This Minecraft Player Just Secretly Hacked Over 300 Servers…

A few weeks ago, the biggest Minecraft backdoor in history secretly happened. Over 300 Minecraft servers, including my own, were completely vulnerable and taken over, with the hacker having almost full remote control over the servers and able to do whatever he wanted with them. The hacker had the ability to destroy, grief, and delete every file from all these servers entirely. Hundreds of server files were stolen, worth potentially hundreds of thousands of dollars combined. And the only reason this smart exploiter was caught was because of one little user error he made. Which raises the question: how did he do it? Well, first let's talk about what actually happened and what a Minecraft backdoor even is in the first place. A backdoor in the context of Minecraft servers refers to when a Minecraft plugin, which is like a mod, but for a server, contains malicious hidden code that allows exploiters to do things on the server they aren't normally meant to be able to do. Backdoors can be as simple as allowing players to access operator commands like creative when they type a hidden command in game that only they know. But they can also be significantly more dangerous and powerful, allowing malicious players to gain full control over a server's console and files, as you'll see later. Backdoors are very rare. The vast majority of servers either use plugins they create themselves or popular plugins that have been downloaded tens of thousands of times. And since the only way for a backdoor to get into a plugin is for a malicious developer to code one in themselves, you just don't ever see it happen. If it ever does occur, it only happens on extremely niche small servers with extremely niche plugins, meaning it is never widespread, but isolated to just a few servers or a single one, such as the 2b2t backdoor exploits.
However, there is one other scenario where backdoors can occur, which is much scarier and much more widespread, and that's if a malicious third party somehow gains access to or can modify an already existing, popular, trusted plugin without the original plugin creators knowing. Essentially, a malicious player hiding code in a plugin from not only the server owners, but also the plugin developers, with tens of thousands of people downloading it, none the wiser. Which brings us to our story today. This is a plugin called Z Auction House. It is a plugin I had on my server, and it is extremely popular. In fact, you can even see on the plugin's Spigot page that it is used by around 2,500 servers, which combined reach a total of 20,000 concurrent players daily. Hundreds of thousands of players are interacting with it each day. In fact, even the plugin's description states it is the most used auction house plugin in the world. So, why is the plugin so prevalent and popular? And what does it do? Well, my server's new RPG survival game mode used it, and it was very important to the server's economy and player trade. You see, most Minecraft servers have a variety of custom items, weapons, enchantments, and other goods, which have value in in-game money. For example, my server had custom enchantment runes you could put on weapons, armor, and tools, such as this one here called Roped Arrow, which allows arrows to pull players forward, or this one here called Executioner, which allows players to decapitate mobs. Some of these runes were so powerful or had such useful abilities, such as this tunneling rune or molineer rune, that they could only be obtained rarely from the server's various custom PvE dungeons, which are also very challenging to beat. So, players who were lucky enough to get these runes and wanted to sell them for money could list them on the auction house for a specific price.
And other players who wanted those runes but weren't lucky enough to get them yet could buy them. And this is the same process for all items, although the auction house is most commonly used for valuable items like spawners and highly enchanted gear. Anybody can list things for sale globally here, and anybody can buy them if they have enough money. You could even have it so that players bid for items, like we had at the player-run market on our server's other survival game mode. It was a very configurable and well-made plugin that was essential to the functioning of the economy on almost all servers, which is why so many servers used it and had been doing so for years. As you can see, Z Auction House was a very popular plugin. In fact, the developer of the Z Auction House plugin actually makes dozens of other very popular plugins, which together have tens of thousands of downloads on Spigot combined. And one other place these plugins could be bought and downloaded was the dev's official website, known as Group Z. This website was actually the most common place server owners downloaded new versions of the plugin when it was updated. And this is where the issue begins. A few months ago, an announcement was made in the Z Auction House plugin Discord, warning all server owners that the downloads for Z Auction House and another plugin named Z Menu on the Group Z website had been compromised and malicious code had been included in them. My server was also compromised alongside hundreds of others, with the malicious player using our server's custom Discord bot to send messages in our Discord showing that they had access to things they simply weren't meant to. We immediately panicked, but luckily the hacker didn't do anything malicious, at least not yet, and wanted to get in contact with us, where he gave me the full rundown of what exactly he managed to do.
This player, who wants to remain anonymous and asked me to refer to them only as Hess, gave me the full explanation of how he did it. Hess is a Minecraft server exploiter and griefer. He likes to find vulnerabilities in servers and plugins. One day, as he was looking for popular Minecraft plugins to try to find vulnerabilities in, he came across the official Z Auction House website, Group Z. He then checked a website called Intel X, a website with a search engine and data archive that is used for investigating data breaches, which contains information from public data leaks. Hess discovered that a user with administrator access to the Group Z website had their username and password leaked and archived on Intel X. This user had saved his Group Z login credentials in Chrome, which were then stolen by some other malicious program months or even years prior. Now, that's not that uncommon. Many of you have probably had some of your details stolen or leaked in data breaches. But the thing is, the Group Z website also had poor security. It had no two-factor authentication, and as such, once Hess had the username and password of this administrator account, he could simply log in. From there, he quietly uploaded his own modified backdoor version of the Z Auction House plugin and another plugin called Z Menu. As he told me, the backdoor was hidden very deep in the plugin and remained undetected for some time. In fact, it wouldn't be until 3 weeks after he uploaded the backdoored plugins to the Group Z website that it was discovered, due to a user error he had made. 3 weeks is a very long time for an infected plugin to remain inconspicuous, especially one as popular as Z Auction House. And just like that, many unknowing server owners downloaded and added or updated Z Auction House and Z Menu on their servers without realizing what had happened, and were now backdoored. So, what did Hess's backdoor do, and how did it work? As I mentioned, two plugins were backdoored.
Z Auction House and another plugin called Z Menu, which we will talk about soon. The first plugin, Z Auction House, was modified to contain commands that allowed Hess to run operating-system-level commands through Minecraft. Essentially, with these in-game commands, he could remotely access all files on a server and modify them. He also set his backdoor up so that whenever a server with the backdoored version of the plugin was online, it would send an alert to his Discord notifying him so he could check it out. Here's what would happen when he joined one of the servers he had backdoored. The first thing he would do is execute two specific RCE, or remote code execution, commands in game, one of which would download a reverse shell and the other execute it. A reverse shell is essentially a connection from the backdoored server to Hess's own computer. Normally, when servers are hacked, players gain access to the server's existing console, but a reverse shell is sort of the opposite. It involves the attacker running code or executing commands that make the server initiate a connection back to the attacker's PC. So in this case, the two commands Hess ran would make the server initiate a connection to his computer, where he could then run a variety of commands to take and download all the server files, including their custom plugins, world saves, databases, and configs, which, depending on the server, could be worth tens of thousands of dollars. The next thing he would usually do is gain access to the server's Discord bot. You see, almost all Minecraft servers have a custom Discord bot with special server commands and functions. For example, our server's Discord bot allows players to link their Discord to their in-game account, which automatically syncs their in-game ranks to Discord and gives them a role. These bots usually have administrator-level permissions in the Discord.
And as such, when Hess gets the bot's token, he can log in as the bot to do a bit of trolling and potentially nuke the Discord, or just get the server owner's attention so they contact him, as he did with us. Now, the other backdoored plugin was Z Menu. This plugin is used to create custom menus and GUIs for a variety of different functions. For example, our RPG survival server has a custom class system where players can select a class when they first join that gives them a variety of special abilities and perks. Players can upgrade their class and abilities through a custom GUI we made, which is something Z Menu could be used for. While we didn't use this plugin on our server personally, it is also very popular, used by about 2,800 servers, which combined peak at over 15,000 players daily. As Hess told me, the Z Menu backdoor he created was significantly more advanced. Unlike the Z Auction House backdoor, the Z Menu backdoor plugin ran remote Java code on the backdoored server automatically every time the server started up or restarted. He didn't even need to join the server and run commands to gain access to it. This hidden Java code would automatically initiate the request to connect to his computer for him, entirely remotely. From there, he could do the same as he did with the Z Auction House backdoor and download the server files or do whatever he pleased, except he could do it all while leaving essentially no trace. This backdoor was clearly extremely powerful. In fact, it's the biggest known Minecraft plugin backdoor to date. As mentioned earlier, it took almost 3 weeks for the backdoor to be discovered, which only happened due to a user error Hess made, where one of the backdoored servers happened to investigate the CoreProtect logs of the Minecraft account from which he executed his RCE commands. The CoreProtect logs of a Minecraft account simply show the blocks that account has broken, the commands it has executed recently, and much more.
And this server managed to see the RCE commands he had executed and reported it to the Z Auction House dev. He forgot to clear these server logs to remove traces of his commands. And it was purely by chance that they checked his logs at all. As he told me, the backdoored plugins were downloaded about 500 times in total, affecting over 300 servers, including some big notable ones such as Renarok, which is one of the biggest French Minecraft servers, seeing almost 1,000 players online daily; Hiltscraft, a somewhat popular Brazilian server; Sharpness.gg, a PvP server run by the YouTuber Sharpness; and many more, obviously including my own, og-network.net. He would only join servers which had notable player counts, though, ignoring most of the ones with player counts under 50. Even months after the backdoor was discovered, there were still dozens of backdoored servers pinging Hess's Discord bot. But here's the thing: Hess didn't actually grief any servers with this backdoor. All the recent videos on his channel were not connected to the backdoor whatsoever. As he told me, not a single piece of data was destroyed due to the backdoor. And his main motivation was just to see if he could get access to a server, as well as creating and coding the actual backdoor structure. He downloaded around 40 medium-to-large server files in total, which he tells me he keeps to see how they work, as well as to judge them for their code quality. The backdoor is now officially dead, with his domain expiring recently, and the whole event will most likely be forgotten. Not because the power of the backdoor was weak, but because the individual who backdoored all the servers didn't want to do damage with it. If he wanted to, he could have created an absurdly huge mess. Hundreds of unsuspecting Minecraft servers could have had their files deleted, something that likely would have made news worldwide. Be sure to check out my server's new RPG survival game mode.
IP is in the description, and be sure to subscribe. Thank you all so much for watching.
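The two things a server owner could have done about a swapped download like the one described above are to pin the hash of a plugin build they have vetted and to triage any new JAR for the capabilities both backdoors needed (spawning OS processes, opening outbound connections, loading code at runtime). The following script is an added example and is not code from the video, from Hess, or from the Group Z project; the JARs it audits are constructed in memory with fake class bodies, and the `fr.example` package names are invented.

```python
"""Pin-and-triage check for a Spigot/Paper plugin JAR (added example)."""
import hashlib
import hmac
import io
import zipfile

# JDK constant-pool strings a class must contain to use these APIs.
# Heuristic only: update checkers and webhook plugins also trigger them,
# so a hit means "read this class", not "this is a backdoor".
INDICATORS = {
    "process exec": [b"java/lang/ProcessBuilder", b"java/lang/Runtime"],
    "outbound network": [b"java/net/URL", b"java/net/Socket",
                         b"java/net/http/HttpClient"],
    "dynamic class loading": [b"java/net/URLClassLoader", b"defineClass"],
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_pinned(data: bytes, expected_sha256: str) -> bool:
    """True only if the download matches the hash recorded when it was vetted."""
    return hmac.compare_digest(sha256_of(data), expected_sha256.lower())

def audit_jar(data: bytes) -> dict:
    """Map each .class entry that references a flagged API to the indicator names."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            blob = zf.read(name)
            hits = [label for label, needles in INDICATORS.items()
                    if any(n in blob for n in needles)]
            if hits:
                findings[name] = hits
    return findings

def build_sample_jar(classes: dict) -> bytes:
    """Constructed test input: a zip with fake .class bodies, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.yml", "name: SamplePlugin\nmain: fr.example.Main\n")
        for path, body in classes.items():
            zf.writestr(path, body)
    return buf.getvalue()

MAIN = b"\xca\xfe\xba\xbe...org/bukkit/plugin/java/JavaPlugin...onEnable..."
CLEAN_JAR = build_sample_jar({"fr/example/Main.class": MAIN})
# Constructed stand-in for a trojanised build: an extra class that reaches
# for a URL and ProcessBuilder, the shape of a "fetch and run" startup hook.
TROJAN_JAR = build_sample_jar({
    "fr/example/Main.class": MAIN,
    "fr/example/util/Loader.class":
        b"\xca\xfe\xba\xbe...java/net/URL...java/lang/ProcessBuilder...",
})
PINNED = sha256_of(CLEAN_JAR)  # the value you would record after vetting a release

if __name__ == "__main__":
    for label, jar in (("clean", CLEAN_JAR), ("trojan", TROJAN_JAR)):
        print(label, "pinned hash ok:", verify_pinned(jar, PINNED),
              "findings:", audit_jar(jar))
```

A hash mismatch on a file fetched from the vendor's own site is exactly the signal that was missing here; the indicator scan then tells you which classes to open in a decompiler.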

A few months ago, almost entirely secretly, the biggest backdoor exploit in Minecraft history quietly went off without a hitch, impacting over 300 servers…

Join my server's new RPG Survival gamemode: rpg-smp.net
Discord: https://discord.gg/ognetwork
Bedrock Port: 19132

My Patreon (exclusive censored content, worlds and plugins) – https://www.patreon.com/TheMisterEpic

——————————————————————–
Want to run your own Minecraft server with friends or a community?
Get a 25% discount on hosting with code “Epic”!
https://shockbyte.com/partner/themisterepic
——————————————————————–

Thanks for watching! Subscribe and Join My Discord!
Discord – https://discord.gg/WGc9UNM
Twitter – https://twitter.com/TheMisterEpicYT
Twitch – https://www.twitch.tv/themisterepicyt
Instagram – https://www.instagram.com/themisterepic
My Subreddit – https://www.reddit.com/r/themisterepic/

0:00 – Intro
0:38 – A Minecraft Backdoor.
2:14 – A Very Popular Plugin
4:36 – Getting The Backdoor
6:52 – What Did It Do?
9:39 – How Much Damage Was Done?

Music Used:
1. Scott Buckley – Dragons Lullaby
2. DBadge – Lucky Star (https://www.youtube.com/watch?v=sF890MaKs1Y&ab_channel=DBadge)
3. Scott Buckley – Rites of Passage
4. Scott Buckley – Sanctuary
5. Scott Buckley – Signal to Noise

If there is any content in this video which you own and would like removed, then please contact me and I will be happy to oblige.

47 Comments

  1. Dude sounds super benevolent! Just like, found an admin account on a popular plugin website and repo- oh he used it to log in, okay cool!

    And then he replaced the plugin with a dummy version that would show everyone that it was ha- oh no he replaced it with a version with an RCE vulnerability.

    And then he told pe- oh he just waited and collected illicit access to a ton of servers.

    And then he told the server owner– oh no he stole all their files for "research" and did nothing until he got caught.

    But hey, at least he didn't like, literally nuke every server and doxx everyone I guess, so he's a real stand-up guy. In all seriousness I'm pretty sure if this guy gets found out he's going to jail.

  2. So to review: 1. Hacker finds admin account on data leak website and realises they can get in without 2FA. 2. Doesn't report immediately to the developers of the plugin that they found this leaked account data, and instead 3. They develop a comprehensive backdoor/remote code execution exploit toolset that would have taken a while to develop, using these two plugins for "fun". 4. Hacker makes a mistake alerting a server staff member in one of the servers, and that server reports the issue to the plugin creators. 5. Hacker alerts servers that they have been breached, acting like a white hat hacker and telling them how to fix it. Conclusion: this isn't an innocent white hat hacker; this is the actions of someone who got caught so had to act like a white hat.

  3. Hey all he did was break in and photocopy all their important documents. But at least he didn't burn down the house! He even came clean after he was caught. What a real bro.

  4. Honestly "I felt like coding a backdoor but didn't feel like doing any damage" is kinda hilarious.
    The dude didn't mean any harm. He just wanted to solve a puzzle.

  5. Reminds me of the time someone was slowly adding malicious code to some linux thing over the course of months/years so he could potentially gain backdoor access to anything running that specific distro/program and only got caught because someone was auditing the code to learn or some shit.

  6. You know… they could have used this backdoor for good and wiped out all these pay2win servers, but nah, he had to get his computer hacked since the backdoor also had an RCE exploit so… rip his computer

  7. It's so bad how many duping pay-to-win server videos are coming to light. Videos like these should be as common as hell as they are, but they show the truth, and it's really good that people are telling the truth and bringing stuff like this to more light.

  8. My friend and I literally did similar things to small servers back in like 2012 lmao. We had a plugin that was a working plugin my friend made, but he put in a few lines of code so that if me or him said the command, we would get op instantly lmao

  9. Honestly, I respect the grayhat hacker

    Not the nicest, but showed a BIG issue that could have been way worse (and Little Malicious intent)

  10. Okay, I usually don't comment, but that last sentence in the video is so incredibly dangerous: "He just let the domain expire". That is absolutely not how you should handle this. It means that somebody else can register it and gain access to the backdoor, and this has happened before with certain botnets, where they reactivate because the domain became active again and the third party was able to set up the correct software.

    I don't know how he designed the backdoor (which I will say I do not buy his argument he did it for "learning", as he explicitly downloaded files from servers, which goes far beyond regular white hat parameters). But if it's similar to a lot of backdoors in the realm of botnets/RATs, that sentence is just incredibly dangerous.

  11. Sad to see so many people shitting on him in the comment section. tbh Hesey should publish a write-up explaining what he did, key takeaways, recommendations, etc. Cached admin credentials from a previous leak is always a boring vulnerability, but at least it can be another interesting case study now for MC exploits