Yes, we've all heard this one, and it's not isolated to a few admins: even the best of us can leave something unchecked and get hacked. (I just got hacked tonight due to me not securing something, oops.) This guide should serve as a checklist for admins under attack, to make sure the bad guys do as little damage as possible.
I Need Help NOW!
Under attack right now? Here are a few steps to minimize the damage the griefers are doing:
- Stop the server. (Yes, that's right. Griefers can't grief a server that's stopped.)
- Check your ops.txt file for any unauthorized players.
- Download your server log and open it in Notepad++. Search for the names of all the players that were griefing (make sure the search is case-insensitive). This should give you a list of all the commands involving those players, and you should find who opped the guy in the first place.
- Remove rogue permissions for those players from your permissions files. Also, look through your users.yml, or whatever file your users' permissions are in, for any weird, out-of-place perms that a user shouldn't have.
- Check your whitelist.txt file for players that shouldn't be whitelisted.
- Make sure to pardon any players that were banned during the griefing raid.
- If you have them, restore your worlds from recent backups.
- Change all the passwords on any entry points for your server (Multicraft, ssh, etc.).
- Start your server back up!
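The log search and the ops.txt / whitelist.txt checks from the steps above, as an added example that is not part of the original guide. The log line layout, the player names and the approved-name list are constructed assumptions; adjust the patterns to your server's actual log format.

```python
import re

# Constructed sample log. The line layout is an assumption; it differs between server versions.
SAMPLE_LOG = """\
2013-02-10 22:41:07 [INFO] xX_Griefer_Xx[/203.0.113.7:51123] logged in with entity id 412
2013-02-10 22:41:30 [INFO] CONSOLE: Opping xx_griefer_xx
2013-02-10 22:42:02 [INFO] xX_Griefer_Xx issued server command: /op Accomplice99
2013-02-10 22:42:15 [INFO] Accomplice99 issued server command: /ban TrustedMod
2013-02-10 22:43:40 [INFO] xX_Griefer_Xx issued server command: /whitelist add ThirdGuy
2013-02-10 22:44:01 [INFO] Steve issued server command: /home
"""

CMD = re.compile(r"\] (\S+) issued server command: /(\S.*)$")
CONSOLE_OP = re.compile(r"\] CONSOLE: Opping (\S+)")

def triage(log_text, suspects):
    """Case-insensitive name search; returns (hits, grants, to_pardon, suspects)."""
    suspects = {s.lower() for s in suspects}
    hits, grants, to_pardon = [], [], []
    for line in log_text.splitlines():
        m, c = CMD.search(line), CONSOLE_OP.search(line)
        if c and c.group(1).lower() in suspects:
            # Opped from the console: look at panel / remote-console logins, not in-game ops.
            grants.append(("CONSOLE", "op", c.group(1)))
        elif m and m.group(1).lower() in suspects:
            issuer, words = m.group(1), m.group(2).split()
            low = [w.lower() for w in words]
            if low[0] == "op" and len(words) > 1:
                grants.append((issuer, "op", words[1]))
                suspects.add(low[1])  # follow the hand-off: the new op is a suspect too
            elif low[:2] == ["whitelist", "add"] and len(words) > 2:
                grants.append((issuer, "whitelist", words[2]))
                suspects.add(low[2])
            elif low[0] == "ban" and len(words) > 1:
                to_pardon.append(words[1])  # banned during the raid, pardon afterwards
        if any(s in line.lower() for s in suspects):
            hits.append(line)
    return hits, grants, to_pardon, suspects

def unauthorized(file_text, approved):
    """Names in ops.txt or whitelist.txt (one per line) that are not on the approved list."""
    ok = {a.lower() for a in approved}
    names = [n.strip() for n in file_text.splitlines() if n.strip()]
    return [n for n in names if n.lower() not in ok]
```

Start `triage` with the names you saw griefing; the returned suspect set also contains every account they opped or whitelisted, which is the list to remove from ops.txt, whitelist.txt and your permissions files.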
Okay, Crisis Averted, Now What?
Now that the initial crisis is averted, let's run through a list of possible entry points the attackers could have gotten in through, and how to avoid things like this happening in the future.
- Change all default passwords to a secure password. Yes, that's right, make sure there are no default passwords lingering. Check your password strength using a site like this: http://howsecureismypassword.net/
  Places to check: MultiCraft, McMyAdmin, Spacebukkit, rtoolkit
- If you're using rtoolkit, either disable telnet access, or remove the default user with the command ".userremove user" in the server console (this is how the attackers got into my server, using the default username "user" and the password "pass"... I thought I had it disabled).
- If you don't have a backup plugin, get one immediately. Here's a good one to try: http://dev.bukkit.org/server-mods/minebackup/
- Keep offsite backups! Sometimes griefers tell the backup plugin you have installed to delete all the backups, so it's always a good idea to download a few backups to another location. (The backup plugin I have listed above does not have a delete backups command.) Also, sometimes admins go bad and decide to wreck your server, so having a complete, recent backup in case of emergencies is always EXTREMELY important!
- Don't give OP to new players. Seriously, that command should be banned from all servers and everyone should have to use permissions.
- Install a logging plugin. I use LogBlock on my server, but Hawkeye and Prism also work.
- Keep your server up to date and don't use dev builds! That's correct, not updating can leave you and your server vulnerable.
Hopefully this guide helps you guys out. I have averted quite a few server griefing teams on different servers that have called out to me for help using these simple steps. Avoid being the next server that shuts down or resets the map due to a griefing team rolling through, and just be able to keep on going like nothing ever happened. ;) I bet the only evidence my users will notice (this was done at a time when only 1 player was online) is the post I posted on my website about it. :D
If this guide has helped you out, please consider giving it a diamond.
Credit: Thanks to the griefing team that rolled through my and my friend's servers. With this simple plan we averted quite a major disaster.
"Install a logging plugin. I use LogBlock on my server, but Hawkeye and Prism also work." ~ Quote from article.