[Security Bulletin] Do not test/run op gain exploit programs!

You don't know what I'm talking about:

I'm not talking about any plugins, all permissions plugins are good to some extent, I am talking about the default Bukkit permissions.yml without any permissions plugin.

I didn't realize that file even did anything. I've never heard of it being used or saw documentation on it.

That's because it's not very practical, which is what I've been trying to say the whole time lol

Ok. On that I agree with you.

An excerpt from the daily life of server owners:

lol i like the twist at the end...i could swear he was gonna get op'd!

Oh yeh i saw that vid... On some grief channel, it was goin round on MinecraftForums

uhhh idk that video I was just quotting what people say when they login to my server

Oh lol

Sorry you're wrong

Only in that it usually goes like:

Code:

E1it3H4x0r: hi im from planet
E1it3H4x0r: planet mc*
E1it3H4x0r has been banned for poor scamming skills

I dunno about everyone else, but unless I'm in a comical mood I just don't even care to hear the rest of the story.

I had one the other day that said he made bukkit, or maybe it was minecraft. I logged on and banned him.

lmao what a fail, rrr I hate noobs that don't even try to make it look good.


Anyway, why would anyone from Planet Minecraft join a server like mine? Where there are almost no players.
Anyway, meh never happened to me, and ill never believe that someone from PM will join ma server, lol.


Have a nice day

I won't even op someone from Planet Minecraft >>

I went on a server called killercraft (wich has online-mode:true) and this guy had a force op hack. I'm not making that conclusion by the fact he griefed or anything, he acutally opped himself and deopped a co-owner. (I do know that it is online-mode:true, because I tried to connect when I was playing MC offline and it said: Failed to login: Bad login) so force op hacks might work. Now nobody can connect for 'Internal server error'.

It's not because you write in Bold that you'll be taken seriously.

There's always the chance that the guy just stole an OP's info and logged in.

I've once had one of the admin get his account info stolen (his password was cheese >.>) and he opped a griefer. Then later that guy logged on and opped other people. There's no server hacks in anything that happened there and it resembles what our bold friend above said.

Not even I'm op and I own my servers. Just for security, no one is ever op. Very limited control. only one other person has admin rights to plugins, and even those are limited. Just easier and more secure. I break up task to moderators so that not one person could destroy the whole server, but only a small fraction if they realllllly really tried. No one but me has WE/WG editing. If they have an issues that what help tickets are for and a moderator to move the player if needed.



If that happens thank goodness for cloning my SSDs every 10 mins and SQL backups.

1. I always write in bold on the bukkit forums (except for now).
2. It turns out he hacked a friends account and pranked us.

#2 - Not to say anyone told you so, but....

Sorry guys, I really don't mean to contradict, however, at approximately 12:30 AM today, a hacker (username: samjd101) managed to gain Operator access to the server. I can confirm that the server was in ONLINE mode when the incident happened. He was also able to whitelist the server at will. We've IP banned and firewalled him, however, he keeps coming back (most likely with a proxy). Right before this happened, in the console, I see giant blocks of random IPs losing connection, and then the legit players lose connection.

Any help or answers you have would be greatly appreciated, as I've had to take the server down to prevent further damage.

1. Don't be careless with security
2. Get a plugin like NoCheatPlus and configure it to only let the /op command be used from the console

Thanks for the reply, although "Don't be careless with security" is pretty vague advice

Anyways, we've figured out the problem. Saturday night, a hacker used an exploit to gain Op access to the server, while it was running in offline mode (This was due to problems with the MC auth servers at the time). However, before we banned him, he opped one of his friends, who was the hacker in question last night.

Thanks for your time in any case!

You know what i love about greifers?
On your server they are the biggest pain in the arse to you.
But in real life, they are this guy from gradeschool

I had one like this the other day

It's much more fun with yours. If that happened, I'd check the source and I'd put a plugin with the same name that does nothing.

I didn't think of that until afterwards and was like "damn"

Another situation: