Skip to content Nodecraft
Miscellaneous

PSA: Potential Vulnerability in Multicraft Hosts

There is some speculation that an exploit has been developed to target hosts which use Multicraft. A post on the Hack Forums shows a user making a remark about being able to force OP on a server powered by Multicraft. There is a user on the /r/Minecraft subreddit which reports his world being taken over by the same hack.

First off and most importantly. NodeCraft does NOT use Multicraft and is not vulnerable to this specific attack. We spent months developing and testing our application to prevent these type of vulnerabilities from affecting us.

Companies which use Multicraft, WHMCS, WordPress, or many other 3rd party systems are potentially vulnerable to many different attack vectors by hackers and subsequently script kiddies (users who simply run scripts that hackers wrote, rather than knowing how to hack specific systems). The potential for attacks grows as companies ignore building their own basic system by which they operate their business.

1. Vulnerabilities by Software

It's somewhat rare that 3rd party software has many vulnerabilities as it's so commonly used and often penetration tested, however because of the massive amount of use, these systems are often the target of hackers as their bounty for breaking software is exceedingly enlarged by the sheer number of businesses making hundreds of thousands and in some cases millions of dollars each year using software they didn't create. The most terrifying aspect of using 3rd party software is that you will not be able to patch the software as it is primarily closed source. You can make micro patches, but often you won't be able to see the full system and its vulnerabilities.

Here at NodeCraft, we have built a complex system, engineered for separation of systems to help protect ourselves in the event there is ever a vulnerability. We can make code changes to our custom built system at any level, including billing, control panel, systems, or even our website to help ensure vulnerabilities are our responsibility and watch them roll out to our systems in minutes.

2. Vulnerabilities by Negligence

Most often, attacks are able to penetrate providers without any any fault to the original software developers or publishers. Many providers don't have a professional level of experience in hosting, maintaining, and even deploying production websites. Often negligence can be as simple as not following one basic step when installing software. Many systems such as Multicraft or WHMCS can operate outside of secure parameters or can be skipped, yet still be operational. In most cases, attack vectors are created when system admins don't update applications such as WordPress, which allows attackers to attack one application to get into a web server; once the attacker is in, they often have access to all other systems or related applications.

We do not rely on 3rd party applications to serve content or create user experiences, here at NodeCraft. We've built our entire website (which is also our control panel and billing area combined into one system) on the same application. It's built by our internal dev team and isn't vulnerable to 3rd party software exploits.

3. Knowing how to fight attacks is half the battle

The most important aspect of repelling attacks is first understanding how they take place and what an attacker could have leveraged to gain entry into a system. By using 3rd party software a company can't have any investment into how the system truly works. They can understand the results of following basic instructions, however they don't understand what is taking place under the hood. This would be the equivalent of a car rental company renting hundreds and thousands of cars without any staff dedicated to the repair and upkeep of their cars. Because we've built our control panel from the game daemon manager, to our core internal API up to our website, we know how our system works, its limitations, and ultimately how to fix issues rather than wait on a patch by a third party.

4. Offsite Backups

No system is perfect, and the system we have built is no exception to that rule. The reality is that a contingency plan must be put in place to protect customers and business interests. We rely on offsite backups which are stored on a server with limited network access, outside of our normal data-centers. We push our system-critical backups to this system to ensure our customers services are safe.

5. Invest in your core business model

The most important thing any company can do for itself is invest in the core business model they depend upon to survive as a company. Investing into the software development simply isn't a focus by hundreds and thousands of web hosts and game server hosts alike. This results in companies which are all reselling someone else's product, complete with it's own set of vulnerabilities, same feature set, and same limitations.

We are not beholden to these limitations and as of 8/4/2013 we ceased operating with 3rd party systems and we launched NodePanel. Since then, we've made dozens of updates, patches, and still continue to support the product and develop new and greater solutions for tomorrow.

Chat blocked!

Nodecraft is an ad-free website! Disable adblock if you have any questions.