
Eliminating a Backdoor?

Started by 11clock, December 16, 2013, 12:57:56 AM


11clock

A backdoor is a virus that lets someone have illegal access to a machine. I'm going to explain why I am asking about backdoors first.

My little brother, who is known as Hi756 on these forums, has been hosting a Minecraft server for 4 months. Sometime during its early days, a friendly looking guy named Jonathan joined the server. Over time he managed to become friends with many people on the server, and he also became very close friends with Hi756. Hi756 gave Jonathan console access and he became a second admin around a month or so into the server's history. Through this friendship, Hi756 discovered that Jonathan is a hacker and has completely destroyed a server in the past simply because he didn't like the main admin. Hi756 didn't really give this information a second thought because he was friends with the guy. He wouldn't do something like that to his server, now, would he?

Later on, Jonathan started to abuse his admin powers. As a result, his powers were taken away by Hi756. He seemed to understand why his powers were taken away, and has agreed not to use his console access to gain them back.

Later, Jonathan was found using admin powers again. Hi756 then removed his powers again, and changed the console password. Jonathan somehow managed to get into the console regardless, changing the password back and giving himself back his powers.

After this event occurred, Jonathan started to come up with new rules for the server without Hi756's consent. He made a document and called it the "Constitution." He attempted to get Hi756 to make the document official. He was against the Constitution, so the stubborn hacker kept trying to convince Hi756. Hi756 personally contacted half the server through Skype, having them look at the document and analyze it. It was quickly discovered that the document was bogus, because it basically gave secondary admins more control than the admin.

After a while, Hi756 managed to get most of the people he contacted on his side of the situation. Everyone's statements about the Constitution were sent to Jonathan at the same time. The result? Jonathan felt like he was hated and said he was leaving the server, wording it in a way that made it obvious he was trying to do the "puppy eyes" trick to regain his now-broken reputation. It didn't work on any of the server's members, so Jonathan finally revealed how he still has access to the console despite being banned from it and the password being changed.

When Jonathan was first given console access, he placed a backdoor virus on the server machine. It is a powerful virus that was seemingly impossible to get rid of. Restarting the server and changing the IP didn't do squat. After several attempts trying to get rid of the backdoor virus (and also trying to convince the server providers to call authorities since hacking and creating malicious software are major crimes in the US), Jonathan got tired of these attempts and banned Hi756 from the console. He easily managed to get his access back, but has now decided to switch to a new server provider, since it was apparently the only way to escape Jonathan's grasp.

Now that you have a good understanding of the situation, how does one get rid of a backdoor such as the one described?

Scotty

Windows or Linux/Mac/OpenBSD/etc...?

Loganvz123

What do you mean by 'console', do you mean the Java server? A VPS? A hosting control panel? What is he actually gaining access to?

Mr Pwnage

Well, assuming the worst case scenario being that the backdoor virus is a rootkit residing on the server computer's kernel, your best (and probably only) bet of getting rid of it is to completely re-install your operating system. If this was a novice hacker who didn't install the backdoor via a rootkit, it could very likely be disguised as third-party software on your computer, but will often easily bypass software which could potentially detect it. I highly recommend backing up your server computer's map files, then entirely re-installing the operating system. Rootkits are about the hardest thing to detect when you are talking about malicious software, and sometimes virtually impossible to detect. Best of luck!

11clock

I'm pretty sure that it is Windows.

Console, as in, the server's control panel.

Thanks! Apparently they are creating a new map with the new server in case the hacker implanted something in the world file. The hacker should no longer be a problem, but this information might be useful in the future in case it happens again.

Scotty

Quote from: Mr Pwnage on December 16, 2013, 09:19:57 AM
Well, assuming the worst case scenario being that the backdoor virus is a rootkit residing on the server computer's kernel, your best (and probably only) bet of getting rid of it is to completely re-install your operating system. If this was a novice hacker who didn't install the backdoor via a rootkit, it could very likely be disguised as third-party software on your computer, but will often easily bypass software which could potentially detect it. I highly recommend backing up your server computer's map files, then entirely re-installing the operating system. Rootkits are about the hardest thing to detect when you are talking about malicious software, and sometimes virtually impossible to detect. Best of luck!

It sounds like he's running off of shared hosting, which means he most likely won't have access to re-image the operating system.  That's something the shared host would have to do.  I'm somewhat shocked the host hasn't given him the boot for posing a security risk.

Quote from: 11clock on December 16, 2013, 06:31:09 PM
I'm pretty sure that it is Windows.

Console, as in, the server's control panel.

Thanks! Apparently they are creating a new map with the new server in case the hacker implanted something in the world file. The hacker should no longer be a problem, but this information might be useful in the future in case it happens again.

If it's a web based control panel, have you checked to see if the service allows you to have multiple accounts?  That would be a surefire way of gaining access if he set up a second account.  If not that, what about the email on the account?  If he changed the account's email to his own, he essentially laid claim to the account.

I don't know how you gave him access, whether you shared the "root/admin" credentials, or if you created a secondary account for him. If it's the former, shame on you. That is asking for all sorts of bad stuff to happen. If it's the latter, then we don't have nearly enough information to diagnose the problem.

I'm getting mixed signals from you now, though.  You said in your initial post that you are switching to a new service provider, indicating that you're cutting ties entirely with the old, and finding a new one that this Jonathan character can't gain access to (hopefully using a different password).  In your last post though, you're saying that "they" (whoever "they" is) are creating a new server.  Are you continuing to stick with your old provider, or did you move on to a new one?  If the latter, re-installing the Minecraft server is unnecessary, hence my confusion.  Also, if he did plant a genuine backdoor on the server somehow, simply re-installing Minecraft will not get rid of that backdoor.
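
A defender-side check for the "regained admin powers" pattern this thread describes, added here as an example and not code from the thread, from Fragnet, or from the Minecraft project: it parses a Minecraft operator list (either the older one-name-per-line ops.txt or the newer ops.json layout, both assumed here) and reports operators that are not on an approved list, or that appeared or vanished since a saved snapshot. The file contents below are constructed samples.

```python
import json

# Constructed sample operator lists (not real server files): an ex-admin has
# re-added himself as an operator alongside the two legitimate admins.
OPS_TXT_SAMPLE = "# Minecraft operator list\nHi756\n11clock\nJonathan\n"
OPS_JSON_SAMPLE = json.dumps([
    {"uuid": "00000000-0000-0000-0000-000000000001", "name": "Hi756",
     "level": 4, "bypassesPlayerLimit": False},
    {"uuid": "00000000-0000-0000-0000-000000000002", "name": "Jonathan",
     "level": 4, "bypassesPlayerLimit": False},
])


def parse_ops(text: str) -> set[str]:
    """Return lower-cased operator names from ops.txt or ops.json content."""
    body = text.strip()
    if body.startswith("["):  # JSON list of objects carrying a "name" key
        return {e["name"].lower() for e in json.loads(body) if "name" in e}
    # Plain-text form: one name per line, '#' lines are comments
    return {ln.strip().lower() for ln in body.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def unexpected_ops(text: str, approved: set[str]) -> set[str]:
    """Operators present in the file but not on the approved list."""
    return parse_ops(text) - {n.lower() for n in approved}


def ops_drift(previous: str, current: str) -> tuple[set[str], set[str]]:
    """(added, removed) operator names between a saved snapshot and now."""
    before, after = parse_ops(previous), parse_ops(current)
    return after - before, before - after


if __name__ == "__main__":
    approved = {"Hi756", "11clock"}
    for label, sample in (("ops.txt", OPS_TXT_SAMPLE), ("ops.json", OPS_JSON_SAMPLE)):
        extra = unexpected_ops(sample, approved)
        print(f"{label}: unapproved operators -> {sorted(extra) or 'none'}")
```

Running it on a schedule and keeping the previous snapshot turns "he gave himself his powers back" from something noticed by players into something the admin is told about.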

Hi756

Hello. I am the one with this major problem clock is describing. I am his younger brother.

Anyways, in regards to what has been said in this forum topic:
I was running a Minecraft server with "Fragnet" (an online hosting service). I paid for the server to run for 6 months (it cost around $70).

Jonathan's taking advantage of me is completely my fault and I should have been cautious, but that isn't the main problem as of this point.


Quote from: Scotty
You said in your initial post that you are switching to a new service provider, indicating that you're cutting ties entirely with the old, and finding a new one that this Jonathan character can't gain access to (hopefully using a different password).

Scotty, this is true. As soon as I had exhausted every possible solution to get Jonathan out and had come to terms with the fact that I can't get him out of my Fragnet account, I messaged the Fragnet moderators asking to completely delete my account.

I then paid more money to a different host (with a different password) and have told everyone on the server explicitly not to tell Jonathan anything about the IP or the new server provider. I also told everyone to block him on Skype.

Hopefully this clears your confusion.


The thing that mainly pisses me off about this situation is that no matter what I tell him, he is convinced, and is trying to convince everyone else, that I banned him because I am jealous of his knowledge of server running and I didn't like that he knew more than me. (If you read clock's starting post, you'd know exactly what is wrong with this accusation.)

Scotty

Didn't quite get an answer to the previous question: did you give him access to the control panel in such a fashion that he could compromise your account via the panel? "root" access? Email change? Any chance he could have created a second account that you overlooked?

Quote from: Hi756 on December 16, 2013, 11:45:26 PM
The thing that mainly pisses me off about this situation is that no matter what I tell him, he is convinced, and is trying to convince everyone else, that I banned him because I am jealous of his knowledge of server running and I didn't like that he knew more than me. (If you read clock's starting post, you'd know exactly what is wrong with this accusation.)

Yeah... Because I'll take anyone seriously when they make such bold statements about themselves... :-\  Sounds like your typical resourceful, scheming little brat.

Hi756

Quote from: Scotty on December 17, 2013, 08:07:58 PM
Didn't quite get an answer to the previous question: did you give him access to the control panel in such a fashion that he could compromise your account via the panel? "root" access? Email change? Any chance he could have created a second account that you overlooked?

My apologies, I will answer your question. There was one account, shared between the two of us, which used my email for the login. What made me trust him is that he told me to change the password to his personal password that he uses for everything, so if he trusted me with that, I should trust him with everything else. We both had access to all the same files. I was fully aware that he could simply ban me from my own server and change the password to the account, but I trusted he wouldn't because he was one of my "close friends". That was completely my mistake, don't get me wrong.

And, knowing his password, I could just log into all his accounts and screw with them, but I'm not the type to do that sort of thing. Plus it would get me in a lot of trouble with the sites I'm logging into since they can look for IPs that log into accounts. And also I don't know exactly what Jonathan can do to me. I don't know exactly where his access to me ends. He could fry my computer by pressing a single button for all I know.