Comments (10)
This is the picture when they're messing with the Luckperms where they shouldn't have any access to begin with.
from luckperms.
Has LuckPerms been exploited/hacked?
Most certainly: no. In most cases a 'LuckPerms exploit' is a simple case of human error, which can be avoided easily. Look below for some tips to be on the safe side.
Don't give random people full ( * ) permissions / admin permissions
While this should be obvious, a lot of times an exploit can be traced back to faulty permission settings. You should always take your time with permissions and read the plugin documentation. In 99% of all cases the plugins have documentation explaining each permission. In the rare case that the plugin you are using does not have documentation, you could still:
A: Ask the plugin developer for help
B: Use LuckPerms verbose functionality ( !verbose )
C: Select a different plugin with proper documentation.
Do not run your server/network in offline mode
If you are running your server or network in offline mode, hackers have it really easy to steal your, or any other admin's, identity. While the server is in offline mode, certain checks (which exist to prevent exactly this) are being skipped, and the server does not verify if the person joining actually is the person they claim to be. While there may be plugins which increase the security of offline mode servers by adding things such as admin codes, you should just switch it to online to prevent the issue in the first place.
Do not download plugins from shady websites / sent by friends
You should never put anything on your server which has not been downloaded by yourself from official sources. Plugins can be infected with malware which injects itself into all other plugins, and thus is hard to remove. While it may look like a plugin has been hacked, you most certainly downloaded a modified version of it and it is not the plugin author's fault. In case your server has been infected by such malware:
- Stop the server
- Delete all plugins in your plugins folder, and just to be safe also the server jar file
- Re-download all plugins and server jar files from official websites such as SpigotMC or official plugin websites (luckperms.net for example).
- Check if there have been any modifications to the permission system and remove unknown users and wrong permissions.
If you follow these steps you should have a clean server by the end, without exploits.
from luckperms.
also see #3724
from luckperms.
We've been using Luckperms since 2020, this is the first time this happened and we were shocked as we also changed our Luckperms plugin to a better one.
from luckperms.
based off the fact that your editor screenshot shows all alex/steve skins, either your network is misconfigured, or you just use offline mode. neither of those are the fault of luckperms.
from luckperms.
We restarted the server because of bot attacks, then when the server opened, all our perms as well as the owner's/admin's perms were gone. That screenshot came from one of our guys watching the stream of the person who has a permission using something in luckperms.
from luckperms.
We were shocked as this was the first time it happened after 4 years of using luckperms. We've encountered a lot of DDOS attack but this is the first time we encountered someone outside accessing luckperms of our server without any "access" in our hosting.
from luckperms.
What happened in #3724 is kind of similar but different, because the guys who hacked our LP is not using Aristois client but just the luckperms application or web app.
from luckperms.
As per Frypan, whether intentional or not, your server is running in offline mode. This was either an intentional choice (in which case, this is what happens when you disable security settings), or you're running an improperly configured Bungeecord network, and a malicious actor was able to bypass the proxy and connect directly to the backend.
Either way, the attack vector is most likely the following:
- Malicious actor learns the username of someone with full permissions
- Malicious actor connects to the offline mode server using that username, thus connecting with full permissions
- Malicious actor uses their full access to give their own account full permissions
- Malicious actor rejoins on their own account, and starts doing whatever the hell they want
Either way, this is not the fault of LP. If you can find concrete evidence that LP is vulnerable and allowed this permission escalation on its own, please report that privately to Luck or a support team member. Otherwise, this is closed as not an issue.
from luckperms.
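The two root causes named in this thread, an offline-mode backend that anyone can join under an admin's username, and wildcard ( * ) permissions handed out too freely, are both things an operator can check for before the server goes live. The script below is an added example written for this thread, not LuckPerms project code and not a tool the maintainers ship. It reads the real `online-mode` key of `server.properties` and the real `settings.bungeecord` key of `spigot.yml` (both constructed samples here, with the regex kept deliberately minimal so the script needs no PyYAML), and it audits a constructed group-to-permission map in the shape you would get from a LuckPerms export. The finding codes and the `SAMPLE_PERMISSIONS` contents are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed server.properties sample: an offline-mode server, the situation
# described in the thread (this is not taken from the reporter's server).
SERVER_PROPERTIES = """\
# Minecraft server properties
online-mode=false
server-port=25565
"""

# Constructed spigot.yml fragment. `settings.bungeecord` is the real key that
# tells a backend to trust player identity forwarded by a BungeeCord proxy.
SPIGOT_YML = """\
settings:
  bungeecord: false
  timeout-time: 60
"""

# Constructed permission export: group name -> granted nodes (assumed shape).
SAMPLE_PERMISSIONS: Dict[str, List[str]] = {
    "Owner": ["*"],
    "Builder": ["worldedit.*", "essentials.fly"],
    "Newbie": ["essentials.spawn"],
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines of a Java .properties file, skipping comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def spigot_bungeecord_enabled(text: str) -> bool:
    """Minimal check for `bungeecord: true` under `settings:` in spigot.yml."""
    match = re.search(r"^\s+bungeecord:\s*(true|false)", text, re.MULTILINE)
    return match is not None and match.group(1) == "true"


def audit_online_mode(properties_text: str, spigot_text: str) -> List[str]:
    """Return finding codes for the identity-verification configuration.

    OFFLINE_NO_PROXY    - online-mode=false and no proxy trust: any client can
                          join under any username, including an admin's.
    OFFLINE_BEHIND_PROXY - online-mode=false but bungeecord is enabled: the
                          proxy does the check, so the backend port must not
                          be reachable directly (bind address / firewall).
    """
    props = parse_properties(properties_text)
    online = props.get("online-mode", "true").lower() == "true"
    if online:
        return []  # the server verifies players against the session service itself
    if not spigot_bungeecord_enabled(spigot_text):
        return ["OFFLINE_NO_PROXY"]
    return ["OFFLINE_BEHIND_PROXY"]


def audit_wildcards(perms: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List (holder, node) pairs where a node is `*` or a plugin-wide `x.*`."""
    findings: List[Tuple[str, str]] = []
    for holder, nodes in perms.items():
        for node in nodes:
            if node == "*" or node.endswith(".*"):
                findings.append((holder, node))
    return findings


if __name__ == "__main__":
    for code in audit_online_mode(SERVER_PROPERTIES, SPIGOT_YML):
        print("config:", code)
    for holder, node in audit_wildcards(SAMPLE_PERMISSIONS):
        print(f"permissions: {holder} holds wildcard {node!r}")
```

With the constructed samples the config check reports `OFFLINE_NO_PROXY`, which is exactly the state that lets someone join as an admin's username, and the permission audit flags the `*` grant on Owner and the `worldedit.*` grant on Builder for review. A proxied network where `bungeecord: true` is set should additionally confirm that the backend port is not exposed, since that is the bypass described in the thread.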
Understood. Thank you still for entertaining!
from luckperms.