Investigating avenue of griefer attack on local (public) server
Giant panda posted this in #questions
Giant panda (OP)
TL;DR - server was public w/o whitelist, got wiped, trying to learn from the mistake.
Disclaimer: I'm a newb to admin/hosting of any kind and I tend to learn by breaking and fixing things.
Environment: MineOS Turnkey VM on Proxmox
I recently spun up a Proxmox image and host MineOS turnkey on it. I did not configure additional users but I changed the root password (IKIK). Been running the server for me and my family for about a week now. The other day, I opened the server up to the internet without whitelist (AND on default port).. yeah, I know. (FWIW online-mode=true).
Well, on Saturday, I noticed logs during one of our sessions, "Server Seeker v2 has disconnected" x3. (I did not see any log INs logged, but haven't dug into the rest of the logs to see -- will do so today).
I immediately turned port forwarding off and then got to work setting up whitelist. Upon reloading the server and logging in to test, the server has been reset to the seed. I had a backup (less about 11 hours of work) that I have since restored.
I intend to check for users that I am unaware of and will pore over the logs, to try to determine exactly where/how they got us.
Can anyone shed any light or advice? I intend to harden my system but would like to learn how they got us, if possible.
Giant panda (OP)
This is the ONLY log with records indicating malicious activity: (attachment: message.txt)
I had chalked the instability up to all the TPs and us being in different parts of the realm.. but after reviewing, it kinda looks suspect. Unfortunately I don't know/have network/performance metrics
@Giant panda TL;DR - server was public w/o whitelist, got wiped, trying to learn from the mistake.
they got you as simple as the username suggests
Server Seeker V2
people scan every single IP out there for Minecraft servers, once they can get a connection and find you it's over if you are not in whitelist and are in offline mode
if you are whitelist and online mode you are pretty fine
but the best way to harden your system is turn On online mode and turn Off show online players
enable this (screenshot attached: image.png)
Giant panda (OP)
You used the tldr and I don't blame you hahaha
(FWIW online-mode=true).
@Giant panda You used the tldr and I don't blame you hahaha
I read it all, kinda, but I read the bottom part to shed light or advice
Giant panda (OP)
I understand how SSv2 found me.. what I don't understand is how in the world my realm was reset. I did not change or manipulate any files or directories when I enabled whitelist. I used the MineOS UI to do so
I suppose I may have to accept these as two separate issues, given my lack of knowledge haha
did you ever rename your server's world folder?
or change the level-name in server.properties?
Giant panda (OP)
I CHANGED THE LEVEL-NAME TO SOMETHING CUTE 🤯
that's why
Checkered Giant
Talking with the owner of SSv2, they don't even fully log in, they simply connect and cancel and that's how it gets the info, it could be corruption on your end or such
the world folder also needs to be changed when you swap your level-name to something else
if it's not, then it doesn't see a world and makes a new one
Giant panda (OP)
And then overwrote the preexisting world?
Or is there a chance that it's in there somewhere?
I don't want to break the news to my 5 year old that I messed up our world hahahaha
Checkered Giant
I don't think it would have overwritten, try changing it back and seeing
it just made a new folder
@Giant panda Or is there a chance that it's in there somewhere?
it's there in the server folder
if you named your world something cute, it'll be called something cute
and the default will be called world
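Added example, not code from the thread or from MineOS: a small Python audit of a Minecraft server directory that checks the server.properties settings discussed above (online-mode, white-list, server-port, hide-online-players) and the level-name versus world-folder mismatch Checkered Giant describes, where a renamed level-name with no matching folder makes the server generate a fresh world. The sample directory, its server.properties and the level-name value are constructed here; the property keys are real Minecraft server.properties keys.

```python
import os
import tempfile

DEFAULT_PORT = "25565"  # Minecraft's default port; mass scanners try it first

def parse_properties(path):
    """Parse Java-style server.properties into a dict; comments and blanks skipped."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def world_dirs(server_dir):
    """World folders are the subdirectories holding a level.dat."""
    return sorted(d for d in os.listdir(server_dir)
                  if os.path.isfile(os.path.join(server_dir, d, "level.dat")))

def audit(server_dir):
    """Return findings for the exposure settings and the level-name/folder mismatch."""
    p = parse_properties(os.path.join(server_dir, "server.properties"))
    findings = []
    if p.get("online-mode", "true") != "true":
        findings.append("online-mode=false: client identities are not verified")
    if p.get("white-list", "false") != "true":
        findings.append("white-list=false: anyone who finds the port can join")
    if p.get("server-port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("server-port=25565: listening on the default port")
    if p.get("hide-online-players", "false") != "true":
        findings.append("hide-online-players=false: status pings list who is online")
    level = p.get("level-name", "world")  # "world" is the server default
    worlds = world_dirs(server_dir)
    if level not in worlds:  # the thread's failure mode: key renamed, folder not renamed
        findings.append(f"level-name={level}: no such folder, a fresh world will be "
                        f"generated on start; worlds present on disk: {worlds}")
    return findings

def build_sample():
    """Constructed fixture mirroring the thread: level-name renamed, folder still 'world'."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "world"))
    open(os.path.join(d, "world", "level.dat"), "wb").close()
    with open(os.path.join(d, "server.properties"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nonline-mode=true\nwhite-list=false\n"
                 "server-port=25565\nlevel-name=something-cute\n")
    return d
```

Run `audit("/path/to/your/server")` against a real server directory; the last finding names the world folders that still exist, which is where a "wiped" world usually turns out to be.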
Giant panda (OP)
Ohh I'm so excited to try to find it. Thank you guys so much for taking the time to educate me.