user somehow got op? [edit: glitched citizens npc]
does anyone know of any existing force op exploits? just had a situation occur a few hours ago. nothing to do with signs, books, etc - normal forceop exploits.
there’s a potential that it’s plug-in related, but I’ve done malware scans on my plugins and have spoken directly w the authors of plugins that might have been the cause.
for context: the user joined, accessed our playerwarps plugin.. and then was just opped.
server is not running offline, almost everything is properly updated. all plugins have been scanned for malware or potential vulnerabilities. we do not download anything from random people saying they made this plugin, etc (been at this for over 8 years.. bases are covered, I promise)
any ideas?
311 Replies
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close
!close
!solved
!answered
Requested by bdav0#0
are u behind a proxy
DNS is run through cloudflare
Not what he means
i meant proxy like waterfall/bungee/velocity
that’s it then lol
nope
just using purpur
forgot to add the “not on proxy” in context
are u using a host or vps/dedi?
dedi
if vps/dedi possibly grep all your log files for the player's name
to see all his commands/actions
we have CoreProtect.. just from the initial logs he joined for the first time ever, accessed /pw (playerwarps plugin) and then was op
but, I do need to check all of our files on the machine
haven’t had a chance to do that yet, I don’t quite have the keys to the full machine unfortunately
is it managed?
wrongly setup permission or an admin who is trolling?
none of that
no admin was online at the time, and all of our “opped” / full perm users are vetted and have proper access levels
and it’s not managed per se, I just don’t have the access I need to the machine rn
I mean I wish I had more information but we literally cannot figure this out
i would recommend possibly grepping/looking through the logs to see what he did
if its just playerwarps ig u gotta just wait for the authors answer
yeah he answered. asserts that it wasn’t his plugin
and it makes sense… but I have no clue at this point
can you send the plugin that you said he accessed so we can take a look at it
lucky for you, the author made it closed source and obfuscated it. :)
It’s PlayerWarps by Olzie
obfuscated free plugin
I’ve smoke tested it a bit and cannot see any feasible way the user would have gotten op like that
is a straight no
yep
I know lmfao
I’ve had this conversation twice today
wait what
thats allowed?
spigot doesnt really care about tos breaking plugins other than straight malware, paid plugins without public source is against gpl afaik
yeah thats just straight up not allowed on spigot
im saying spigots own rules
ah
nobody really cares abt gpl issues lets be honest
for the record, I’ve been told it’s obfuscated. haven’t had a chance to check for sure. but it’s def closed source
so maybe its "exceptional circumstances"
whoever told you was telling the truth
thought so
yeah haven’t had a chance to throw it in jdgui
wait no its allowed
its just name obfuscation technically
cause those arnet junk packages
those are just renamed
well there’s concerns with
this bit here
i doubt a dev would go out of their way to taint their name though when this plugin has been being made for so long
and for what to get op on a few servers
lol
what class is this?
uhh not super sure, like I said I haven’t explored it myself. that was just sent to me as I was having this conversation with other people earlier
also the standard spigot malware scan detects changing op
as in the one you probably used
the common one
it specifically flags setting op
SpigotMC - High Performance Minecraft
Spigot Anti-Malware
yeah that
yeah
well it wasn’t flagged
i think
maybe
I can share the results of that
did you get anything?
for the record: fUtils is a custom plug-in done by us as a work around for another plugin - we have since removed it since it’s not needed anymore, but I don’t think it was the problem anyway
https://bytebin.lucko.me/xRAzJvERGj
even with a deobfuscated one doesnt detect anything
looks fine to me
yeah I know 😭
i legitimately dont think theres some sorta crazy forceop exploit thats happened
or if it is then its not like a plugin thing it wouldnt make sense from your description and the malware scans from what i know
yeah using the term forceop here probably isn’t correct
like this is just too weird
did they like have op or just perms?
