I would like to understand what these hackers are using to gain access to OP powers to go on a griefing rampage. Not for personal use, but from a server admin's view. I'd like to understand so I can try to help stop them.
I've been playing Minecraft for about a month now and ever since the 3rd day I've been running my own server. I love being an admin and giving players a safe place to build and developing a community.
A griefing occurred on my server and the username was Dotix1 with IP 69.117.82.244 (in case you want to ban).
He managed to re-arrange my jail spawn and grief for a good 25 minutes. The only other people in the server at the time were one regular user and one AFK OP.
I don't have the server.log anymore because I rolled back and restarted the server.
I have verify names set to TRUE.
I wasn't much bothered by this griefing because I have backups every 10 minutes.
I too am unsure how it's working - the only thing I could see being a problem was if the server software is forgetting to check admin permissions locally at some point.
Client tells the server that it is an OP and the server doesn't check if it was verified or -
Client tells the server it is someone else (for example I am logged in as Zuriki and I send a packet with Notch's signature that gives the /OP command to me).
That's some scary stuff right there. Unfortunately, I have no idea how to stop it.
At the end of the day it's the chair I trust
The cushion is comfy and the works don't rust
With a straight line of vision to my Elvis bust
Watch the kingdom, eat the bread crust
When a player logs in, the server sends them a value that determines if they are an Op or not. They are overwriting this value, allowing them to tell the client they are an Op and can destroy adminium. The server doesn't check when it gets the request to break it.
I fixed this on our custom server by checking if a person is an Op when trying to remove adminium, which was hilarious when a hacker came and tried our system and ended up getting kicked repeatedly. End solution is to poke Notch to do the same since it's only a small code fix for servers.
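The server-side check described in the post above, sketched as an added example that is not part of the original post or any real server's code: the class names, the block id and the kick-on-denial behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMINIUM = 7  # assumed id of the protected block type

@dataclass
class Session:
    username: str        # name verified at login
    kicked: bool = False

@dataclass
class Server:
    ops: set                                   # server-side op list: the only authority
    world: dict = field(default_factory=dict)  # (x, y, z) -> block id
    audit: list = field(default_factory=list)  # denied requests, for the admin to review

    def break_block_unchecked(self, session, pos):
        # "Before": the server relies on the client to refuse the action, so a
        # client whose local op value was overwritten is simply obeyed.
        self.world.pop(pos, None)
        return True

    def break_block_checked(self, session, pos):
        # "After": the op list is consulted on every request for a protected block.
        if session.kicked:
            return False
        is_op = session.username.lower() in self.ops
        if self.world.get(pos) == ADMINIUM and not is_op:
            session.kicked = True
            self.audit.append((session.username, pos, "adminium break denied, kicked"))
            return False
        self.world.pop(pos, None)
        return True

def run(handler_name):
    # Constructed scenario: one adminium block and one logged-in player who is not an op.
    pos = (0, 1, 0)
    srv = Server(ops={"admin_example"}, world={pos: ADMINIUM})
    player = Session("constructed_player")
    allowed = getattr(srv, handler_name)(player, pos)
    return allowed, pos in srv.world, player.kicked, len(srv.audit)

def op_can_still_break():
    pos = (0, 1, 0)
    srv = Server(ops={"admin_example"}, world={pos: ADMINIUM})
    return srv.break_block_checked(Session("Admin_Example"), pos)

if __name__ == "__main__":
    print(run("break_block_unchecked"), run("break_block_checked"), op_can_still_break())
```

The audit list gives the admin a record of who was denied and where, which survives even when server.log is lost to a rollback only if it is stored separately from the world data.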
This is a massive security oversight on Notch's behalf and he needs slapped wristies about it. I'm calling Elin.
Eh, it just happened again but I was there to catch it, he made a hole in the bottom of my spawn jail and let 2 suspected griefers out that I was keeping in jail. Starting to be a pain in the ass.
Just looking for a way to combat this.
Using the latest cMss modified by mail
Something like this.
Brandon_Heat 71.54.253.1