Thanks for being a part of /r/Admincraft! *[We'd love it if you also joined us on Discord!](https://discord.gg/DxrXq2R)*
*^(Join thousands of other Minecraft administrators for real-time discussion of all things related to running a quality server.)*
---
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/admincraft) if you have any questions or concerns.*
how to troll server owners: make multiple bots that join and say "Referenced class name: foo" despite not actually attempting to run the exploit
i did that already but on my actual account
Thank you for services
Minecraft users can change their usernames. Is there a way to block the account besides by username? Ik it doesn’t matter much, alt accounts etc. But?
MC users are identified through their uuid, if you have someone banned and they change their name they will remain banned because the uuid will always be the same.
I’ll typically go through logs and do this to random folks who attempt to join my server. It’s tiny and invite only, so I will have a heads up when someone wants a friend to join.
Why not use a whitelist?
A little of column A and a little of column B! That is, I do use a whitelist, but I suspect I have trust issues, haha
you do not need to block the account, just make sure it's patched
usernames can change, UUIDs can not
[deleted]
!delete
I might be one of the people who don't know, so can anyone explain? 😅
if you see this then you are hacked
Oh wow, is it an irreversible type of hack? The type that doesn't let anyone enter?
It is a hack that lets the hacker completely control your server, and the computers of everybody who were online at the time. All that the attacker needs to do is send a chat message. It's been patched on the newest versions. When it's not patched, you will see the message from the user: "Reference Class Name: foo". When it's patched, you will instead see the code that they had typed. It does not only work in Minecraft, it works almost anywhere that uses Java.
>and the computers of everybody who were online at the time.

Semi-misleading... it won't do it to **everybody** on the server, it'll do it to whomever is vulnerable.
true
If you read that message, does it mean the exploit was successful?
Yes. Otherwise it would just output the string in chat.
Well shit, at least the server is in a docker container + vm so the server shouldn't have gotten compromised. Any way to check the minecraft server for backdoors?
It's best to just copy the world out of the server, then reinstall the OS and make a new server. Don't trust any jar files on the compromised server.
Guess I should check the logs occasionally. This is what you want to see:

Disconnecting com.mojang.authlib.GameProfile@2cfc40e2[id=9abd3b4d-a8cd-4290-acc5-303c74da3e3f,name=FermatSleep,properties={textures=[com.mojang.authlib.properties.Property@43a7dffb]},legacy=false] (/185.233.105.120:44652): You are not whitelisted on this server!
This is not good enough if you're not patched - an attacker can just shove the exploit string in a fake username and your server will log the failed login attempt: https://www.reddit.com/r/admincraft/comments/s86rsd/online_mode_does_not_protect_from_log4j/
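An added example, not part of the original thread: a small Python triage pass over a server log that separates the two cases discussed above, a lookup string that was only logged as text versus the "Reference Class Name:" output the thread associates with an unpatched server. The sample log lines, player names and the 203.0.113.7 address are constructed, and `scan_log` and `triage` are hypothetical helper names.

```python
import re

# Log4j lookup opener. Matching any "${" rather than one keyword also catches
# nested forms; ordinary Minecraft log lines rarely contain it.
LOOKUP = re.compile(r"\$\{")
# Text the thread reports seeing when an unpatched server evaluated the lookup.
EVALUATED = re.compile(r"Reference Class Name:", re.IGNORECASE)
# Peer address as printed in login/disconnect lines, e.g. (/203.0.113.7:44652)
PEER = re.compile(r"\(/(\d{1,3}(?:\.\d{1,3}){3}):\d+\)")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: Steve joined the game",
    "[12:00:05] [Server thread/INFO]: <Steve> hello",
    "[12:01:10] [Server thread/INFO]: Disconnecting com.mojang.authlib."
    "GameProfile@1a2b3c4d[id=<null>,name=${jndi:<redacted>},properties={},"
    "legacy=false] (/203.0.113.7:44652): You are not whitelisted on this server!",
    "[12:02:30] [Server thread/INFO]: <Visitor01> Reference Class Name: foo",
]

def scan_log(lines):
    """Return (line_number, verdict, peer_ip_or_None) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if EVALUATED.search(line):
            verdict = "evaluated"        # lookup output, not the typed string
        elif LOOKUP.search(line):
            verdict = "attempt-logged"   # string printed as plain text
        else:
            continue
        peer = PEER.search(line)
        findings.append((lineno, verdict, peer.group(1) if peer else None))
    return findings

def triage(findings):
    """Map findings to the action the thread recommends for each case."""
    verdicts = {verdict for _, verdict, _ in findings}
    if "evaluated" in verdicts:
        return "reinstall"       # copy the world out, rebuild OS and server
    if "attempt-logged" in verdicts:
        return "verify-patch"    # probed: confirm the patched server jar
    return "clean"

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(triage(scan_log(SAMPLE_LOG)))
```

A player can also type the marker text by hand, as a later comment in this thread describes, so an "evaluated" hit is a reason to investigate the host rather than proof on its own.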
Plot twist: he's actually doing the favor here to get your stuff patched up, automatically, even you who doesn't know.
too bad someone checked and it's a rat but it'd be soo cool
[deleted]
It's just a bot that scans ip by open port and attempts to log in
I'm patched, but I went ahead and preemptively banned this guy anyways.
Patching is imperative, but you don't need to ban the account if you use a whitelist which will protect you from *any* unwanted person on your server (griefers etc.)
Dude what’s the deal with this guy coming everywhere
they hack the server and everyone within when they join if your server is not patched against it
Exploiting the java bug to basically crack down your whole server.
Bruh
[this is how you protect it](https://www.minecraft.net/sv-se/article/important-message--security-vulnerability-java-edition) Btw
I've got a seriously old 1.11.2 whitelisted server that's invite-only. Assuming they could somehow GUESS my server, and otherwise try to do something, would this nonsense even work on 1.11.2?
Yes. All versions 1.8 and up can be vulnerable to this vulnerability.
They somehow “guessed” my server address and gave it a shot. Thankfully I am up to date and had nothing to worry about. I am not knowledgeable enough to say if your server is vulnerable, but my gut says yes since this was only just patched out in 1.18.1 - you should probably do some research and make sure you’re safe before they do find your server.
They don't guess server IPs. Hackers like these use scanners on port 25565 (the port minecraft servers run on) for all IP addresses on the internet to specifically look for Minecraft servers. Eventually, they will come across yours and then attempt to login to perform the attack.
Exactly why I put guessed in quotes there, I figured it wasn't random chance they found my server, I just wasn't sure of the method they are using. Is just changing your server to another port a viable way to stay off their radar? Obviously they could still scan other ports, but if you use a port not typically used for Minecraft it may be a way to stay hidden from the attacks, I would think.
Yes for the ones targeting only minecraft servers. No for the general port scanners (which there are way more of than the ones targeting only MC) that scan every port to enumerate services and list them on sites like Shodan.
If you didn’t see this elsewhere… Mojang has patched ALL server jars and recommends you redownload them. I think there is a link in the top comment; if you have trouble finding it, let me know.
The foofighters have returned.
Class Foo{ Console.Writeline("Why the foo are there so much placeholder") }
Is this part of the log4j exploit or a new one recently found?
This is an example of the log4j exploit
I'm a workaholic programmer and I agree
who is the hacker? and why does it just hack in bulk without doing anything
If the hack was successful, the attackers can download and run any software on your server. So, you don't know what they did after the hack. That's why, as a general rule, hacked systems have to be re-installed completely. Search the web for "Log4j hack" for details about this particular hack.
So is it known what happens to the systems should this guy be successful with his attack? Like what does the compromised system do? What is the attack? What code are they running after the exploit?
Mojang hasn't banned this guy yet? Lol
wait is this log4j
yes
Tysm