This news has been updated for more info after Exor has researched deeply.
What happen? (Updated)
Our minecraft server was hacked by someone called "notch" which was using cracked client to name himself "notch". I assumed he watched the real time map and see who is admin of the server and then rename himself to "Brillis18". He can rename himself to anyone because he uses cracked client. So he named himself "Brillis18" because he will retain admin power which is also because "Brillis18" is an admin. He uses "Brillis18" to make "notch" and "jeb_" an admin. He also uses "Brillis18" to add "notch" and "jeb_" to white list. He then log off "Brillis18" and then log in "notch" and "jeb_" -- assuming he had 2 minecraft clients running at same time. He then put ball of lava on Xarta (city). This happened twice.
What did Exor do? (Updated)
After deep research and apparently he did NOT enter ftp server but I have changed the password for ftp just in case. I have the hacker banned via IP address. I have uploaded the back up file to fix the ball of lava. I have enabled "online-mode" for server's protection against hackers. For those people who use cracked client, you are still on white list but you will not be able to enter until you bought the game.
This is necessary to protect server from hackers. This is also ensure that people who have REAL username, not a fake username using cracked client.
EDIT: Found more information of the hacker. The hacker used Deafgeek's ip address to enter our server as "notch" and "Brillis18" and "jeb_" and "exor18". Here's prove:
Real:
>22:42:20 [INFO] deafgeek [/68.207.236.4] logged in
Fake:
>23:23:09 [INFO] Brillis18 [/68.207.236.4] logged in
>23:29:27 [INFO] exor18 [/68.207.236.4] logged in
>23:23:50 [INFO] jeb_ [/68.207.236.4] logged in
>23:29:42 [INFO] notch [/68.207.236.4] logged in
Noticed that all ip address above is same as deafgeek's real ip address.
I also found other people trying to connect (probably more hackers): (Updated)
>00:10:42 [INFO] Disconnecting pyrodogga [/182.239.215.143]: You are not white-listed on this server!
>20:17:49 [INFO] Disconnecting Haruhi [/64.231.25.161]: You are not white-listed on this server!
>22:32:40 [INFO] Disconnecting Geezer12 [/68.207.236.4]: You are not white-listed on this server!
>00:51:23 [INFO] Disconnecting djclov [/70.113.56.244]: You are not white-listed on this server!
>00:58:08 [INFO] Disconnecting sammynibbs [/75.140.2.8]: You are not white-listed on this server!
>03:37:02 [INFO] Disconnecting Ericraft [/122.60.243.190]: You are not white-listed on this server!
>08:52:07 [INFO] Disconnecting shamtin [/131.191.61.16]: You are not white-listed on this server!
>09:28:09 [INFO] Disconnecting beastXL [/206.83.30.40]: You are not white-listed on this server!
Words from deafgeek about this:
12:03 AM - コンリーExor: The same person tried to enter the server using your name. But he cannot enter because his ip address is banned.
12:03 AM - DeafGeek: oh, good you got his IP
12:04 AM - DeafGeek: wait, i am curious waht IP was it
12:04 AM - コンリーExor: www.ipchicken.com
12:04 AM - コンリーExor: give me your ip address
12:04 AM - DeafGeek: 68.207.236.4
12:05 AM - コンリーExor: so... it was you who hacked the server?
12:05 AM - DeafGeek: lemee run antivirus
12:06 AM - DeafGeek: it can be possible i was infected
12:06 AM - DeafGeek: if this scan not show anything, ill do a reformat
12:06 AM - DeafGeek: then let you know
12:06 AM - DeafGeek: was there other IP addresses
12:07 AM - コンリーExor: >23:29:42 [INFO] notch [/68.207.236.4:55709] logged in with entity id 307202 at ([Survival 5] 179.5, 11.620000004768372, 1200.5)
12:07 AM - コンリーExor: that is same ip address as your
12:08 AM - DeafGeek: that was not me
12:08 AM - DeafGeek: yes my IP address
12:08 AM - DeafGeek: but not notch
12:09 AM - DeafGeek: i remember all day today and yesterday my computer was slow
12:10 AM - DeafGeek: I clicked a link 2 days ago and my internet crashed and i t came back on but things was slow
12:11 AM - DeafGeek: I looked at my AV logs it showe dthis, File & Documents Protection
277257files have been scanned
2files were infected and healed
Web & Network Protection
1100512web & network objects have been scanned
293web & network objects were infected and blocked
Email Protection
4emails have been scanned
0emails were infected and healed
12:12 AM - コンリーExor: i suggest change your wan ip
12:12 AM - コンリーExor: because i am afraid to let the ip address you are using to do any harm.
12:12 AM - DeafGeek: first i gotta scan and do a reformat then ill ask dad to call the ISP and see if they can do a WAN ip change
12:12 AM - コンリーExor: that will do.
12:13 AM - DeafGeek: and after IP change and reformat ill change my MC password and all my passwords just in case... ugh...
12:14 AM - DeafGeek: I ama go and reformat, brb in 2 hours
DeafGeek is now Offline.
