PSA : Minecraft Server Exploit Discovered, Update Immediately!

Hi there, everybody.

This is just a quick PSA to let everybody know that a recently discovered exploit has caused a bit of a storm on many servers, including our own beloved PMC Server. The issue affects CraftBukkit (and anything built on it, such as Spigot) and vanilla servers, so no matter what server software you are running, I recommend you read this post.

The exploit allowed attackers to log in as any user on the server, causing havoc and doing as they pleased. Luckily, thanks to the efforts of md_5, Dinnerbone and others, a patch was quickly devised and rolled out to many affected implementations.

PMC urges you to update your CraftBukkit/Spigot/etc. server to the latest development build that includes the fix.

For CraftBukkit, go here: http://dl.bukkit.org/downloads/craftbukkit/ (build #2865 or later)
For Spigot, upgrade to at least build #1090

For information on how this all "started", the original Reddit thread is here: http://www.reddit.com/r/admincraft/comments/1llt2h/craftbukkit_fix_for_authentication_exploit/

Please note, though, that while this will close this hole, there may still be others, and I don't want owners to think they are completely 100% safe from something like this ever happening again. Please take precautionary measures to protect the moderator/administrator accounts on your own servers. Plugins such as SecuritySystem by Lord_Ralex of MinecraftForums (http://ae97.net/projects/securitysystem/) lock users to their IP address and deny entry from any other address until another administrator approves the IP change. There are many similar systems on BukkitDev, but this is the one we're using on the PMC Server as of now.
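As an added example (not SecuritySystem's own code and not part of the original post), here is a minimal Bukkit plugin doing what that paragraph describes: a staff account locked to one IP is refused at login from any other address until a second administrator approves the new address with a command. The package, plugin class, command and permission names are made up, and a matching plugin.yml declaring the `stafflock` command is assumed.

```java
package example.stafflock; // hypothetical package name

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.bukkit.command.Command;
import org.bukkit.command.CommandSender;
import org.bukkit.event.EventHandler;
import org.bukkit.event.Listener;
import org.bukkit.event.player.PlayerLoginEvent;
import org.bukkit.plugin.java.JavaPlugin;

public final class StaffLockPlugin extends JavaPlugin implements Listener {
    // Lower-cased staff name -> the single IP that account may log in from.
    // Kept in memory only; a real plugin would persist this in its config.
    private final Map<String, InetAddress> lockedIps = new ConcurrentHashMap<>();

    @Override
    public void onEnable() {
        getServer().getPluginManager().registerEvents(this, this);
    }

    @EventHandler
    public void onLogin(PlayerLoginEvent event) {
        String name = event.getPlayer().getName().toLowerCase();
        InetAddress expected = lockedIps.get(name);
        if (expected == null) return; // not a locked (staff) account
        if (!expected.equals(event.getAddress())) {
            // During an auth bypass the username proves nothing, so the
            // connection address is the only check we still control.
            event.disallow(PlayerLoginEvent.Result.KICK_OTHER,
                "Staff account is locked to another IP; ask an admin for /stafflock approve");
            getLogger().warning("Refused " + name + " from " + event.getAddress());
        }
    }

    @Override
    public boolean onCommand(CommandSender sender, Command cmd, String label, String[] args) {
        // /stafflock approve <name> <ip>  -- a second admin records the new address
        if (!sender.hasPermission("stafflock.admin") || args.length != 3
                || !args[0].equalsIgnoreCase("approve")) {
            return false; // prints the usage line from plugin.yml
        }
        try {
            lockedIps.put(args[1].toLowerCase(), InetAddress.getByName(args[2]));
        } catch (UnknownHostException e) {
            sender.sendMessage("Not a valid IP: " + args[2]);
            return true;
        }
        sender.sendMessage("Locked " + args[1] + " to " + args[2]);
        return true;
    }
}
```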


09/03/2014 10:28 pm
Level 13 : Journeyman Mage
aidanushka-13
What is the server IP to your server, PMC?
10/03/2013 8:55 pm
Level 4 : Apprentice Miner
MisterMasterMine
Just wondering, KingArthur, was there an XvSpitFirevX on that server at that time?
10/04/2013 7:02 am
Level 3 : Apprentice Explorer
Blackjack
No. That little skiddie had nothing to do with it, I'm afraid.
09/30/2013 12:16 am
Level 1 : New Explorer
KIngArthur
This happened to me yesterday: someone logged into my account and then they messed up my server progress. I was an admin on a server, and then someone logged into my account and spammed, got me perma-banned, and I got demoted (my friend is also an admin on the server; he told me). I HATE THIS THING!!!
09/17/2013 2:52 pm
Level 1 : New Modder
Lildirt
I've created my own alternatives to these issues, but I can say that using WorldGuard's hostkey features is fair if you have a domain. Otherwise, a staff-only version of AuthMe works just as well.
09/16/2013 7:02 am
Level 42 : Master Batman
DamnCreeperEater
I was using the build from September 8th, 2013 (a few days after this post) and I had a massive scare on my server. A few players (I_AM_WILDCAT, lisadaly, azura_hades) were forced op on the server. They made some pretty massive world edits and created multiple "dickfart" worlds. I was able to restore the server using a backup from a few hours before and have it back online within a few hours, but it was quite a scare. I have updated to the build released last night (September 15th, 2013) and have seen no sign of them returning.
09/15/2013 11:46 pm
Level 15 : Journeyman Architect
sinfulgodofwar
#1091 of Spigot does not fix the problem; I repeat, updating to this build does not fix the problem. Had someone on my server today performing this exploit. In the process of applying AuthMe to fix this issue until a more suitable fix comes. I do not know if the exploit works on builds after 1091. Just a PSA.
09/14/2013 1:48 pm
Level 2 : Apprentice Explorer
BetaSpark
Thank you so much; I've always used AuthMe.
09/14/2013 10:21 am
Level 1 : New Cake
octyenoch
While it doesn't stop this from happening, another good plugin is CoreProtect, to clean up the mess. Just a few seconds to undo all of the replace-with-lava WorldEdits that they did. So just a couple of minutes to get my bearings, ban the IPs, unban my admins, and roll back only the changes that they did... the only thing hurt was my faith in humanity.
09/13/2013 1:47 pm
Level 9 : Apprentice Mage
oInward
Well, this explains the "admins" griefing and promoting people :/
