It's been almost three years since I started using Spigot [^1], but I still didn't understand it.

[^1]: One of Minecraft's mod servers. url: https://www.spigotmc.org/

While investigating the network traffic of the server running Spigot in order to tighten security, I found a strange connection ...
>> netstat -ntu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
~Omission~
tcp6 0 1 xx.xx.xx.xx:35260 22.214.171.124:80 ESTABLISHED
For some reason it is communicating with that foreign address.
I checked the process using the port with lsof and found that it was Spigot.
>> curl 126.96.36.199:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
~Omission~
</html>
It looks like the default nginx page. No information there.
>> nslookup 188.8.131.52
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx

Non-authoritative answer:
184.108.40.206.in-addr.arpa name = ns511765.ip-198-27-66.net.
Hmmm. It seems that no meaningful reverse DNS name has been set.
With no better lead, grep the plugin jars
>> unzip -c '*.jar' | grep '198\.27\.66\.94'
28 archives were successfully processed.
>> unzip -c '*.jar' | grep 'ns511765\.ip\-198\-27\-66\.net'
28 archives were successfully processed.
I don't know anything.
As a last resort, I tried to identify the culprit by removing the plug-ins one at a time, but I noticed that the communication was occurring even when no plug-in was installed in the first place.
tcpdump (I should have done it first.)
>> tcpdump dst host 220.127.116.11 -A
~Omission~
User-Agent: Java/1.8.0_191
Host: mcstats.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 261
Now the host name of the connection destination is known.
>> nslookup mcstats.org
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx

Non-authoritative answer:
Name: mcstats.org
Address: 18.104.22.168
So, about half of the identity of 22.214.171.124 has been found.
Now that the Spigot server itself is known to be the culprit, and the host name is known, the next step is to identify the relevant part of the code.
Grep the intermediate files generated by BuildTools
>> grep -r 'mcstats.org' .
./Spigot/CraftBukkit-Patches/0015-Metrics.patch:+ private static final String BASE_URL = "http://mcstats.org";
./Spigot/CraftBukkit-Patches/0015-Metrics.patch:+ configuration.options().header("http://mcstats.org").copyDefaults(true);
./Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java: private static final String BASE_URL = "http://mcstats.org";
./Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java: configuration.options().header("http://mcstats.org").copyDefaults(true);
Binary file ./Spigot/Spigot-Server/target/classes/org/spigotmc/Metrics.class matches
The relevant code seems to be in Spigot/Spigot-Server/src/main/java/org/spigotmc/Metrics.java.
You can check the contents of the patch in the relevant part here. https://hub.spigotmc.org/stash/projects/SPIGOT/repos/spigot/browse/CraftBukkit-Patches/0015-Metrics.patch?at=refs%2Fheads%2Fversion%2F1.12.2
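The `unzip -c | grep` step earlier cannot say which jar or class a match came from, and it covered only the plugin jars. As an added example (not from the original post or the Spigot project), this Python sketch scans every jar, the server jar included, for indicator strings and reports the matching entry; the function names and the sample jar are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

def scan_jar_bytes(data, needles, prefix=""):
    """Return (entry_path, needle) for each archive entry containing a needle.

    Class-file string constants are stored as modified UTF-8, so ASCII host
    names and IPs match as raw bytes. Nested jars are scanned recursively.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            body = zf.read(info)
            path = prefix + info.filename
            if path.endswith(".jar") and zipfile.is_zipfile(io.BytesIO(body)):
                hits += scan_jar_bytes(body, needles, path + "!/")
            else:
                hits += [(path, n) for n in needles if n.encode() in body]
    return hits

def scan_directory(root, needles):
    """Scan every *.jar under root; return (jar, entry, needle) tuples."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        for entry, needle in scan_jar_bytes(jar.read_bytes(), needles):
            results.append((str(jar), entry, needle))
    return results

def constructed_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample (not a real class file): stand-in server jar whose
# Metrics.class bytes carry the BASE_URL string seen in the patch.
SAMPLE_SERVER_JAR = constructed_jar({
    "org/spigotmc/Metrics.class": b"\xca\xfe\xba\xbe\x01\x00\x12http://mcstats.org",
    "org/spigotmc/Other.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for hit in scan_jar_bytes(SAMPLE_SERVER_JAR, ["mcstats.org", "198.27.66.94"]):
        print(hit)
```

Searching for the host name as well as the IP matters here: the code holds only the `mcstats.org` string, so a search for the resolved address alone finds nothing.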
By the way, the Spigot server used here is version 1.12.2; when it was updated to 1.13, the host name seems to have changed from mcstats.org to mcstats.spigotmc.org (and from http to https). You can see the commit here.
It seems that it is used for sending statistical information. Currently, it doesn't seem to function as any service.
As you can see from the contents of the patch, statistics such as server OS information, Spigot version, number of players, etc. are sent to the host shown above.
In the past, mcstats.org seems to have operated a service that collected information on Minecraft servers and displayed it in a GUI. bStats (https://bstats.org/) is now an alternative service.
When updating to 1.13, the host name was changed from mcstats.org to mcstats.spigotmc.org because there are plans to use it in the future.
This function is not currently used, so it is worth avoiding the unnecessary communication.
You can turn this feature off by setting opt-out to true in plugins/PluginMetrics/config.yml.
# http://mcstats.org
# opt-out: false
opt-out: true
guid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
debug: false
I was told that if I had been touching the Spigot server for almost three years, I should know that much. (On the other hand, I wonder if there are a lot of people who don't know this ...)
It is refreshing to understand the cause. I feel like I can sleep well today.