[LINUX] I found the cause of mysterious communication of Minecraft server (Spigot)

It's been almost three years since I started using Spigot (one of Minecraft's mod servers, https://www.spigotmc.org/), but I still didn't understand it.

What happened

While I was investigating the network connections of the server running Spigot in order to strengthen its security, I found a strange connection ...

>> netstat -ntu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
~Omission~
tcp6       0      1 xx.xx.xx.xx:35260    198.27.66.94:80         ESTABLISHED

Somehow it is communicating with 198.27.66.94:80 ...

I checked the process using the port with lsof and found that it was Spigot.

Who is 198.27.66.94?

For the time being, try curl

>> curl 198.27.66.94:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
~Omission~
</html>

It looks like the default page for nginx. No information.

IP reverse lookup

>> nslookup 198.27.66.94
Server:         xx.xx.xx.xx
Address:        xx.xx.xx.xx

Non-authoritative answer:
94.66.27.198.in-addr.arpa       name = ns511765.ip-198-27-66.net.

Hmmm. It seems that it has not been set.

Suspecting a plug-in as the culprit (a detour)

Grep the plug-in jars that do not come from a trustworthy source

>> unzip -c '*.jar' | grep '198\.27\.66\.94'

28 archives were successfully processed.
>> unzip -c '*.jar' | grep 'ns511765\.ip\-198\-27\-66\.net'

28 archives were successfully processed.

I don't know anything.
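A hard-coded endpoint can be stored as a host name or URL rather than as the IP address it resolves to, in which case a grep for the address finds nothing. The following is an added example, not code from the original post: it lists every URL literal embedded in a jar, nested jars included, so the host names can be resolved and compared with the address seen in netstat. The function names and the sample jar are constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Byte-level match (like grep) for URL literals in class files and resources.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # skip oversized entries (zip-bomb guard)


def scan_jar(data, origin, depth=3):
    """Yield (location, url) for each URL literal in a jar given as bytes.

    Jars nested inside the archive are scanned recursively, up to `depth` levels.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip archive, nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            body = archive.read(info)
            where = f"{origin}!{info.filename}"
            if info.filename.endswith(".jar"):
                if depth > 0:
                    yield from scan_jar(body, where, depth - 1)
                continue
            for match in URL_RE.finditer(body):
                yield where, match.group().decode("ascii")


def embedded_hosts(data, origin):
    """Return {hostname: {locations}} for every URL literal found in the jar."""
    report = {}
    for where, url in scan_jar(data, origin):
        host = urlsplit(url).hostname
        if host:
            report.setdefault(host, set()).add(where)
    return report


def constructed_sample_jar():
    """Constructed test input: one class-like entry plus one nested jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("lib/Stats.class", b"\xca\xfe\xba\xbe\x01\x00\x13https://example.org\x01")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("org/spigotmc/Metrics.class", b"\xca\xfe\xba\xbe\x01\x00\x12http://mcstats.org\x01")
        z.writestr("libs/shaded.jar", inner.getvalue())
    return outer.getvalue()
```

To audit a real file, pass its bytes, for example embedded_hosts(open("spigot.jar", "rb").read(), "spigot.jar"), and include the server jar itself as well as the plug-ins. URLs that the code assembles at run time from separate strings will not appear in the result.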

In fact, Spigot itself is the culprit

As a last resort, I tried to identify the culprit by gradually removing the plug-ins, but I noticed that the communication was occurring even when no plug-in was installed in the first place.

tcpdump (I should have done it first.)

>> tcpdump dst host 198.27.66.94 -A
~Omission~
User-Agent: Java/1.8.0_191
Host: mcstats.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 261

Now the host name of the connection destination is known.

>> nslookup mcstats.org
Server:         xx.xx.xx.xx
Address:        xx.xx.xx.xx

Non-authoritative answer:
Name:   mcstats.org
Address: 198.27.66.94

So, about half of the identity of 198.27.66.94 was found.
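The step that finally named the destination was the Host header in the captured request. As an added example (not part of the original post), this Python function reads saved `tcpdump -A` text output and maps each destination address to the HTTP Host values sent to it; the sample capture is constructed, with a documentation source address and a made-up request path.

```python
import re
from collections import defaultdict

# Packet summary line as printed by tcpdump, e.g.
#   12:00:01.000000 IP 192.0.2.10.35260 > 198.27.66.94.80: Flags [P.], ...
# One or two leading timestamp tokens are accepted (default and -tttt formats).
PACKET_RE = re.compile(r"^(?:\S+ ){1,2}IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)

# Constructed sample of `tcpdump -A` output (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10.35260 > 198.27.66.94.80: Flags [P.], seq 1:401, ack 1, win 229, length 400: HTTP: POST /constructed-path HTTP/1.1
E.....@.@.......POST /constructed-path HTTP/1.1
User-Agent: Java/1.8.0_191
Host: mcstats.org
Connection: keep-alive

12:00:02.000000 IP 192.0.2.10.40000 > 203.0.113.7.443: Flags [P.], seq 1:6, ack 1, win 229, length 5
E..9..@.@.......
"""


def hosts_by_destination(capture_text):
    """Map each destination 'ip:port' to the set of HTTP Host values sent to it."""
    seen = defaultdict(set)
    dest = None  # destination of the packet whose payload is being read
    for line in capture_text.splitlines():
        packet = PACKET_RE.match(line)
        if packet:
            dest = f"{packet.group(3)}:{packet.group(4)}"
            continue
        host = HOST_RE.match(line.strip())
        if host and dest:
            seen[dest].add(host.group(1).lower())
    return dict(seen)


if __name__ == "__main__":
    for destination, names in sorted(hosts_by_destination(SAMPLE_CAPTURE).items()):
        print(destination, "->", ", ".join(sorted(names)))
```

This only works while the request is cleartext HTTP; once the traffic is https, as in the 1.13 change described further down, the Host header is no longer readable in a capture.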

Identifying the relevant part of the code

Now that we know the host name and that the Spigot server itself is the culprit, the next step is to identify the relevant part of the code.

Grep the intermediate file generated by BuildTools

>> grep -r 'mcstats.org' .
./Spigot/CraftBukkit-Patches/0015-Metrics.patch:+    private static final String BASE_URL = "http://mcstats.org";
./Spigot/CraftBukkit-Patches/0015-Metrics.patch:+            configuration.options().header("http://mcstats.org").copyDefaults(true);
./Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java:    private static final String BASE_URL = "http://mcstats.org";
./Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java:            configuration.options().header("http://mcstats.org").copyDefaults(true);
Binary file ./Spigot/Spigot-Server/target/classes/org/spigotmc/Metrics.class matches

The relevant code seems to be in Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java.

You can check the contents of the relevant patch here: https://hub.spigotmc.org/stash/projects/SPIGOT/repos/spigot/browse/CraftBukkit-Patches/0015-Metrics.patch?at=refs%2Fheads%2Fversion%2F1.12.2

By the way, the version of the Spigot server used this time is 1.12.2, but with the update to 1.13 the host name seems to have been changed from mcstats.org to mcstats.spigotmc.org (and from http to https). You can see the commit here: https://hub.spigotmc.org/stash/projects/SPIGOT/repos/spigot/commits/ed1cec9ae9ee07f1b51bdda14dfe14b40e92c9ed#CraftBukkit-Patches/0014-Metrics.patch

What this code is doing

It seems that it is used for sending statistical information. Currently, it doesn't seem to function as any service.

Remnants of the past and preparations for the future

As you can see from the contents of the patch, statistics such as server OS information, Spigot version, number of players, etc. are sent to the host shown above.

In the past, mcstats.org seems to have operated a service that collects information on Minecraft servers and displays it on a GUI. bStats (https://bstats.org/) is now an alternative service. See https://www.spigotmc.org/threads/mcstats-down.193444/

When updating to 1.13, the host name was changed from mcstats.org to mcstats.spigotmc.org because there are plans to use it in the future. https://hub.spigotmc.org/jira/browse/SPIGOT-4203

Opt out

This function is not currently used, so you will want to avoid the unnecessary communication. You can turn this feature off by setting opt-out to true in plugins/PluginMetrics/config.yml.

plugins/PluginMetrics/config.yml


# http://mcstats.org
# opt-out: false
opt-out: true
guid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
debug: false

Summary

I was told that if I had been touching the Spigot server for almost three years, I should know that much. (On the other hand, I wonder if there are a lot of people who don't know this ...)

It is refreshing to understand the cause. I feel like I can sleep well today.
