Today around 20:00 server time, which is +5:00 hours, my server's spawn jail was griefed. I was AFK at the time, but after scanning through the server log, I came across the following output:
19:37:47 /126.96.36.199 connected
19:37:47 /188.8.131.52 logged in as f09840985j098r809243809if092385j098728gj904368gfg987450985j94ge
Oh my... moments later...
19:37:55 [console] admins: say Rules:
-Rules snipped to save space-
19:38:02 Cara says: agree to them
19:38:06 f09840985j098r809243809if092385j098728gj904368gfg987450985j94ge says: No
But strangely enough, it didn't end there
19:38:56 Kicking XenonMan (/184.108.40.206): You logged in from another computer.
19:38:56 /220.127.116.11 logged in as XenonMan
You may have noticed that XenonMan logged in from the same IP address as mister garbletext. This player then proceeded to take over different players until he got to an op, at which point...
19:43:21 /18.104.22.168 connected
19:43:21 /22.214.171.124 logged in as jake951716
19:43:32 jake951716 admins: op Herrode
19:43:32Takeover prevention triggered by jake951716
19:43:32 [console] admins: deop jake951716
19:43:32 [console] admins: deop Herrode
19:43:32 [console] admins: say jake951716 ran: op Herrode
So I believe that Herrode is the username of this villain, but I can't be sure it's not just some account he/she pilfered.
He/She doesn't stop there though:
19:44:46 jake951716 says: Who is op?
19:44:57 Cara says: me
19:45:02 jake951716 (/126.96.36.199) lost connection suddenly. (java.io.IOException: An existing connection was forcibly closed by the remote host)
19:45:41 Kicking Cara (/188.8.131.52): You logged in from another computer.
19:45:41 /184.108.40.206 logged in as Cara
19:45:41 Cara (/220.127.116.11) disconnected
Well, /18.104.22.168 then exploded my spawn jail, and then left. All things considered, it was easy enough to undo, but it could have gone a lot worse. A LOT WORSE. I suggest everyone adds his/her IP address to the banIP.txt file, since his/her name is likely to change, or be completely unpredictable, as was the case when he/she first appeared. Don't believe me? That's ok. I don't mind, but it's your server at risk, not mine. I'll be submitting this to Notch as a security bug. If anyone has seen/experienced this, please let me know or post on this topic to let others know.
Here's a screenshot of the jail, post grief, if anyone was wondering. Nothing else was griefed.
My friend Greatak says this guy showed up on his server today too, did pretty much the same thing. Funny thing is: Scotrobot (the user talking in the screenshot) was on Greatak's server at the time of attack as well. Can anyone vouch for this guy?
Well, I encountered him and know what he is doing and how he is doing it. Hell, it's very simple to do.
All he is doing is modifying packets. So he joins a server, modifies packets such as his name, and just changes it to one that is an OP. If you get disconnected because you were logged in from another computer, don't worry: all he did was change his name to yours through packet sniffing/changing. He also crashes WOM servers this way with a name that includes hex character F5. I have proof in a shitload of screenshots of what he was talking about; here's the MediaFire link for the zip full of screenshots.
He uses a program called WPE Pro to sniff/modify packets. He has a friend named "James" that joined the server, for whatever that is worth. Sorry for the horrible grammar and punctuation; I'm trying to get this done ASAP.
Hell, even he got disconnected and rejoined saying "HAHAHA I think the real notch tried to log on because it told me that i was logged on from another computer"
Oh, and it would be a good idea to add DungeonMaster to your banlist. He really wanted to know how the hacker was doing it and, well, he showed him; the hacker even gave him his custom scripts or whatever.
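
An added example, not part of the thread and not code from any poster: a scan of the server log for the two signs visible in the first post, one address logging in under several names, and a "You logged in from another computer" kick followed by a login under that name from a different address. The sample log is constructed (made-up names, documentation-range addresses), and the line format is assumed to match the lines quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the first post.
# Names are made up; addresses come from documentation ranges.
SAMPLE_LOG = """\
19:37:47 /203.0.113.7 connected
19:37:47 /203.0.113.7 logged in as garbletext
19:38:10 /198.51.100.20 logged in as PlayerA
19:38:56 Kicking PlayerA (/198.51.100.20): You logged in from another computer.
19:38:56 /203.0.113.7 logged in as PlayerA
19:40:02 /192.0.2.44 logged in as PlayerB
19:41:15 Kicking PlayerB (/192.0.2.44): You logged in from another computer.
19:41:15 /192.0.2.44 logged in as PlayerB
"""

LOGIN = re.compile(r"^(\d\d:\d\d:\d\d) /(\S+) logged in as (\S+)$")
KICK = re.compile(r"^(\d\d:\d\d:\d\d) Kicking (\S+) \(/(\S+)\): "
                  r"You logged in from another computer\.$")

def find_takeovers(log_text):
    """Return (suspect_ips, takeovers).

    suspect_ips: {ip: sorted names} for addresses that logged in under more
    than one name. takeovers: (time, name, old_ip, new_ip) for each session
    that was kicked and replaced by a login from a different address.
    """
    names_by_ip = defaultdict(set)
    pending = {}      # name -> (time, ip) of the session that was just kicked
    takeovers = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := KICK.match(line):
            when, name, old_ip = m.groups()
            pending[name] = (when, old_ip)
        elif m := LOGIN.match(line):
            when, ip, name = m.groups()
            names_by_ip[ip].add(name)
            kicked = pending.pop(name, None)
            # A reconnect from the same address is not flagged.
            if kicked and kicked[1] != ip:
                takeovers.append((when, name, kicked[1], ip))
    suspects = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1}
    return suspects, takeovers

if __name__ == "__main__":
    suspects, takeovers = find_takeovers(SAMPLE_LOG)
    for ip, names in suspects.items():
        print(f"{ip} used {len(names)} names: {', '.join(names)}")
    for when, name, old_ip, new_ip in takeovers:
        print(f"{when} {name}: session from {old_ip} replaced by {new_ip}")
```

Players behind a shared connection will also show up as one address with several names, so the replaced-session list is the stronger signal of the two.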