Exactly, if there was a forceop exploit it definitely wouldn't be used on a low profile server like yours before we've heard about it
i know for sure it wasn’t like a hacked client using some ass backwards way to get op.
but I also know for sure it wasn’t someone currently opped or with access to our machine / ptero panel opping the person
how do you know
wait ptero has logs
do you mind shareing the username maybe we can find something about him
check what changed the ops txt file
or whatever its called i forgor
yes
activity logs
give me a sec
ops.json
if it actually was op
Based on what @bd said in #general they have a backdoor
Check when the ops file was edited and send the latest.log of that time
nope
also i would reccomend disabling op anyways
i do not believe it to be a backdoor - unless some random public spigot plugin has a backdoor
for sure
It's almost guaranteed to be a backdoor plugin or one of your Admins messing with you
I forget exactly the way I identified it when this happened to me but there was some way that they avoided server logging by using some alternative chat format that gets intercepted by a plugin
oh yeah for sure
My money is on the former.
or a mixture of the two
One way to check this is download your server (in a VM), run it. Try removing plugins. If one of them magically gets reinstalled you know what happened
They usually install two plugins that reinstall each other
Not always but sometimes
its not a backdoor i dont think though
What anticheat do you use @bd
Spartan?
none lol
spartan is ouch
ill list my plugins right now
one moment
What's wrong with Spartan @ProGamingDk
oops
i think its an admin trolling honestly
support is monthly paid, it has meh detections, and very unoptimised
heres the user
Pastebin
Plugins (58): AdvancedEnchantments, AuctionHouse, AutomaticBroadcas...
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
list of active plugins
Yeah. Are there any places where the messages would all be logged
i mean, in the latest log
i can provide that from startup
Check that
Hastebin
Hastebin is a free web-based pastebin service for storing and sharing text and code snippets with anyone. Get started now.
heres a shortened version of it
Again, I forgot exactly where we found it when it happened to us but it was in some log file
i honesrly dont think its a backdoor
not exactly from startup - but i can provide that too
i dont think it is either
we dont download any plugins from random people nor do we find 'cracked' premium plugins.
all of our plugins made are either done by myself or someone else
just checked ptero logs - nothing indicates edits of our
ops.json except when an admin removed the user from itBro if this guy is abusing a backdoor he is the most innocuous hacker of all time
i mean
he literally barely griefed spawn
random people, "made by someone else"
¯\_(ツ)_/¯
does one of the names ring a bell:
Name History
5 GummyMango 6/17/2020 • 9:49:36 PM 3.0y Copy
4 TudiousTebes 4/13/2020 • 2:36:42 AM 65d Copy
3 Cheefu_ALT 4/13/2019 • 3:43:54 PM 1.0y Copy
2 Rowan_Artifex 2/18/2016 • 2:23:08 AM 3.1y Copy
1 kreepykidz Copy
hm?
Cheefu
3 Cheefu 7/17/2018 • 11:33:54 PM 4.9y
2 xXSuper_DerpzXx 6/18/2016 • 10:55:22 PM 2.0y
1 SuperDerpz
well i mean in the sense of, i dont just solicit random people to make plugins, nor do i accept plugins from people who say 'i made this plugin'
or any of these
What is that name history from
none of them tbh
namemc
namemc ?
That was what I said when it happened to me, then realized my coowner installed a random "anticheat" plugin from a discord dm 🤣
tbf, our server has been around for 6 years
....
Does anyone else have plugin install permissions
yeah, none of that lol. we vet all of our plugins and download from spigot exclusively
We or you
are u using a trust worthy dedi host
ovh
who has access to it if u dont
for context, i previously owned the server. i stepped down to focus on other things and gave my friend, who is a developer and works for shockbyte, ownership
at the moment, myself and him have console / ptero access - he has dedi access
no one else has dedi access
The thing that is a bit weird about this that makes me think it isn't the backdoor software that I've seen is that the commands are logged normally
ask him to check /var/log/auth.log (if ur on a debian based distro)
if the dedi uses password auth it could have been bruteforced
interesting..
that is a possibility
buuut
@bd Do you have command blocks enabled?
if that was the case... would we not see other issues
no
i would expect if someone bruteforced our machine... we would have bigger issues than the dude randomly having op and then breaking a few blocks in spawn
any datapacks?
we ipbanned him.. and that was that lol
negative
no dps
is his ip from a vpn or isp/residential
seemed to be residential isp. ill pull it again
GitHub
GitHub - lthoerner/sshy: [CISS 360 - Assignment 1] A simple script ...
