Problem with some hackers
sorry if this isn't the right place for this, im just out of ideas
So last night, a server I help run had multiple hackers (one who even advertised about it in their discord bio), we're a small community who doesn't want to really grow much more, but it appears that something happened, main notes about the attack, it was ~4 total people (though probably more, just this is who we found),
1st just griefed, and that was that (though going through the logs they appear to have posted a discord link, and presumably that's where all of them were)
2nd/3rd were paired, one did light griefing (set some fires), and the other was "helpful" (though clearly friends with the 2nd, who had a youtube page where they brag about cheating)
4th joined while we were troubleshooting. (namely with a whitelist enabled, both via /whitelist on, and enforce-whitelist=true)
biggest concern is that they were able to bypass bans (both ip, and normal, though the ip was likely a vpn of some type), as well as bypass the whitelist.
as far as we can tell the owner's account wasn't compromised, and they weren't showing up in the tab list, or even in the console, there were multiple instances of them being "on" the server like this (we were only able to see them due to dynmap, which let us see the user, and we were able to issue commands directed at them such as /tp which did move us to them)
they were also able to make others say things (which shows up in the logs as "[Not Secure] <player_name> example")
which they were able to do also while in this "online, but completely invisible" state, we had tested if maybe it was /vanish, but i was still able to be seen via the tab list (for the owner at least), but not on dynmap
we've tried reaching out to the hosting service, but they didn't provide anything we could use (a link to something we had setup)
the picture attached is the list of plugins (and afaik all that were enabled during this)
also going to add, currently our plan has ended up being the current server owner is stepping down (stress), and someone who's trusted is going to start a new server with the same world, but im just wanting to make sure that we set it up correctly, so that we don't face this again
Are you running an "offline-mode" server?
no? server properties shows "online-mode=true"
also, they were able to de-op some people, just remembered this
Are you running a modded/vanilla/paper server?
paper
Check your OP list and check if one of their accounts has this "*" permission on Luckperms (if you do have one)
other than that, they might be using a hack client with force op but idk specific clients that have those things but I'm aware that there are
where would i check the luckperms one? cause the ops list is only the 4 ppl who we should
check with lp editor and look for their names
ima be honest, idk what that is, all my previous experience w/ servers was setting up and self hosting for me and 1-2 other ppl, sorry, im tryna be as helpful for you to help me out as i can
is it in game we'd see it? or is it a file?
type it in console
then open the link provided
its just "lp editor" in console, correct? or smthn else?
they aren't even showing up in the luck perms?
did u download any pirated plugins?
or any plugins not from the official spigot/modrinth
and did u accept any plugins from someone directly instead of the official website
not as far as im aware, to my knowledge they were all from spigot, but i've tried asking, and server owner, and they said no.
would be best if the server owner were to answer these questions since they would kno
yee, unfortunately they aren't very technical, and are very stressed out :/
well players can't be op'd unless
someone with op or console access op'd them
  this could also mean someone leaked their account, or somehow got access to console
server is in offline-mode, etc
a plugin has a vulnerability
  you downloaded a pirated plugin, or a plugin from an unofficial source, or just a poorly made plugin
you gave permission to op themselves
  u unintentionally gave the permission via luckperms
alrighty, thx for the help, i'll see what we can find out