mojira.dev
MC-103114

Isopropyl Exploit - Anyone can join any server as any name!

I noticed on my server, and on a few of my friends' servers (vanilla, bukkit, spigot, etc), that there are hackers who can join as any username. I've tried banning them, but they keep coming back. There is usually one called Isopropyl, and they call it the Isopropyl Exploit. There are no unusual logs in my server, or my friends'.

Comments 18

Our server has been attacked through the Isopropyl exploit. Players' homes and items have been destroyed. Admin attempts to remove the trouble player all fail. Our server community was held hostage at spawn until the server was closed by admin. Please address this issue ASAP.

IsopropyI goes invisible, tp's to people, then places lava on people who are just building and having fun and killing them also burning all their things that they spent so long to build up. Then after he/she does that, they go into the buildings and break all the chests and free everything that's not needed, like on the server I was on when this happened, I had a snowman in a pen and the gate that was on the walls was broken when I came back to my house. Same goes with all my chests that were broken and half my stuff was gone. When I died due to the lava I was just building a bridge across an area of land to put a river down the middle, then my friend who was helping me also died and she lost all her stuff AND SHE WAS STAFF. Then when I told an admin on the server he told everybody to go to spawn to be safe. After this all happened admins and other staff got so fed up they just closed the server. So please fix this because this is so annoying!

Not a fix, nor an official comment, but turning on debug logs may help figure out what's going on (though that'll give a lot of information).

I'm experiencing the exact same thing on my 1.9.4 Spigot server.
User logged in as "Isopropyl", logged out, then proceeded to log in to my account and grief my server.

Does this affect online or offline servers (online-mode=true in server.properties)?


replace 'although' with 'as if'

I am having the same issue on my server

http://arstechnica.com/security/2015/04/just-released-minecraft-exploit-makes-it-easy-to-crash-game-servers/

"""Let me tell you what's actually going on. Today on my online-mode=true server, the very person who made this thread somehow was able to log on to multiple false accounts with usernames like n*gger etc. and was able to gain access to one of my admin's accounts as well. Unfortunately, he used his unauthorized powers to abuse players (griefing and killing them apparently), all the while blaming it on an unknown player (Isopropyl), later a player with the name Isopropyl logged on, who had nothing to do with anything (likely the same guy as the false admin) for the sole purpose of making people believe this magic trick and giving this whole thread false credibility. I have no idea why anyone would do this as there's nothing to gain but I guess that's what 'trolling' is. What's concerning though is he was able to log in as any player although the server was cracked (which it definitely is not)"""

This is exactly what is happening. My servers are connected by bungee (bungee server is in online mode, the rest connected to it are in offline mode). No Isopropyl guy though.

There have been a few reports of this. Please, can you get some packet debugging started NOW? We can't diagnose this without it.

The gist of the process is explained at http://wiki.vg/Debugging, but basically, you need to first create a file named log4j.xml, and put this in it:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" packages="net.minecraft,com.mojang">
    <Appenders>
        <Console name="SysOut" target="SYSTEM_OUT">
            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
        </Console>
        <Queue name="ServerGuiConsole">
            <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
        </Queue>
        <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy />
                <OnStartupTriggeringPolicy />
            </Policies>
            <DefaultRolloverStrategy max="999999"/>
        </RollingRandomAccessFile>
    </Appenders>
    <Loggers>
        <Root level="debug">
            <AppenderRef ref="SysOut"/>
            <AppenderRef ref="File"/>
            <AppenderRef ref="ServerGuiConsole"/>
        </Root>
    </Loggers> 
</Configuration>

Then launch the server with: java -Dlog4j.configurationFile=log4j.xml. If you're running spigot, you'll need to use a different configuration:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" packages="com.mojang.util">
    <Appenders>
        <Console name="WINDOWS_COMPAT" target="SYSTEM_OUT"></Console>
        <Queue name="TerminalConsole">
            <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
        </Queue>
        <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy />
                <OnStartupTriggeringPolicy />
            </Policies>
            <DefaultRolloverStrategy max="1000"/>
        </RollingRandomAccessFile>
    </Appenders>
    <Loggers>
        <Root level="debug">
            <AppenderRef ref="WINDOWS_COMPAT"/>
            <AppenderRef ref="File"/>
            <AppenderRef ref="TerminalConsole"/>
        </Root>
    </Loggers>
</Configuration>

This will put a lot of information into log files. But it should make it possible to investigate this issue.
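Once logging is in place, the pattern reported in this thread (one client logging in as "Isopropyl" and then as another account) can be pulled out of latest.log. The following is an added example, not part of the original comment: it assumes the vanilla login line format under the File appender pattern above and that the logged address is the client's own (behind a proxy without IP forwarding every login shows the proxy address); the sample lines, addresses and the name AdminAlice are constructed.

```python
import re
from collections import defaultdict

# Vanilla login line under the pattern "[%d{HH:mm:ss}] [%t/%level]: %msg%n".
LOGIN_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[[^\]]+\]: "
    r"(?P<name>[^\[\s]+)\[/(?P<ip>[0-9A-Fa-f.:]+):\d+\] logged in with entity id \d+"
)

def parse_logins(lines):
    """Return (time, username, source_ip) for every successful login line."""
    out = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            out.append((m["time"], m["name"], m["ip"]))
    return out

def suspicious_logins(lines):
    """Group logins both ways and report the two patterns worth a closer look."""
    names_by_ip, ips_by_name = defaultdict(set), defaultdict(set)
    for _, name, ip in parse_logins(lines):
        names_by_ip[ip].add(name)
        ips_by_name[name].add(ip)
    return {
        # One client address logging in under several usernames.
        "ip_with_many_names": {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1},
        # One username arriving from several addresses.
        "name_from_many_ips": {n: sorted(i) for n, i in ips_by_name.items() if len(i) > 1},
    }

# Constructed sample log (documentation addresses, made-up admin name).
SAMPLE_LOG = """\
[18:02:11] [Server thread/INFO]: AdminAlice[/198.51.100.20:51544] logged in with entity id 101 at (10.5, 64.0, -3.5)
[18:05:40] [Server thread/INFO]: Isopropyl[/203.0.113.7:50112] logged in with entity id 214 at (0.5, 70.0, 0.5)
[18:06:02] [Server thread/INFO]: Isopropyl lost connection: Disconnected
[18:06:30] [Server thread/INFO]: AdminAlice[/203.0.113.7:50190] logged in with entity id 230 at (10.5, 64.0, -3.5)
[18:07:00] [Server thread/INFO]: <AdminAlice> hello
""".splitlines()

if __name__ == "__main__":
    for kind, hits in suspicious_logins(SAMPLE_LOG).items():
        print(kind, hits)
```

A username seen from several addresses is also what a player on a dynamic IP looks like, so treat the output as a list of sessions to review, not a verdict.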

Alright, I will do this and get back to you. Thank you for a fast reply 🙂

That said, what you're describing might be something less exciting. The article you linked is about a different issue (a severe one, but not this one - I think it might be MC-101781?), which can cause server crashes but doesn't allow arbitrary usernames.

This is exactly what is happening. My servers are connected by bungee (bungee server is in online mode, the rest connected to it are in offline mode)

That technically makes your issue here invalid since the Mojang bug tracker is only for vanilla, not bungeecord. But since it's happened on vanilla before without logs (or, believed to have happened that way) getting logs will be helpful in the event that this is a new exploit.

You do mention the servers being in offline mode. To verify, you did follow the post-install steps found in the bungeecord thread, right?

Post Installation

As your servers will now be running in offline mode, they are open to users connecting as whoever they want to, and wreaking havoc. Unfortunately for them, this is something that we don't want to happen. Whilst you may be tempted to install an IP whitelist plugin, there are much better ways of preventing users from even getting to the login stage, and thus safeguarding yourself from whatever they may throw at you.

BungeeCord on same machine as all servers

Simply open up the server.properties file on each of your servers, and set the server-ip option to 127.0.0.1, and then restart the server.

BungeeCord on different machine to some servers

First you need to set connection-throttle to -1 in bukkit.yml. This is a VERY important step, and if you don't do it, BungeeCord will NOT work properly.

The only way to secure this setup entirely is to use a firewall to prevent access to them at all from the outside world. Luckily most Linux distributions include an easy to use firewall named iptables. Once you have everything set up you can activate this firewall with the command below, but first replace $BUNGEE_IP with the server running BungeeCord, and $SERVER_PORT with the port of your Minecraft server.

Please note that all commands in this section must be run as root.

iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $SERVER_PORT -j DROP

Next you must make these rules automatically apply each reboot. The commands used to do this vary depending on which Linux distribution you use:

CentOS

/etc/init.d/iptables save

Debian / Ubuntu

apt-get install iptables-persistent
/etc/init.d/iptables-persistent save

If at any time you find yourself unable to connect to your servers after messing with the firewall, simply enter this command to completely reset it:

iptables --flush

If you didn't, and people can connect directly to your local servers, then they're able to directly bypass bungee's authentication and the normal offline mode warning applies:

**** SERVER IS RUNNING IN OFFLINE/INSECURE MODE!
The server will make no attempt to authenticate usernames. Beware.
While this makes the game possible to play without internet access, it also opens up the ability for hackers to connect with any username they choose.
To change this, set "online-mode" to "true" in the server.properties file.
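The post-installation steps quoted above come down to one check per backend: an offline-mode server must not be reachable from anywhere except the proxy. The following added example (not from the BungeeCord guide or from this thread) classifies a server.properties file on that basis; the status labels and sample files are constructed, and the firewall itself is not inspected.

```python
import ipaddress

def read_properties(text):
    """Parse the key=value lines of a server.properties file (comments skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_backend(text):
    """Return (status, detail) from online-mode, server-ip and server-port."""
    props = read_properties(text)
    # Vanilla defaults: online-mode=true, empty server-ip (all interfaces), port 25565.
    online = props.get("online-mode", "true").lower() == "true"
    bind = props.get("server-ip", "")
    port = props.get("server-port", "25565")
    if online:
        return ("authenticated", "online-mode=true, usernames are verified")
    try:
        loopback = ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback = False  # empty value or hostname: assume it is reachable
    if loopback:
        return ("loopback-only", "offline mode, bound to %s:%s" % (bind, port))
    where = bind or "all interfaces"
    return ("needs-firewall",
            "offline mode, listening on %s port %s; only the proxy address "
            "should be allowed to reach this port" % (where, port))

# Constructed sample files for three servers.
LOBBY = "online-mode=false\nserver-ip=127.0.0.1\nserver-port=25566\n"
SURVIVAL = "#Minecraft server properties\nonline-mode=false\nserver-ip=\nserver-port=25567\n"
STANDALONE = "server-port=25565\n"

if __name__ == "__main__":
    for name, text in (("lobby", LOBBY), ("survival", SURVIVAL), ("standalone", STANDALONE)):
        print(name, *audit_backend(text))
```

A "needs-firewall" result is acceptable only when a rule like the iptables line above is in place and saved, which has to be confirmed on the host itself.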

Max Bruce

(Unassigned)

Unconfirmed

Minecraft 1.9.4
