfered with users' ability to login from time to time. Not that my users have logged in for a while anyways
QarthO
QarthO•2y ago
yeah, you might be able to filter out the discord messages using regex (idk what discord plugin ur using)
Rhys Kitikion
Rhys Kitikion•2y ago
discordsrv
either way.... it did impact users in the past in my case.. so i'll need to block yet another ip range or two
Rio
Rio•2y ago
I haven't encountered that yet. What is the impact of the bot thingy?
QarthO
QarthO•2y ago
just a person who set up a bot that goes thru every single ip (yes every single possible ip) and detects if it's a minecraft server, then attempts to connect (a LOT of times). The bot doesn't have an id (meaning it will fail to auth with minecraft). So if you're in online-mode, the bot can literally do nothing except spam.
Usually these bots are looking for someone specific (streamer/popular person); after scraping ur server info (like playerlist) it'll just go on its way. This one is probably doing that, but also just tryna piss people off and spam after failing to join (or the dev of the bot is just bad).
i have yet to see what "cuute" has done to a server that isn't in online-mode, so i don't know its real intent
Rhys Kitikion
Rhys Kitikion•2y ago
Yea, there were a couple other ones a little while back.. what.. a month or two ago now?
QarthO
QarthO•2y ago
but pretty much the worst it can do to u is spam try and join, and clog up the auth servers from ur ip (ur server is what checks mojang to validate an account, but there is a rate limit)
yeah @(mat) is notorious for these bots.. but he's completely harmless. he'll join the server and then message and let people know if they have any vulnerabilities (all as a bot)
Rhys Kitikion
Rhys Kitikion•2y ago
Hum.. interesting
Rhys Kitikion
Rhys Kitikion•2y ago
Well... never came across the Mat one.. but there were two others and it was causing auth problems then.
QarthO
QarthO•2y ago
yeah, they usually come and go. 99% of the time harmless
there are services you can get that'll do a better job at stopping this stuff
https://tcpshield.com/
never used this one, but i see it recommended a lot here
i believe someone posted a plugin that attempts to solve this... but there's like 100 of these exact threads so i can't remember where
Rhys Kitikion
Rhys Kitikion•2y ago
(shrug) I will say, the previous ones I dealt with at least used the same singular IP.. this one is using a couple ranges. Having both a whitelist and online mode is at least keeping them from doing anything worse.
QarthO
QarthO•2y ago
https://discord.com/channels/348681414260293634/1121343365850603530/1121459149532831928
i haven't tested this or really looked into it but someone rec'd it
Rhys Kitikion
Rhys Kitikion•2y ago
Oo.. now that looks promising. ..ah.. damn. I'm a Bukkit/Spigot server.
QarthO
QarthO•2y ago
u dont have paper?
Rhys Kitikion
Rhys Kitikion•2y ago
Nope.
QarthO
QarthO•2y ago
upgrade bruh
literally u do nothing but replace ur server jar and ur server runs 100x smoother
some plugins might break... but i doubt
no harm in trying considering the performance increase is insane
Rhys Kitikion
Rhys Kitikion•2y ago
Yeah I think a few of my existing plugins would break
QarthO
QarthO•2y ago
i really doubt it
Rhys Kitikion
Rhys Kitikion•2y ago
And I haven't had any performance issues
QarthO
QarthO•2y ago
paper is a fork of spigot
Rhys Kitikion
Rhys Kitikion•2y ago
At least none to date.
QarthO
QarthO•2y ago
so in theory every spigot plugin works on paper
but yea, i'd at least try (ALWAYS backup first tho)
Rhys Kitikion
Rhys Kitikion•2y ago
......oh ffs.. seriously? Paper forked Spigot which forked Bukkit? Yeeeeesh
QarthO
QarthO•2y ago
yeah
QarthO
QarthO•2y ago
paper 2x more popular
spigot is dying
feels like the only people that really use it are the old guard that are afraid of switching
well if u don't mind waiting an extra week after updates, that's what purpur is for
ye.. i really dislike how they try and police
btw this thread (the "cuute" bot) is brought up like 5+ times a day, any chance you're able to make a new thread with just info, then lock it so people can't type and pin it to the top so less people keep reposting
Pingu
PinguOP•2y ago
^
QarthO
QarthO•2y ago
ah... well unfortunately i'm not a follower on the subreddit 😦
oh ok
Pingu
PinguOP•2y ago
Maybe just pin something temp for now - that you're looking into it etc...