What happen? (Updated)
Our minecraft server was hacked by someone called "notch" which was using cracked client to name himself "notch". I assumed he watched the real time map and see who is admin of the server and then rename himself to "Brillis18". He can rename himself to anyone because he uses cracked client. So he named himself "Brillis18" because he will retain admin power which is also because "Brillis18" is an admin. He uses "Brillis18" to make "notch" and "jeb_" an admin. He also uses "Brillis18" to add "notch" and "jeb_" to white list. He then log off "Brillis18" and then log in "notch" and "jeb_" -- assuming he had 2 minecraft clients running at same time. He then put ball of lava on Xarta (city). This happened twice.
What did Exor do? (Updated)
After deep research and apparently he did NOT enter ftp server but I have changed the password for ftp just in case. I have the hacker banned via IP address. I have uploaded the back up file to fix the ball of lava. I have enabled "online-mode" for server's protection against hackers. For those people who use cracked client, you are still on white list but you will not be able to enter until you bought the game.
This is necessary to protect server from hackers. This is also ensure that people who have REAL username, not a fake username using cracked client.
EDIT: Found more information of the hacker. The hacker used Deafgeek's ip address to enter our server as "notch" and "Brillis18" and "jeb_" and "exor18". Here's prove:
Real:
>22:42:20 [INFO] deafgeek [/68.207.236.4] logged in
Fake:
>23:23:09 [INFO] Brillis18 [/68.207.236.4] logged in
>23:29:27 [INFO] exor18 [/68.207.236.4] logged in
>23:23:50 [INFO] jeb_ [/68.207.236.4] logged in
>23:29:42 [INFO] notch [/68.207.236.4] logged in
Noticed that all ip address above is same as deafgeek's real ip address.
I also found other people trying to connect (probably more hackers): (Updated)
>00:10:42 [INFO] Disconnecting pyrodogga [/182.239.215.143]: You are not white-listed on this server!
>20:17:49 [INFO] Disconnecting Haruhi [/64.231.25.161]: You are not white-listed on this server!
>22:32:40 [INFO] Disconnecting Geezer12 [/68.207.236.4]: You are not white-listed on this server!
>00:51:23 [INFO] Disconnecting djclov [/70.113.56.244]: You are not white-listed on this server!
>00:58:08 [INFO] Disconnecting sammynibbs [/75.140.2.8]: You are not white-listed on this server!
>03:37:02 [INFO] Disconnecting Ericraft [/122.60.243.190]: You are not white-listed on this server!
>08:52:07 [INFO] Disconnecting shamtin [/131.191.61.16]: You are not white-listed on this server!
>09:28:09 [INFO] Disconnecting beastXL [/206.83.30.40]: You are not white-listed on this server!
Words from deafgeek about this:
12:03 AM - コンリーExor: The same person tried to enter the server using your name. But he cannot enter because his ip address is banned.
12:03 AM - DeafGeek: oh, good you got his IP
12:04 AM - DeafGeek: wait, i am curious waht IP was it
12:04 AM - コンリーExor: www.ipchicken.com
12:04 AM - コンリーExor: give me your ip address
12:04 AM - DeafGeek: 68.207.236.4
12:05 AM - コンリーExor: so... it was you who hacked the server?
12:05 AM - DeafGeek: lemee run antivirus
12:06 AM - DeafGeek: it can be possible i was infected
12:06 AM - DeafGeek: if this scan not show anything, ill do a reformat
12:06 AM - DeafGeek: then let you know
12:06 AM - DeafGeek: was there other IP addresses
12:07 AM - コンリーExor: >23:29:42 [INFO] notch [/68.207.236.4:55709] logged in with entity id 307202 at ([Survival 5] 179.5, 11.620000004768372, 1200.5)
12:07 AM - コンリーExor: that is same ip address as your
12:08 AM - DeafGeek: that was not me
12:08 AM - DeafGeek: yes my IP address
12:08 AM - DeafGeek: but not notch
12:09 AM - DeafGeek: i remember all day today and yesterday my computer was slow
12:10 AM - DeafGeek: I clicked a link 2 days ago and my internet crashed and i t came back on but things was slow
12:11 AM - DeafGeek: I looked at my AV logs it showe dthis, File & Documents Protection
277257files have been scanned
2files were infected and healed
Web & Network Protection
1100512web & network objects have been scanned
293web & network objects were infected and blocked
Email Protection
4emails have been scanned
0emails were infected and healed
12:12 AM - コンリーExor: i suggest change your wan ip
12:12 AM - コンリーExor: because i am afraid to let the ip address you are using to do any harm.
12:12 AM - DeafGeek: first i gotta scan and do a reformat then ill ask dad to call the ISP and see if they can do a WAN ip change
12:12 AM - コンリーExor: that will do.
12:13 AM - DeafGeek: and after IP change and reformat ill change my MC password and all my passwords just in case... ugh...
12:14 AM - DeafGeek: I ama go and reformat, brb in 2 hours
DeafGeek is now Offline.
3
comments
DeafGeek Ok, IP address changed, computer was reformatted, now reinstalling all of my programs and downloading my games on steam.
drbam15 o.0... ouch!!!
Luke Two people used name "notch" and "jeb_" too. I saw them.
Well, I have plan to buy minecraft account ...