[CISS 360 - Assignment 1] A simple script to make SSH login records easier to read. - GitHub - lthoerner/sshy: [CISS 360 - Assignment 1] A simple script to make SSH login records easier to read.
So you can parse it rq
Lol
well not entirely needed
99-181-19-171.lightspeed.rcsntx.sbcglobal.net
at&t corpas just seeing a login at all
is not good
No, just helps to cut down on all the garbage in
auth.logtrue ig
You should turn your SSH to key-only regardless
And no root access
^^
yeah... that im not sure about. idk what auth he has setup on the machine rn.
but again.. id expect more problems if our entire machine was compromised
also.. we're a small server
lol
/etc/sshd/sshd.conf I think
Something like thathe doesnt have dedi access..
nah, it's
/etc/ssh/sshd.confYes
That
His friend does
I only know because I get it wrong every time by trying that
well yeah
yeah, i mean he'll check these things once hes done working
i gave him a link to this thread
how up to date is your pterodactyl?
im just baffled. no one has ANY idea or any clue as to what happened
like wings version/panel version
not entirely sure. cant see that from the panel itself
if you have admin in the panel you can
where’s it located?
not sure if I am an admin actually
admin main page shows it here
I think my account is just for our server in the panel
yeah I don’t have full admin on ptero
😔
unfortunate, yes
I want to say it’s probably up to date
unless a version released in the past month and a half
we just switched to our dedi
You should definitely try removing plugins and seeing if they reinstall each other though. Or look for plugins which have a name you don't recognize
last CVE was in May
looking at the logs it doesnt look like he tried abusing it much and was wondering why he had perms:
We really do be responding to Minecraft cybersecurity incidents
right I know
that threw me off too
but that one only mattered if someone had access to pterodactyl
he acted like he had no clue what happened
I don't believe that for one second
But maybe I'm wrong
It would suck if I was
yeah
I mean
People say whatever. I don’t give too much credit to the user
who didn’t have op when they first joined then somehow had it
i mean if he wanted to abuse it why would he write that he has perms in chat
To cover for himself Idk
I wish we could have talked to the user more… but our gut reaction was “o fuk - ban”
When I caught the backdoor users in my server they acted clueless too
@bd Do you have bungeecord setup?
no
no proxies, not offline, etc
figured that would've been different anyways if you did, but worth asking
fair enough
we probably do need to disable op anyhow, to mitigate something like this. but that doesn’t answer the question of how this was accomplished
luckperms has a easy way to disable it luckily
(op)
yeah, likely if they can op themselves, they probably could give them luckperms permissions still
got our auth.log back
need to comb it. lots of fluff :/
ig
oops ping
what papi extensions do you have?
quite a bit. I can pull them if you think they may contain vulnerabilities
I mean, I've seen someone give themselves items with papi extensions before
checkitem
This is not 100% guaranteed to work because I made it for a school assignment lol
But it would be a good idea to try it at least
also tokenenchant had some sketchy shit in it and was obfuscated
I guarantee it is not a backdoor
but still got approved
for some reason -.-
wasn’t it listed on songoda tho
which is a rat hole
tokenenchant?
yeah maybe I’m thinking of something else
i meant tokenenchants papi extension lol
it was doing nms and accessing your player speed etc lol
and entities
ahhh gotcha
got it to get re-reviewed
lol
a free papi extension shouldnt be obfuscated with zelix klassmaster
more like
a papi extension shouldn't be obfuscated.
just found out that our console feedback gamerule was disabled. which is why we didn’t see any messages related to that person getting op from console 😅
yeah, still doesn't explain how he was opped without running a command
for sure. just thought about that. the only thing I can think is that in /pw there are chat based interactions that do not get logged in any way
what is /pw anyways?
so it’s possible there’s a compromise / vulnerability in the playerwarps plugin. but I was assured by olzie (the developer) that it should not dispatch any console / server commands
playerwaprs
Warps*
Configuration
Here you can view all the configuration and options for Player Warps.
