[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

     
  1. Offline

    EvilSeph Retired Staff

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you login or need to login, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send it to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <you username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing. A malicious program designed to fool server admins into thinking their server is at risk, running to try it out and make sure they aren't. Then later finding their server has been attacked by someone with op because they know your username and password, and thus can op anyone they want on your server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down it spreading. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
  2.  
  3. Offline

    Kane

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Thankfully I just don't trust anything I ever see or hear but hopefully this will help out more the younger server admins and the ones that might be a bit more trustworthy to help prevent any issues with their future running of their servers.
    Juze likes this.
  4. Offline

    ZachBora

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I keep telling my people that such hacks is impossible, yet they keep using the words "he op hacked" when the person simply griefed or uses normal server command like /spawn. Reading the logs when these events occur convinced me people are gullible to an extend I didn't know was possible.
  5. Offline

    Echo4Sierra

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    So does this include Bukkit registered plugins? I hope this isn't a dumb question, but I'd atleast like to feel safe with any plugin that I downloaded from this site.

    edit: i guess what Im asking is if the Bukkit team/Mojang vet the plugins that get posted here before they go "live" ?

    This post has been edited 1 time. It was last edited by Echo4Sierra Mar 15, 2012.
  6. Offline

    Kanlaki101

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    @Echo4Sierra

    I pretty positive that every plugin/file uploaded to the forums/DevBukkit has been looked over by the staff, so that we don't have to worry about malicious plugins/features.
  7. Offline

    ZachBora

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    For all we know there could be a Plugin that did not boot you from being banned if you are a developper of said plugin.
    Some plugins contain a lot of code, so I doubt the approvers open the source of each of them to verify that it doesn't contain code like "if player.name = X then OP". Then again it could explain why some plugins take time to update on BukkitDev (Here I don't mean they do, I just mean it takes awhile for the dev to produce an update. I'm including myself).
  8. Offline

    Kanlaki101

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Ideas like that are the exact reason they do such a thing.
    They wouldn't offer a service, get lazy, and allow people to release plugins with malicious code added to it.
  9. Offline

    TheLimaBeanman

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I googled some stuff, found some on youtube. One that stand out of the fake 'OP' Plugin was from a griefing team called iCanHasGrief.
    I think we should Never install plugins that is NOT from bukkit.
  10. Offline

    Austin

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Damn, I did not even know things like this existed. Ill tell everyone I know about it.
  11. Offline

    eygptian

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    How do i know if my server is on online mode?
  12. Offline

    eygptian

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    in the properties, it says online-mode:true. if that meens that online mode is on, then how come the so called hackers could get op? does this meen someone who was opped betrayed the server? im confused, because u say people cant hack op in online mode, so how come they have op? can someone explain to me why they got op?
  13. Online

    Lolmewn Retired Staff

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    They can't. That's the whole point. If it's online-mode:false, then you might have a problem with this.

    This post has been edited 1 time. It was last edited by Lolmewn Mar 15, 2012.
  14. Offline

    HunterT

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I'm glad I wasn't a victim of this scam. I would have believed it and cried to Bukkit.
  15. Offline

    black_ixx

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    WTF ......
    1. Never install plugins, which are not tested/ not from bukkit
    2.Make backups of plugins and worlds
  16. Offline

    black_ixx

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    They gave the serverowner a plugin, which allows the command /meop (I think that was the command) With this, the became OP.
  17. Offline

    eygptian

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    My server was definatly on online mode. they still got op. all my plugins are from bukkit. so does this meen that someone who was given op that we thought we trusted has been opping the hackers?
  18. Offline

    Snipes01

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Why would a player be doing that? Also I'd only have one person be OP and not multiple. Using a permissions plugin, only one person really needs to be OP.

    edit to fix typos.

    This post has been edited 1 time. It was last edited by Snipes01 Mar 15, 2012.
  19. Offline

    Sexykorn

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Indeed. To add to this even in offline mode you can be perfectly safe with a plugin such as xauth/royalauth.
  20. Offline

    Cicadia

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    For those of you who are worrying about your server's security, I hope I can offer some assistance without being torn apart by security-savvy techs.

    - It would be preferred to run your server on a Linux system, behind a strict firewall, and not on an internal home network where other computers are present.

    - Always use DoS protection. Some devices list this as a feature, but as if! The more resources you have, the better off you will be. Never respond to ICMP pings. DoS is a very dangerous tool on the internet, and you have legal rights to incriminate those who do this to you (as far as US law goes).

    - Never "OP" someone unless you trust them to the extent of the privilege. I would have to say that 90% of the issues I have seen with server "griefings" are premature decisions in rank-ups.

    - It's the golden rule! Never allow guests to build, unless there are specific areas you-and your players-don't really care about.

    - Never allow OFFLINE mode, and if you feel a need to then use authentication protection like xAuth. (Just throwing a name out there, not supporting)

    - Always download plugins from the dev.bukkit.org website, and don't be fooled by embedded links into other download locations.


    I am a plugin developer myself, and security across any application is incredibly important. I can't stress it enough: If someone is determined enough, chances are they can get past security barriers. The trick is, you have to make it as difficult as possible for anyone who wants to try your system.

    Good day! Cicadia.

    This post has been edited 1 time. It was last edited by Cicadia Mar 16, 2012.
  21. Offline

    -_Husky_-

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I run in online mode, but personally, xauth can make your server safer then online mode. as only 1 user has 1 password. hence you can't get people stealing accounts :O
  22. Offline

    JJoHH

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    With such auth plugins such as AuthMe, xAuth etc. Think there MIGHT be a slight chance of them still hacking into us if i may say.
  23. Offline

    -_Husky_-

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    the Client Program can't "chat to" the server. unless a malicious plugin.
  24. Offline

    JJoHH

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    So you just need to worry about the plugins that you install?
  25. Offline

    ZachBora

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Usually people running those plugins have the server in Offline mode
  26. Offline

    Nathan C

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Thanks for clarifying this.

    There are too many kiddies out there running home-hosted, offline mode servers and just OPing everyone, instead of using permissions and then complaining of being "hacked".

    This post has been edited 1 time. It was last edited by Nathan C Mar 16, 2012.
    yttriuszzerbus and battlekid like this.
  27. Offline

    ZachBora

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I'm from planetminecraft, give me op
    PigOnGrass, TyrOvC, edragy and 3 others like this.
  28. Offline

    serban25

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Thanks for posting this! Maybe now there will be less comments about self op hack. Unfortunately not less of this: Hi im from planet Minecraft can i be op? I hate that so much XD. *Right after i posted this i saw someone say this comment right above me XD*

    This post has been edited 2 times. It was last edited by serban25 Mar 16, 2012.
    ZachBora likes this.
  29. Offline

    luckdemon

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I just watched that griefing video... funniest thing ever. But seriously, permissions was invented for a reason. And so was common sense.
  30. Offline

    ZachBora

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    I wish everyone had common sense.
    tyzoid likes this.
  31. Offline

    CombatWiZ

    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    Why not just remove the OP function? Let those people learn how to use Permissions...

Share This Page