LuckPerms

LuckPerms

905k Downloads

Luckperms got Compromised?

kenjisaturo opened this issue ยท 10 comments

commented

Description

Just earlier, our server's luckperms got hacked by external people even though we did not give them any permission on the hosting. May I know how to prevent this or how did they do this?

Reproduction Steps

Let me know of a solution on how to prevent this.

Expected Behaviour

I expect to get the correct explanation and answer to our problem as server owners.

Server Details

RPG

LuckPerms Version

5.4.40

Logs and Configs

No response

Extra Details

No response

commented

image (3)
This is the picture when they're messing with the Luckperms where they shouldn't have any access to begin with.

commented

Has LuckPerms been exploited/hacked?

Most certainly: no. In most cases a 'LuckPerms exploit' is a simple case of human error, which can be avoided easily. Look below for some tips to be on the safe side.

Don't give random people full ( * ) permissions / admin permissions

While this should be obvious, a lot of times a exploit can be traced back to faulty permission settings. You should always take your time with permissions and read the plugin documentations. In 99% of all cases the plugins have documentations explaining each permission, in the rare case that the plugin you are using does not have a documentation, you could still:
A: Ask the plugin developer for help
B: Use LuckPerms verbose functionality ( !verbose )
C: Select a different plugin with proper documentation.

Do not run your server/network in offline mode

If you are running your server or network in offline mode, hackers have it really easy to steal your, or any other admins identity. While the server is in offline mode, certain checks ( which exist to prevent exactly this ), are being skipped, and the server does not verify if the person joining actually is the person they claim to be. While there may be plugins which increase the security of offline mode servers by adding things such as admin codes, you should just switch it to online to prevent the issue in the first place.

Do not download plugins from shady websites / sent by friends

You should never put anything on your server which has not been downloaded by yourself from official sources. Plugins can be infected with malware which injects itself into all other plugins, and thus is hard to remove. While it may look like a plugin has been hacked, you most certainly downloaded a modified version of it and it is not the plugin authors fault. In case your server has been infected by such malware:

  1. Stop the server
  2. Delete all plugins in your plugins folder, and just to be safe also the server jar file
  3. Re-Download all plugins and server jar files from official websites such as SpigotMC or official plugin websites ( luckperms.net for example ).
  4. Check if there have been any modifications to the permission system and remove unknown users and wrong permissions.

If you follow these steps you should have a clean server by the end, without exploits.

commented

also see #3724

commented

We've been using Luckperms since 2020, this is the first time this happened and we were shocked as we also changed our Luckperms plugin to a better one.

commented

based off the fact that your editor screenshot shows all alex/steve skins, either your network is misconfigured, or you just use offline mode. neither of those are the fault of luckperms.

commented

We restarted the server because of bot attacks then when the server opens, all our perms as well as the owner's/admin's perms gone. That screenshot came from one of our guy watching the stream of the person who has a permission using something in luckperms.

commented

We were shocked as this was the first time it happened after 4 years of using luckperms. We've encountered a lot of DDOS attack but this is the first time we encountered someone outside accessing luckperms of our server without any "access" in our hosting.

commented

What happened in #3724 is kind of similar but different, because the guys who hacked our LP is not using Aristois client but just the luckperms application or web app.

commented

As per Frypan, whether intentional or not, your server is running in offline mode. This was either an intentional choice (in which case, this is what happens when you disable security settings), or you're running an improperly configured Bungeecord network, and a malicious actor was able to bypass the proxy and connect directly to the backend.

Either way, the attack vector is most likely the following:

  • Malicious actor learns the username of someone with full permissions
  • Malicious actor connects to the offline mode server using that username, thus connecting with full permissions
  • Malicious actor uses their full access to give their own account full permissions
  • Malicious actor rejoins on their own account, and starts doing whatever the hell they want

Either way, this is not the fault of LP. If you can find concrete evidence that LP is vulnerable and allowed this permission escalation on it's own, please report that privately to Luck or a support team member. Otherwise, this is closed as not an issue.

commented

Understood. Thank you still for entertaining!