Hackers Opping Themselves

I have been forced to make this thread after using Google yielded no definitive results. What has been happening on my server is users are able to login and OP themselves straight away. Every day i remove several users that i have never heard of from my Ops.txt file. It is usually one person that is opping others. This is what it looks like in the console (The user BARAA is the default permission rank and has only just logged into the server for the first time:

2012-02-01 13:39:56 [INFO] BARAA: Opping gedaa
2012-02-01 13:58:01 [INFO] BARAA: Opping xxpado

Is this a known bukkit/Minecraft bug? It is very serious because it means that people can grief almost anything and pretty much do whatever they want. I have changed the WorldEdit config so that OP's cant get worldedit privellages but the OP's can still stop the server, ban people, mute people, kill people, use god mode etc. It seems to be the same hack as the one in this thread: http://www.minecraftforum.net/topic/829949-my-server-keeps-on-getting-hacked/
Information that is required in a help post below.

I do not know what OS or architecture my server is because it is hosted by BeastNode and I dont have SSH access. Same with Java version.

I am not using any Wrappers for the server, but the Beastnode CP (It is not a server wrapper from what I understand)

Using CraftBukkit recommended build #1846 R3 (MC 1.1)

I am not sure what command is being used to run the server, because I don't have SSH access and I use the CP to start/stop the server

I am using the plugins AuthMe, AutoMessage, Backup, BuyCraft, BuyMagic, Chat Manager, EasyBan, Essentials (Spawn, Protect), LagMeter, Minequery, PermissionsEX, Spamguard, Worldborder, WorldEdit and WorldGuard.

I am not getting an error but the message in console is:

2012-02-01 13:39:56 [INFO] BARAA: Opping gedaa
2012-02-01 13:58:01 [INFO] BARAA: Opping xxpado

I have tried: Using Google, looking for plugins, getting all admins to change their passwords, deopping and baning and IPbanning the original Opper

Using vanilla server i don't know because nobody stays on the server when it is vanilla and I do not want to leave it on vanilla for long enough for someone to try to use the hack.

I always update to the latest build when they come out.

This has happened since i started the server on 1.8, and i keep my plugins as up to date as i can

Hopefully this issue can be resolved, and please dont Flame me if there is an obvious stupid answer. Thanks

 

The forum post you linked to is from a guy that had his kid's computer hacked, he hosted the server on his kid's computer, that's why hackers could op themselves.
There is no proof of a flaw in Bukkit in regards to hackers opping. Your issue is different than his, he was claiming hackers could op out of nowhere.

Have you tried changing the password for the main host account?

What you can also do, is using a permissions plugin to give admins rights they need. And then just de-opping everyone. Make sure nobody but you has the right to op or change permissions from command.

Also use the free version of Malwarebytes to scan your computer, just to be sure.

 

I am using PermissionsEX for permissions and the server is hosted by a hosting company. I have changed my Minecraft password and asked all of the other Admins to change theirs (I know them IRL and trust them) And yes i have changed my Game Panel password and my FTP password to something secure that noone could guess. I am not keylogged or anything like that. EDIT: Also, there are not meant to be ANY op's on the server it is all meant to me through Permissions. However there are still people in the Ops.txt and they have permissions to use most commands (Except WorldEdit and WorldGuard because I set no-op-permissions to true)

 

install ipf.w

 

What does ipf.w do? and where can i get it? (I will look on google OFC but i might aswell ask)

Nope, can't find it.... What is it/what does it do?

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Provide a little more information, like on how to get this thing.

 

It's on a remote linux host

 

Have you tried setting

Code:

online-mode=true

 

Do you download plugins from a unofficial link?Sometime unoffical downloads conatin "virus" which allows hack client users to op themselves

 

I can't... Why would it help?

No I always use the official links from bukkit forums/bukkit dev

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Anyone can connect to your server as you now, or any other op. So it probably will help.

