Today around 20:00 server time, which is +5:00 hours, my server's spawn jail was griefed. I was AFK at the time, but after scanning through the server log, I came across the following outputs:
19:37:47 /70.57.42.167 connected
19:37:47 /70.57.42.167 logged in as f09840985j098r809243809if092385j098728gj904368gfg987450985j94ge
Oh my... moments later...
19:37:55 [console] admins: say Rules:
-Rules snipped to save space-
19:38:02 Cara says: agree to them
19:38:06 f09840985j098r809243809if092385j098728gj904368gfg987450985j94ge says: No
But strangely enough, it didn't end there
19:38:56 Kicking XenonMan (/71.201.47.152): You logged in from another computer.
19:38:56 /70.57.42.167 logged in as XenonMan
You may have noticed that XenonMan logged in from the same IP address as mister garbletext. This player then proceeded to take over different players until he got to an op, at which point...
19:43:21 /70.57.42.167 connected
19:43:21 /70.57.42.167 logged in as jake951716
19:43:32 jake951716 admins: op Herrode
19:43:32Takeover prevention triggered by jake951716
19:43:32 [console] admins: deop jake951716
19:43:32 [console] admins: deop Herrode
19:43:32 [console] admins: say jake951716 ran: op Herrode
So I believe that Herrode is the username of this villain, but I can't be sure it's not just some account he/she pilfered.
He/She doesn't stop there though:
19:44:46 jake951716 says: Who is op?
19:44:57 Cara says: me
19:45:02 jake951716 (/70.57.42.167) lost connection suddenly. (java.io.IOException: An existing connection was forcibly closed by the remote host)
19:45:41 Kicking Cara (/99.50.203.231): You logged in from another computer.
19:45:41 /70.57.42.167 logged in as Cara
19:45:41 Cara (/99.50.203.231) disconnected
Well, /70.57.42.167 then exploded my spawnjail, and then left. All things considered, it was easy enough to undo, but it could have gone a lot worse. A LOT WORSE. I suggest everyone adds his/her IP address to the banIP.txt file, since his/her name is likely to change, or be completely unpredictable, as was the case when he/she first appeared. Don't believe me? That's ok. I don't mind, but it's your server at risk, not mine. I'll be submitting this to Notch as a security bug, if anyone has seen/experienced this, please let me know or post on this topic to let others know.
EDIT:
Here's a screenshot of the jail, post grief, if anyone was wondering. Nothing else was griefed.
My friend Greatak says this guy showed up on his server today too, did pretty much the same thing. Funny thing is: Scotrobot (The user talking in the screenshot) was on Greatak's server at the time of attack as well. Can anyone vouch for this guy?
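The pattern in the log excerpts above (one address logging in under several names, and a "logged in from another computer" kick followed by a login from a different address) can be checked for automatically. The following is an added example, not part of the original post or the server software; the line formats are assumed from the quoted excerpts and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: adapted from the log lines quoted in the post (the long
# random name is shortened to "garbletext"); the "Bob" lines are invented to
# show a harmless reconnect from an unchanged address.
SAMPLE_LOG = """\
19:37:47 /70.57.42.167 connected
19:37:47 /70.57.42.167 logged in as garbletext
19:38:56 Kicking XenonMan (/71.201.47.152): You logged in from another computer.
19:38:56 /70.57.42.167 logged in as XenonMan
19:43:21 /70.57.42.167 logged in as jake951716
19:45:41 Kicking Cara (/99.50.203.231): You logged in from another computer.
19:45:41 /70.57.42.167 logged in as Cara
19:50:00 Kicking Bob (/192.0.2.10): You logged in from another computer.
19:50:00 /192.0.2.10 logged in as Bob
"""

LOGIN = re.compile(r"^(\d\d:\d\d:\d\d) /([\d.]+) logged in as (\S+)$")
KICK = re.compile(r"^\d\d:\d\d:\d\d Kicking (\S+) \(/([\d.]+)\): "
                  r"You logged in from another computer\.$")

def analyze(log_text):
    """Return (takeovers, shared_ips) found in a server log."""
    names_by_ip = defaultdict(set)   # source IP -> usernames it logged in as
    kicked = {}                      # username -> IP of the session just kicked
    takeovers = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KICK.match(line)
        if m:
            kicked[m.group(1)] = m.group(2)
            continue
        m = LOGIN.match(line)
        if not m:
            continue
        ts, ip, name = m.groups()
        names_by_ip[ip].add(name)
        old_ip = kicked.pop(name, None)
        if old_ip is not None and old_ip != ip:
            takeovers.append((ts, name, old_ip, ip))
    shared = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1}
    return takeovers, shared

if __name__ == "__main__":
    takeovers, shared = analyze(SAMPLE_LOG)
    for ts, name, old_ip, new_ip in takeovers:
        print(f"{ts} {name}: session from {old_ip} replaced by {new_ip}")
    for ip, names in shared.items():
        print(f"{ip} logged in as {len(names)} names: {', '.join(names)}")
```

A player whose own address changed between sessions, or several players behind one shared address, will also match one of the two checks, so a hit is a prompt to review the log rather than proof of a takeover.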
If the guy has the skills to do this kind of invasion, I think that at least he is using some kind of proxy, making an IP ban not really a solution. Notch needs to fix this some way.
Well, I encountered him and know what he is doing and how he is doing it. Hell, it's very simple to do.
All he is doing is modifying packets. So he joins a server, modifies packets such as his name, and just changes it to one that is an OP. If you get disconnected because you were logged in from another computer, don't worry; all he did was change his name to yours through packet sniffing/changing. He also crashes WOM servers this way with a name that includes hex character F5. I have proof in a shitload of screenshots of what he was talking about; here's the MediaFire link for the zip full of screenshots.
He uses a program called WPE Pro to sniff/modify packets. He has a friend named "James" who joined the server, for whatever that is worth. Sorry for the horrible grammar and punctuation; I'm trying to get this done ASAP.
Hell, even he got disconnected and rejoined saying "HAHAHA I think the real notch tried to log on because it told me that i was logged on from another computer"
Oh, and it would be a good idea to add DungeonMaster to your banlist. He really wanted to know how the hacker was doing it, and, well, he showed him; the hacker even gave him his custom scripts or whatever.
70.57.54.79
70.57.42.167
168.103.203.224
67.41.125.35 (not 100% about this one)
Same person. He attacked my server as well.
O.o
Crap.
Former #minecraft channel operator.
Apparently all five of them came from the same company (Qwest).
Now he's spamming illegal characters in servers to crash the clients of everyone connected.
Contains Pachelbel's Canon made with noteblocks, a working Rubik's cube made with pistons, and the ultimate TNT cannon.
Strangely enough, /70.57.42.167 has been in my ipban list for a while.
I'm known as Kakashi, Kaka, KS, and the Coal Ninja =)
http://www.mediafire.com/?mmwwvqqkgjt
EDIT:
Just done in a significantly inefficient way.
Quality of output = Skill * Effort