
Force OP?

Discussion in 'Help' started by MCA7, Feb 19, 2021.

  1. MCA7

    MCA7 Creeper

    Messages:
    1
    Hello everyone,

    So we have been having this problem since last year (September) and the issue is that random players who play on the server get opped at the most random timings and this happens only when there is a reasonable amount of players online (e.g. 10-20+).
    We have tried to fix this issue several times and we suspect a possible backdoor plugin, BUT, we always use our plugins from reliable and trusted sources but we are still suspicious of a possible backdoor.
    The issue may also be caused due to some other issues that we are possibly unaware of?
    Please help and guide us, any expert here on this topic? Some suggested that PurePerms / Chat might be the issue.

    Also how to make ops.txt read only? or lock the file? please do guide us.

    Thanks.
     
  2. Primus

    Primus Zombie Pigman

    Messages:
    749
    What I would do... this might sound stupid, but bear with me on this one. Edit pocketmine source, and throw an exception whenever someone tries to set op.

    PHP:
    /**
     * @return void
     */
    public function addOp(string $name){
       try {
          throw new \Exception("Someone tried to op $name");
       } catch (\Exception $e) {
          // Dump the call stack to a timestamped file; it shows which code called addOp()
          file_put_contents("op-error-".time().".txt", $e->getTraceAsString());
          // Alert every operator who is currently online
          foreach($this->getOnlinePlayers() as $p) {
             if(!$p->isOp()) continue;
             $p->sendMessage("Evil bastard tried to set '$name' as op");
          }
       }
       return; // stop here so nobody actually gets opped

       // Original code, left in place but unreachable after the return above
       $this->operators->set(strtolower($name), true);
       if(($player = $this->getPlayerExact($name)) !== null){
          $player->recalculatePermissions();
       }
       $this->operators->save();
    }
    As for making ops.txt read-only, use (assuming you're using Linux)
    Code:
    sudo chmod 0444 ops.txt
    
    Try using this in the plugin directory. It will scan all files where the string occurs and might show you the plugin which is causing the issue.
    Code:
    grep -r "setOp" .
    # or
    grep -r "addOp" .
    
    Yes, probably some malicious backdoor code is in your plugins. Or simply someone from your crew is doing evil stuff.
     
    EdwardHamHam and minijaham like this.
  3. minijaham

    minijaham Skeleton

    Messages:
    801
    GitHub:
    minijaham
    Seems like not enough information, in my opinion.

    Here are some possible solutions though,

    Case One: If you are a developer
    - Check every single plugin of yours and look for code that is suspicious
    - Possible code could include the following (from what you've said)
    PHP:
          $players = $this->getServer()->getOnlinePlayers();
          if (count($players) > 10) { // if there are more than 10 players online
                $random = $players[array_rand($players)]; // get a random player
                $random->setOp(true); // set the random player op
          }
         
    This is just an assumption I made considering what you said.
    - See who's opped and make a logger that records who executed the /op command

    Case Two: If you are NOT a developer
    - Make sure you're using an official version of PocketMine-MP
    - Make sure you don't have a subuser on your Control Panel
    - See who's opped excluding yourself

    Case Three: Xbox username exploit
    I won't be revealing how it is done, but I'll tell you how this issue can be fixed.
    If the person who is opped has the same spelling as an operator in your server (i.e. minijaham and mInIjaHam),
    try making and/or installing an authentication plugin where players would have to log in to their "account username" with a specified password.

    If these still don't solve your issue, well,
    @Primus's solution sounds just good
     
    Last edited: Feb 20, 2021
    EdwardHamHam and Primus like this.
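
An added example, not part of either post or of PocketMine-MP itself: a shell audit that widens the grep suggested in the thread to match case-insensitively (PHP method names are case-insensitive), to catch the op command being dispatched as a command string, and to flag decoding helpers that can keep "setOp" out of a plain string search. The pattern list, the function names and the sample plugins (GoodChat, FreeRanks) are constructed for illustration, and the list is a starting point rather than a complete signature set.

```shell
#!/bin/sh
# Audit a PocketMine plugin directory for code able to grant operator status.
# Assumes plugins are unpacked PHP source and grep supports -r and --include.

# scan_plugins DIR -> prints "file:line:text" for every suspicious line
scan_plugins() {
    grep -rnEi --include='*.php' \
        -e '(setOp|addOp)[[:space:]]*\(' \
        -e 'dispatchCommand[[:space:]]*\(.*["'\'']op ' \
        -e '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
        "$1" | sort
}

# count_hits DIR -> number of suspicious lines
count_hits() {
    scan_plugins "$1" | wc -l | tr -d ' '
}

# flagged_files DIR -> unique files with at least one hit (review these by hand)
flagged_files() {
    scan_plugins "$1" | cut -d: -f1 | sort -u
}

# make_sample -> builds two constructed plugins in a temp dir, prints its path
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/GoodChat/src" "$d/FreeRanks/src"
    printf '%s\n' '<?php' '$player->sendMessage("hi");' \
        > "$d/GoodChat/src/Main.php"
    # Constructed sample: mixed-case SetOp would be missed by grep -r "setOp"
    printf '%s\n' '<?php' 'if (count($online) > 10) {' \
        '    $target->SetOp(true);' '}' '$f = base64_decode($blob);' \
        > "$d/FreeRanks/src/Main.php"
    echo "$d"
}

# Scan the directory given as the first argument, or the constructed sample
target=${1:-$(make_sample)}
scan_plugins "$target"
```

A hit is a line to read, not a verdict: legitimate rank or admin plugins also call setOp, and the decoding helpers have ordinary uses.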