TheDarkDeuce, Posted December 21, 2014
Sup guys, we are running a Tekkit server which has 2 admins, me and my brother. Tonight 2 people joined our server, first with some username, then they relogged 3 times and then somehow had the usernames "ADMIN1" and "Admin2" (example). They had all the rights we have, our inventories; they gave themselves god mode, gamemode and nuked our whole spawn and our own bases. Our server.log: http://pastebin.com/V2J8Q1ja (I changed our nicknames to ADMIN1 and ADMIN2). How is this possible? How could they fake the usernames and use the same rights as we have?
plowmanplow (Discord Moderator), Posted December 21, 2014
What server JAR are you using? The Tekkit.jar (basic Forge) from the download provided by Technic? MCPC+? If MCPC+, which build?
disconsented, Posted December 22, 2014
What's the bet someone gave them OP or you're running offline mode?
plowmanplow (Discord Moderator), Posted December 22, 2014
It might just be my ignorance, but I'm not familiar with an MCPC+ #244 build. This is the version I'm using: mcpc-plus-legacy-1.4.7-R1.1-SNAPSHOT-f534-L70.jar, MD5 sum: 96ffb259dc6efbcd06c8eb766af1de3a. I believe versions prior to this have a flaw in the way session validation happens which allows someone using a particular hacked client to connect as any user. Ever since I updated to that version we never had any more issues of that sort. Even though I believe the flaw to be fixed, I still require any player over the rank of Veteran to use the LoginSecurity Bukkit plugin for a second form of protection.
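
One way to spot the pattern from the first post in server.log after the fact, as an added example that is not part of the original thread: it flags a privileged name logging in from an IP that earlier logged in under an ordinary name, or from an IP that name has not used before. The login line format is assumed from 1.4.7-era Bukkit/MCPC+ servers, and `find_suspect_logins`, the sample names and the IPs are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed login line format of a 1.4.7-era Bukkit/MCPC+ server.log:
#   2014-12-21 21:03:11 [INFO] Name[/203.0.113.7:51234] logged in with entity id 412 at (...)
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[INFO\] "
    r"(?P<name>\w{1,16})\[/(?P<ip>[0-9a-fA-F.:]+):\d+\] logged in with entity id"
)

def find_suspect_logins(lines, privileged):
    """Return (timestamp, name, ip, reason) for privileged logins that look spoofed."""
    privileged = {p.lower() for p in privileged}
    names_by_ip = defaultdict(set)   # ip -> every name that logged in from it
    ips_by_name = defaultdict(set)   # privileged name -> IPs it has used so far
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # chat, disconnects, commands, etc.
        ts, name, ip = m["ts"], m["name"].lower(), m["ip"]
        if name in privileged:
            # Ordinary (non-privileged) names already seen from this address.
            others = names_by_ip[ip] - privileged
            if others:
                alerts.append((ts, name, ip, "ip previously used by " + ",".join(sorted(others))))
            elif ips_by_name[name] and ip not in ips_by_name[name]:
                alerts.append((ts, name, ip, "new ip for privileged name"))
            ips_by_name[name].add(ip)
        names_by_ip[ip].add(name)
    return alerts

# Constructed sample log: names are placeholders, IPs are documentation ranges.
SAMPLE_LOG = """\
2014-12-21 19:40:02 [INFO] ADMIN1[/198.51.100.10:50111] logged in with entity id 101 at ([world] 10.5, 64.0, -3.5)
2014-12-21 19:41:15 [INFO] Admin2[/198.51.100.11:50230] logged in with entity id 102 at ([world] 12.5, 64.0, -3.5)
2014-12-21 20:58:40 [INFO] Visitor7[/203.0.113.7:51200] logged in with entity id 398 at ([world] 0.5, 70.0, 0.5)
2014-12-21 20:59:05 [INFO] Visitor7 lost connection: disconnect.quitting
2014-12-21 21:03:11 [INFO] ADMIN1[/203.0.113.7:51234] logged in with entity id 412 at ([world] 10.5, 64.0, -3.5)
2014-12-21 21:04:30 [INFO] Admin2[/203.0.113.99:40022] logged in with entity id 415 at ([world] 12.5, 64.0, -3.5)
""".splitlines()

if __name__ == "__main__":
    for alert in find_suspect_logins(SAMPLE_LOG, {"ADMIN1", "Admin2"}):
        print(*alert, sep=" | ")
```

A new IP on its own is a weak signal for players on dynamic addresses; the stronger indicator is an address that switched from an ordinary name to a privileged one.
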
TheDarkDeuce, Posted December 22, 2014
> It might just be my ignorance, but I'm not familiar with an MCPC+ #244 build. This is the version I'm using: mcpc-plus-legacy-1.4.7-R1.1-SNAPSHOT-f534-L70.jar, MD5 sum: 96ffb259dc6efbcd06c8eb766af1de3a. I believe versions prior to this have a flaw in the way session validation happens which allows someone using a particular hacked client to connect as any user. Ever since I updated to that version we never had any more issues of that sort. Even though I believe the flaw to be fixed, I still require any player over the rank of Veteran to use the LoginSecurity Bukkit plugin for a second form of protection.

That's the answer I searched for. Thank you, might wanna share this jar with me?
plowmanplow (Discord Moderator), Posted December 22, 2014
Unfortunately, that server JAR is covered by the DMCA takedown of all things Bukkit server related. I provided the MD5 sum so you can check against anything you happen to find floating around the internet.
TheDarkDeuce, Posted December 22, 2014
Found it, anyway thanks! We already thought about something like an authentication plugin for admins only, but didn't find one that has the possibility to request login only for specific groups.
plowmanplow (Discord Moderator), Posted December 22, 2014
LoginSecurity can provide that.
Venema, Posted December 23, 2014
Maybe the server had a plugin which could be exploited by the players. I believe this happened to a server I played on about a year ago (I can remember most of the details of what happened that day). Interestingly enough, there were two players that day, and one was Adolfhitler, who coincidentally nicknamed me "APoorHelplessJew".