The plugin connects to my webserver, if this webserver is offline or your plugin cannot access it, then the configuration files may not be updated or downloaded.This is also pretty sus imo if the web server gets hijacked.. configs can change. but I checked through the configs to try to find ANY sort of exploit or vulnerability. nothing came up
yea.. looked into it being dsrv too. we did notice some JDA error logs from dsrv shortly after they joined
you can find out of memory errors in those logs
thought that was interesting
no i think he was just pointing out he was willing to let you know/figure out what happened..
oh LOL that too
maybe we add them and talk to them
the only thing with the person wanting to “help us figure it out” is that we have NEVER had this happen before
if we were a new server and barely had an established community and didn’t have things tested properly - okay, I’d buy that they didn’t know what happened
but we have players on constantly using /pw and other commands… and have NEVER seen this
maybe its something diffrent and /pw was just the first thing they used afterwards
i think the logs show the timing - the distinction is the number before people’s rank tag. if you’re an op, it defaults to 0. if you’re a new user, it is 1
so they joined, said something, and they were level 1… meaning not opped.. ran /pw… said something again, and then their chat had level 0
I mean, it's possible that he might want to possibly help you? I know a while ago, I was bored and wanted to see if I could exploit an unprotected bungeecord network and after like 50 random servers on a random server list, found a network that didn't have required protection
snow ubuntu pro wants a convo with your bio
talked to the owner and helped him fix it
I was looking and there were a lot of errors around the time that he got op
discordSRV specifically I think, right?
it looked almost like it might have been like a buffer overflow(if they were attacking)
DiscordSRV was most of it
their was two others though
It also could have been that due to the plugins having memory issues it accidently assigned the wrong value(unlikely but possible) to the player(or they did something that caused it( intentionally or not)).
it’s possible I suppose. just seems like unhinged behavior
I was just bored, knew exactly how the attack worked, made a poc locally and wanted to see how long it would take to find a vulnerable server
could it be that simple though? I don’t see how anything like that could have happened - unless a plugin forces op for some reason. which something like citizens can or deluxe menus
bungee bypass is scarily easy
we use both, but both were not involved
we had a UUID spoof happen a LONG time ago on the server. moved off of bungee very quickly after that
velocity and modern forwarding + internal connections only
and ur goochi
well discordSRV can actually allow console control through discord which would mean it would have all the necessary code for it to do that 🤷but as I said its unlikely
Would you be willing to send me the IP so I can join?
try a few things
yeah, I modified bungeecord itself to pull it off when I did it, but I know clients could also do it, just wanted the simple solution
did they send anything in the discord in that timeframe?
i just ran a normal waterfall instance on a oracle cloud instance
sure, I believe discordSRV and player warps are disabled right now.
give me a second
just changing the config.yml to the target and ur done
yeah, I just also added a command to change my uuid/username while connected to bungee
meh meteor or prism does that for me so eh
the main issue is finding the owners username/a op person unless u have a server scanner
that logs that
ip is mcfriendly.us
is it latest version?
1.20.1 yes
Yeah, this is what I coded to do it
apparently I just made a bungee plugin
waterfall/bungeecord normal + meteor works fine for me
I believe skins were scuffed, but that's just bungee being bungee
well I know how to glitch your pw plugin
do explain 😂
lol
if you go into the search button
and then go out
it no longer works properly
oh yeah.. I noticed that. I almost wondered if that was the source
I couldn’t use the search function. it just defaults to nothing
doesn't appear to allow me to do anything
uh
?