Also, you failed to understand me earlier:
1. Only YOU should be in op.txt, nobody else.
2. I meant to say you should run Malwarebytes on your own computer. That Linux host probably already has ClamAV for virus scanning, or at least it should.

 

As has been said, you really should have online-mode set to true. With it players can fake usernames.

 

If online mode is false, you need to get a plugin to not allow anyone to login as an admin's name...

 

what is means that online mode is false means that the server doesn't check for logins, so people can log in as any name. I do not know what the error you are getting is, but they may be somehow logging in as a player who has the permissions to op people and they may be opping themselves

 

Sorry I misunderstood you there. Nobody at all is in the Op.txt, because I use PermissionsEX for permissions. I have reinstalled my OS and have AntiVirus etc. software installed on my computer. The thing is that users can OP themselves from their own name (they are not logging in as an admin or using the console)

If people cannot log in as an Admin, how can they OP themselves from their own account (That has no admin permissions at all)

I already have this... The plugin is AuthMe. The thing is users that are OPing themselves are NOT logged in as an Admin. They can just OP themselves after they login on their own name, with no permission to do so. If the server is online-mode=false does that make the server more vulnerable in any other way than users being able to log in under different names?

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Uhm yes, its the only way to login (Without someone elses username/password)

 

There are only two reasons online-mode should EVER be set to false.
Minecraft.net is down. (And I don't do it when it is anyway
OR you pirated minecraft

Personally, I think if you're running a cracked server you deserve it.

 

+1

 

In my opinion kick the ones using pirated programs off the forums. we shouldnt have to deal with pirate complainers. Like my boi JimDaRulah said you deserve it.

Also EvilSeph there should be some type of tracking on bukkit to see if the program is legit or cracked. Make is so cracked users cant use bukkit.

 

But then there are legitimate times when you want online-mode: false (minecraft.net is down) It's not that easy. But yea, the argument is valid

 

I support this plan of action. You don't pay, you don't play.

 

http://xenforo.com/community/threads/minecraft-identity-service.15943/ ?

 

yes i 100% understand that you will need offline mode for when the minecraft.net is down but there has to be a way to know when the client is correct or not.

Bukkit should add methods for PlayerLoginEvent.

.isPremium();

Code:

public void onPlayerLogin(PlayerLoginEvent event){
Player player = event.getPlayer();

if(player.isPremium()){
//allow to connect
}else{
player.dissallow(Result.KICK_BANNED, " You are not premium");

 

Agreed. Then again, is kicing non-premium users in the scope of Bukkit?

 

I think so. Bukkit should be a priviledge to those that payed the extremely reasonable price for this amazing game.

 

http://www.minecraft.net/haspaid.jsp?user=kaise123

I bought the game.

So are you saying that it is because the server is 'offline mode' that the hackers can make themselves OP? Is there a way to stop people from faking names inside minecraft itself?

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Then set online-mode to true. There is absolutely no reason to have it off right now.

Yes, by turning online-mode to true. -_-

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

i think you just gave us devs a major break through. that link you posted is the key to understanding if players are legit.

"http://www.minecraft.net/haspaid.jsp?user=" + player.getName();

this would work but how would you phish a website to check?

Code:

String info;
String lines;
 
public void onPlayerLogin(PlayerLoginEvent event){
Player player = event.getPlayer();
URL address =new URL("'http://www.minecraft.net/haspaid.jsp?user=" + player.getName());
InputStreamReader pageInput =InputStreamReader(address.openStream());
BufferedReader source =newBufferedReader(pageInput);
 
while( info = lines.readLines();
if(info.contains(" true "){
player.allow();
//allow connect
}else{
if(info.contains("false"){
player.dissallow(Result.KICK_BANNED, " You are not premium");

EDIT: corrected bbcode f up

 

Not without online-mode true afaik

 

And have some sort of verification system to see if minecraft.net is down, if it's not down, the server should not be allowed to run in offline mode