Question Possible exploit / Paper 1.18.1-124

Sierran

New member
Jan 10, 2022
4
0
1
And it happened, for the first time someone broke into the server and spoiled the fun, it just makes me wonder how it happened. The server was in offline mode with the default port changed. Logs are in attachment. I'm just wondering how did he get a list of players on the server without going on the server? Theoretically whitelist shouldn't let him in and he wouldn't know the usernames he impersonated.
 

electronicboy

Administrator
Staff member
Dec 11, 2021
216
10
34
28
the server was in offline mode with the port changed

So, you disabled the server's authentication system, which allows people to join with whatever name they want, and your sole mechanism of defence was a system which, because you disabled the authentication system, relies on the name of the person trying to join, and are surprised that somebody was able to join.

The server literally sends a random selection of players each time it pings, and then there's always the potential that janky plugins were installed which opened such a hole.

Basically, you configured your server to permit this exact thing to occur and are running in a setup that we don't provide support for.
 
Solution

Sierran

Yes, you're right. But it makes me wonder how he knew the usernames to impersonate. I'm also curious how he got into a server that is not exposed on a standard port. Server is clean and without plugins.
 

electronicboy

there are literally tools which index the entire web, pot chance luck of somebody using that port/ip before for a server, etc

the server also sends a list of currently connected users to the client, generally not hard to make a few guesses
 

sulu

Paper Triage
Staff member
Dec 14, 2021
23
3
4
3
Minnesota
There are numerous bots going around scanning the entire internet for open Minecraft servers. There are even some websites (not server lists) where you can go and search databases of these publicly for people not inclined to set up their own scanner.

In terms of finding the correct username, as cat said the server will expose a subset of online players (or the entire list if there are not many people online) by default on ping.
 

Sierran

In terms of finding the correct username, as cat said the server will expose a subset of online players (or the entire list if there are not many people online) by default on ping.
the server also sends a list of currently connected users to the client, generally not hard to make a few guesses
Well that clears it up, thanks for the clarification. Well, that leaves me with a possible play with whitelisting IP addresses. I was living in the belief that nobody would guess usernames, well, I was wrong :) Everything explained, you can close the topic.
 

sulu

You can also remove this player sample via a plugin (or disable pings entirely in server.properties), but this is still relying on a. no one actually trying to join, or b. no one guessing a username, both of which are not good bets to make.
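
An added example, not from the thread or from Paper: a small Python audit of the setup discussed above, flagging an offline-mode whitelist and listing the names a status response gives away. The sample server.properties text, the status JSON and the player names are constructed, the function names are hypothetical, and enable-status is assumed to be the server.properties ping switch mentioned in the last reply.

```python
import json

# Constructed sample: the setup the thread describes (offline mode, moved port, whitelist on).
SAMPLE_PROPERTIES = """\
server-port=25577
online-mode=false
white-list=true
enable-status=true
"""

# Constructed sample of the JSON body a server returns to a status ping (made-up names).
SAMPLE_STATUS = json.dumps({
    "players": {"max": 20, "online": 2, "sample": [
        {"name": "ExamplePlayerA", "id": "00000000-0000-0000-0000-000000000001"},
        {"name": "ExamplePlayerB", "id": "00000000-0000-0000-0000-000000000002"}]},
})

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def exposed_names(status_json):
    """Player names a status response reveals to any unauthenticated client."""
    players = json.loads(status_json).get("players", {})
    return [p["name"] for p in players.get("sample") or [] if "name" in p]

def audit(properties_text, status_json=None):
    """Return findings for the settings and, if given, a captured status response."""
    props = parse_properties(properties_text)
    offline = props.get("online-mode", "true").lower() == "false"
    whitelist = props.get("white-list", "false").lower() == "true"
    status = props.get("enable-status", "true").lower() == "true"
    findings = []
    if offline:
        findings.append("online-mode=false: usernames are not authenticated")
        if whitelist:
            findings.append("white-list only checks an unauthenticated name")
    names = exposed_names(status_json) if status and status_json else []
    if names:
        findings.append("status ping exposes player names: " + ", ".join(names))
    if props.get("server-port", "25565") != "25565":
        findings.append("non-default port does not hide the server from scanners")
    return findings
```
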