I was stuck in the ah menu for a while
then it let me out
I couldn't find anything
the only thing is the search feature. I noticed after that person left.. it was broken
so I’m assuming maybe that was used in some way?
was it working before?
maybe not. not sure lol
it might just be broken in general
halflove is here oh boy
The thing I noticed is that the search feature doesn't return you to the right menu
ohhh gotcha
you can still actually search
and it works fine
in what way. cuz yes
they didn't /op themselves
logs and that users permissions
they just suddenly had perms
suddenly had op
he sent the log file
yes. no admins on at the time. logs show they weren’t opped and then opped
they had joined for the first time when it happened
or so the game said
again.. our console feedback gamerule was disabled. so we cannot see if there was a command somehow issued at server level
but there are no direct commands
shouldn’t what be in logs
most of the commands were still logged
maybe.. I’m not too sure about that. I would assume so
it should yeah
it’s almost like the ops.json was just edited. but we have NOTHING on that
I believe you’re right
it only disables in game feedback
yea
okay so it’s still logged in console. so wtf then
ye
the logs from earlier listed it as such and deop worked on him
yes
100%
wo reload yeah
Their were a lot of memory issues around the time the player got op
Plugin could add to ops.json without being logged
This screams backdoor to me
yeah… everything potentially points to plugin compromise
but would have to reload the entire server(which does get logged)
yes a whole reload needs to happen for thag
even if it was a plug-in
if its a memory exploit of some kind
all of our plugins have been scanned.. and vetted. I don’t think any of them have a back door that direct
maybe memory exploit
?
I should say.. they are still public plugins and are not 100% safe
Horses not zebras
If you look through the logs at the time of the person getting op their were a lot of errors relating to memory that potentially could have been related 🤷
Memory exploits are pretty rare, obviously not impossible but I doubt someone is BOFing your server lol
Just to
/give themselves 64 woodthey didn't do that...
.
at least not as a player in game
what would I be looking for specifically there?
Random question, does anyone outside your staff have the ability to view your config files
as in…? like panel access?
no
Like have you ever posted configs here, or anywhere else public
Not that I know of
yeah.. not to my knowledge. Even if they were, the information would be limited
nothing with IPs, sql database info, etc
need to look into voting more
haven’t even considered that a possibility
rcon-password=doesnt matter if rcon is disabled
Voting username code injection lol
if that’s the case.. wouldn’t we be able to see this ?
there were a bunch of errors with DiscordSRV-1.26.3 but the latest release form DiscordSRV i can find is 1.26.2
No
Not necessarily
I just use EssentialsDiscord instead
Snapshot maybe
looking into discordsrv rn
I think it was a snapshot
our snapshots are 1.26.3 right now
ah
@Halflove
definitely a snapshot trying to find the exact link from where i got it sec
edit definitely got it from snapshot.discordsrv.com by clicking the link to it on the DiscordSRV spigot page
no i just got here
looks like normal OOM stuff to me
OOM or pid?
Additional Configuration | Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
ive never seen a pid error knowing it was a pid error
i think that’s fairly safe to assume
that’s the gist. and yes, olzie asserts it wasn’t his plugin but I just don’t know
it’s closed source and uses a level of obfuscation as a free plugin
yeah that was sort of my conclusion
Fair enough. I’m just so surprised that we’ve only now run into this. We’ve been using that particular pwarp plugin for a WHILE now
What is Pw
Playerwarps?
command alias for player warps: https://www.spigotmc.org/resources/%E2%AD%90-player-warps-%E2%AD%90-%E2%9E%A2-let-your-players-set-warps-1-7-1-20.66692/
Ah
Yes
well. I’ve tried to reach out to the person on discord
I guess we’ll see where that goes
we cracked the case
the user clicked our NPC that runs this command, which has "run as op" set to true - and for some reason.. they never had op removed
lol
why did u have it set to run as op
honestly only reason i can think of is maybe it was used when testing it but never removed?
No one every clicked that NPC then !?
i am right now LOL
im actively talking to them - which led me to this conclusion
either way, glad it turned out to be something relatively simple (to fix), thank you everyone for your help
well, its crazy that it left them as op. we've used op: true for commands before - and recognized the risk but thought it would never cause something like this
obviously not now. that shits false
yes
they didnt lol, it was mistakenly set
are we meant to still be able to talk
yes