QarthO
QarthO•2y ago
sure can dm
OhSoGamer
OhSoGamer•2y ago
if your server host doesn't have console history and only displays the last 50 lines or so like mine, this bot wipes out console history.
wiw
wiw•2y ago
I get this too
Justin123
Justin123•2y ago
You should still have the latest.log file
Baezor
Baezor•2y ago
Just a little update for some people. Here is a list of bot subnets I've collected so far and the commands to firewall them.
iptables -I INPUT -s 213.136.71.0/24 -j DROP
iptables -I INPUT -s 18.159.108.0/24 -j DROP
iptables -I INPUT -s 20.4.48.0/24 -j DROP
iptables -I INPUT -s 185.156.46.0/24 -j DROP
iptables -I INPUT -s 207.244.245.0/24 -j DROP
iptables -I INPUT -s 191.255.70.0/24 -j DROP
iptables -I INPUT -s 3.71.50.0/24 -j DROP
iptables -I INPUT -s 198.54.135.0/24 -j DROP
iptables-save
stargate9591
stargate9591•2y ago
Is anyone still experiencing this? I haven't had 'cuute' attempt to connect for the past 17 hrs or so.
I understand that, but before this silent period it was every few minutes for literal days and it just stopped suddenly
QarthO
QarthO•2y ago
I’m still getting them, last one was about an hr ago
MonkeySaint
MonkeySaint•2y ago
Can I get an invite?
stargate9591
stargate9591•2y ago
Got a new one, name 'ServerSeeker'
Userofthinkpad
Userofthinkpad•2y ago
May I get an invite too, I'm quite curious about the antics of cuute
mat
mat•2y ago
no 😔
dami
dami•2y ago
That's me lol
Shrecknt
Shrecknt•2y ago
Was about to ping you lol
dami
dami•2y ago
Add 45.128.232.0/24, 31.13.211.0/24, 84.54.51.0/24, 193.35.18.0/24 (https://ipinfo.io/AS202685)
All of these belong to pfcloud, it's not like anyone uses their servers except for scanning
Shrecknt
Shrecknt•2y ago
I use their servers for vpns >:(
mat
mat•2y ago
you are basically a bot though sorry
Shrecknt
Shrecknt•2y ago
:aSob:
Deauthorized
Deauthorized•2y ago
Oh yeah be sure to use banaction route if you go this route
Since iptables doesn't work if you use docker
Pun not intended btw
lerokko
lerokko•2y ago
I also got connections from cuute via 162.33.178.0/24 and 176.58.106.0/24. Interesting that they are all from pfcloud as well - I have never checked, but there was another bot a few months ago by the name of pfcloud/pfclown that used ips from that list. Likely the same person...
dami
dami•2y ago
pfclown/pfcloud/original cuute is a different person, I know them
pfclown and pfcloud are two different people as well
lerokko
lerokko•2y ago
Oh
Userofthinkpad
Userofthinkpad•2y ago
I switched from an EU server to a US server and was pinged by a different user (used to be Cuute, now it's ServerSeeker). I'm sure it's been established it's based on geography, just thought I'd further cement it.
dami
dami•2y ago
ServerSeeker is me. Cuute probably didn't discover your new server. Be assured, ServerSeeker should not harass you, it only joins once a week if no players are online
Userofthinkpad
Userofthinkpad•2y ago
Have you published any info about ServerSeeker? I'm curious about the roles of server scanning bots in the mc ecosystem
dami
dami•2y ago
It's a public discord bot, .gg/serverseeker
I don't want to advertise if not allowed, feel free to delete that if it's not allowed
Userofthinkpad
Userofthinkpad•2y ago
Thank you for sharing this information 🙂
Justin123
Justin123•2y ago
iptables -I DOCKER-USER -s 0.0.0.0/24 -j DROP
Shrecknt
Shrecknt•2y ago
iptables -I DOCKER-USER -s 0.0.0.0/0 -j DROP :trolley:
Deauthorized
Deauthorized•2y ago
Ye i just use route
Bypasses iptables so it's p fast
