This kid tried to gain OP access to my server with some basic social engineering. It failed, and I thought it was funny so I guess I'll post it here.
I won't tell you how it works, because I don't know. But there are so many people that think they can get OP on my small, peaceful, little server by giving out an IP/DNS for an admin (with OP permissions, but not OP themselves) to connect to.
Apparently this has been removed since the new versions of Bukkit, but people still try.
It did happen once to me, won't name names... (chappro, cakespam, veraldz)
but I banned them and got over it, you know, as you have to.
So anyway, here is a bit of a guide to help you out a bit.
Just a notice, this IS NOT the people that managed to hack me before, this is recent. (Plus I lost the logs for chappro etc)
Oh, and I wasn't even online when this happened. One of the best admins in the world was dealing with this guy (5rovert is amazing).
Obviously don't go on the server this guy was advertising, it's clearly a ForceOP server. (btw, it has to have the server IP or DNS it wants to ForceOP on, so it'll be safe, you just won't be able to connect)
GUILTY LEVEL 1:
Checking if their efforts will go to plan, they need somebody to actually have OP permissions.
GUILTY LEVEL 2:
The bait, they need to work up some anger or outrage.
GUILTY LEVEL 3:
The DNS/IP to connect to is revealed, and a bit more rage. (I don't allow click-able chat links)
GUILTY LEVEL 4:
Some backup to his story, and a bit of 'lol' to make him/her seem friendly.
GUILTY LEVEL 5:
A bit of urgency now, getting impatient. This is the point where you can act like a total jerk and ask stupid questions, like "whats the IP?". You know, have a bit of fun.
(NOTE: mc.stratuscraft.net is my old DNS, not the ForceOP server)
GUILTY LEVEL 6:
Just seriously 'out there'... Nobody believes this guy now, but I'll keep going, just in case...
GUILTY LEVEL 7:
Practically this guy is crying on his keyboard now, but it's still fun to mess with him. For larger servers, you should have banned by guilty level 3, or the time he/she advertised the IP.
*Banned mid-sentence*
I won't tell you who this was.. But just note if you right click on one of the images and view image URL (whatever) you MAY or MAY not see the username
I hope this helps you stay safe from those nasty players
[Minecraft] How to know if somebody is trying to 'ForceOP'
Re: [Minecraft] How to know if somebody is trying to 'ForceO
Urgh, I hate these people. Although they can be quite amusing sometimes.
I made a point of not joining any server that anyone tells me in game until this bug is fixed.
It's actually a man in the middle attack, the way the Minecraft server joining works is
- Server generates a random number known as the server id (different for every join)
- Client tries to join the server
- Server sends its random ID to the client
- Client sends the ID to minecraft.net
- Server asks minecraft.net if the player can join the server (if the client sent the right ID basically)
- Client joins

- Target server generates a random number known as the server id (different for every join)
- Client tries to join the attacker's server
- Attacker's server poses as a client and tries to join the target server to get the server ID
- Attacker's server sends the target server's ID to the client
- Client sends the target server ID to minecraft.net
- Attacker's server lets them join without the minecraft.net check
- Client joins
- Attacker's server continues the join process to the target server
- Target server thinks the attacker's server is the client because it sent the server ID and lets it join
- Attacker's server sends the chat packet "/op <bad_guy>" and leaves
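The two join flows listed above, modelled offline as an added example (not part of the original post and not Minecraft's real code). `SessionService`, `legacy_token` and `bound_token` are hypothetical names, the keys are constructed strings, and the key-bound token is an assumed hardening shown only to illustrate why a bare server ID can be relayed.

```python
import hashlib
import secrets


class SessionService:
    """Toy stand-in for minecraft.net: stores the token each player registered."""

    def __init__(self):
        self.joined = {}

    def join(self, player, token):
        # Called by the client after the server hands it an ID.
        self.joined[player] = token

    def check(self, player, token):
        # Called by the server before it lets the player in.
        return self.joined.get(player) == token


def legacy_token(server_id, server_key):
    # Flow from the post: the token is only the random server ID,
    # so it says nothing about which server the client is talking to.
    return server_id


def bound_token(server_id, server_key):
    # Assumed hardening: the token also commits to the key of the
    # server at the other end of the client's connection.
    return hashlib.sha1(server_id.encode() + server_key).hexdigest()


def join_accepted(make_token, relayed):
    """Return True if the target server would accept the join."""
    svc = SessionService()
    target_key = b"constructed-target-key"
    relay_key = b"constructed-relay-key"
    server_id = secrets.token_hex(8)  # target's per-join random ID

    # The client registers a token for whichever server it is connected to.
    # In the relayed case it sees the target's ID but the middle server's key.
    seen_key = relay_key if relayed else target_key
    svc.join("admin", make_token(server_id, seen_key))

    # The target always verifies against its own ID and its own key.
    return svc.check("admin", make_token(server_id, target_key))


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_token), ("bound", bound_token)):
        print(name, "direct:", join_accepted(fn, False),
              "relayed:", join_accepted(fn, True))
```

The model stops at the session check; a middle server that forwards the target's key instead would not hold the matching private key, which this sketch does not cover.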
Re: [Minecraft] How to know if somebody is trying to 'ForceO
Fairly amusing
However, I'm more interested in your signature! That's awesome!!
Re: [Minecraft] How to know if somebody is trying to 'ForceO
EcazS wrote: However, I'm more interested in your signature!
My signature?
The source code is below, but I mashed it all up into one line :/ (It's quite messy)
<?php srand((double)microtime()*1000000);define("IMAGE_WIDTH",450);define("IMAGE_HEIGHT",24);define("MAX_LINE_WIDTH",10);define("COLOR_DEVIATION",18);$img = imagecreate(IMAGE_WIDTH,IMAGE_HEIGHT);$lr = $lg = $lb = 127;function cmax($x) {if ($x > 255) { return 255; }elseif ($x < 0) { return 0; }else { return $x; } }function ncolor($x) {return rand($x - COLOR_DEVIATION, $x + COLOR_DEVIATION); }$p = 0;while($p < IMAGE_WIDTH) {$linecolor = imagecolorallocate($img,$cr = cmax(ncolor($lr)),$cg = cmax(ncolor($lg)),$cb = cmax(ncolor($lb)));$linewidth = rand(1,MAX_LINE_WIDTH);imagefilledrectangle($img,$p,0,$p+$linewidth,IMAGE_HEIGHT,$linecolor);$p = $p + $linewidth;$lr = $cr;$lg = $cg;$lb = $cb;}header("Content-type:image/png");imagepng($img);?>
Hehe, I just played around in Komodo for around 4 hours, using the auto-complete thing
Re: [Minecraft] How to know if somebody is trying to 'ForceO
Jacek, you'll have to change it slightly to get it to do it.
Add a uniqid() in there too, and it will change a bit more
Like
(int) md5(uniqid())
Will get a random string of numbers.
I don't like to brag, but I wasn't circumcised. I was circumnavigated.
Want to learn something new? Or maybe reinforce what you already know? Or just help out? Please subscribe to my videos: http://goo.gl/58pN9
Re: [Minecraft] How to know if somebody is trying to 'ForceO
bowersbros wrote: Jacek, you'll have to change it slightly to get it to do it.
Get it to do what
This?
Re: [Minecraft] How to know if somebody is trying to 'ForceO
jacek wrote:
bowersbros wrote: Jacek, you'll have to change it slightly to get it to do it.
Get it to do what
This?
[lotta images]
Yep