As you may be aware, at around 16:30 GMT today, our server went offline. I was on at the time, and thought little of it, putting the timeout error down to my internet (which isn't the most reliable thing). 7 minutes later, I was alerted the server was offline, and proceeded to restart the BungeeCord proxy - this allowed players to join, however I was then made aware of certain features - all being database driven - not working. Following this, I proceeded to access the database, and was presented with this: https://i.imgur.com/bXJG0hG.png
By this stage it had become clear that our database server had been compromised in some form or another. At this stage, I took the decision to shut down our database entirely, to prevent any remote backups of data being modified, and once the backups from this morning were restored, re-installed the server from scratch to ensure any security loopholes that may have been overlooked were no longer present. This is primarily the reason the outage dragged out as long as it did - installing the required software took some time, in addition to the large amounts of time taken to import the several gigabytes of database files back onto the server.
To make it clear: no personal data was involved in this breach. All emails and website account passwords are stored on our web server, and all passwords are hashed with a strong algorithm, so that in the unlikely event these were exposed, they would take hundreds of years to crack (providing they were strong passwords). The bitcoin ransom message makes it clear the hackers claim to have a copy of the data, although it is unlikely they are going through it - the data compromised is all chat / command / message logs, punishment logs, playtime, and other general stats - again, I want to make it clear that no passwords other than mine have been compromised, and unless you shared passwords or personal information in chat, you have nothing to worry about.
As of 6:00PM GMT, our servers were back up and fully reachable. This takes the total downtime to just under 1 hour 30 minutes.
Going forward, we have learnt from the issues, and are taking action to prevent anything like this happening again. Primarily, we will be checking over all aspects of our server security, and tightening up all security measures - we've already changed all passwords that could have been used to gain access to the database server involved in today's incident. In addition, we are planning on increasing the frequency of our database backups to twice daily (from once) so that data recovery results in less data loss (as in the future, more may be stored in our databases). In addition, we plan on adding a pull-style backup server to our infrastructure in order to keep a secondary offsite backup copy of data that is isolated from our network, so in the event of one of our servers being compromised, our backups are unable to be removed.
If you have any concerns about this, or want more information, please contact me, and I'll answer as many of your questions as I can.
Today I'm going to be addressing what is currently the most asked question I'm seeing on the server, which I'm asked a few times a day (and I can totally understand why people are wanting an answer to this) - when will 1.12 block support be out?
Minecraft 1.12 was released on June 7th this year, almost 3 months ago at this stage. Whilst we were able to quickly add support for 1.12 clients connecting to the server within a matter of hours of the release of this version, we waited to add support for 1.12 items themselves, as in addition to server updates being available, we have to ensure that all of the core plugins which our server relies on are compatible with 1.12 so the server continues to function as expected. Shortly after the release (a few days or so), all but one plugin were working with 1.12, this being the command block plugin, which we rely on to enforce plot restrictions on the commands which can be executed by command blocks.
Up to this stage, we are still waiting for the command block plugin to be compatible with 1.12, and are unsure as to when the update will be made available. The plugin developer has been paid to update the plugin by another server a few weeks back, and are still waiting for the update, and are unsure as to whether the update will ever be released. This is in addition to whether the currently blocked commands (such as setblock) will be safe to be enabled again.
Last update we made we removed command blocks in favour of supporting Minecraft 1.11, and had complaints about the removal of command blocks. This time round it was the other way round: command blocks stayed, yet players wanted 1.12 support (which is totally understandable in both ways). The difficult decision to make on my behalf is what decision is of most benefit overall to players, and causing the least anger / annoyance.
I'd love to hear what everyone has to say about this topic, whether you're a command block user or not, how much of an impact removing command blocks would have to your projects on the server, and your general views on this topic, so that the decision I make is one which will have the least possible negative impacts. We currently have a poll at http://www.strawpoll.me/13837166 to gather everyone's general view (please vote there!), but detailed comments will help a lot more. We will be taking action on the 30th September at the latest, and there will be no turning back beyond then - make sure you have voted by this date. Even if command blocks are temporarily removed, there is always the possibility of them being added back when the plugin supports the Minecraft version the server is running.
Feel free to ask about certain commands you find useful - e.g. I've been asked about /give, which I will be able to grant access in some form or another for spawning items with metadata as an alternative (although I can understand this won't be a sufficient command block replacement in all cases).
As a side note, I am aware we changed command blocks to be primarily a donator feature in May - if the removal of command blocks is to go ahead & you donated from a date between 1st May & 20th September, you are welcome to contact us to receive a refund on your rank (excluding any PayPal fees there may be) & be demoted back to the default rank if this was a key factor affecting your purchase.
We've introduced a new & hopefully easy way for players to spawn in decorative heads from a pre-defined selection onto creative on our website! To use the feature, you need to be signed in (so log in / register), and head over to https://theburrow.net/user/creative_heads/ (accessible via the 'UserCP' navigation sidebar after selecting 'UserCP' on the dropdown under your name on the navigation bar). From there, select a category, find the head(s) that you want, and click the button to receive them in game almost instantly!
Update 2: as per request, an alternative, and probably more useful method, of gaining decorative heads has also been added: by running the /headdb command on the server, you will be presented with a GUI of a wide variety of heads to choose from, with a search utility too.
This is just a quick update of something that's being worked on currently and should help out while on your server. We now have a command guide available here (https://theburrow.net/command_guide) on our website (or under the 'other' dropdown menu on the navigation bar). This currently contains the basic commands on the server, and is being expanded to contain more and more useful information which should be able to help you, and new players out.
It has come to my attention that recently we've been having an increased number of newer players coming onto the server with the intention to attempt to crash it using WorldEdit commands (primarily //set). This usually involves filling the plot with entities that cause lag, such as redstone, ladders, or minecart rails. Up until this point, I've tried to keep WorldEdit as limitless as it can be, as it's a small minority of players causing issues for the larger group of everyone, however this has increased to a level where I couldn't leave it untouched.
Effective immediately, a few of the common items being used to crash the server with WorldEdit (such as those mentioned above) have been blocked from use with //set with WorldEdit. You will still be able to copy and paste these, however //set will no longer work for a select few additional items, such as those specified in the example list in the previous paragraph.
This should hopefully reduce the number of cases of crashes, and this list may be modified again if felt necessary. However, if the issues continue, we will have to consider further limitations on WorldEdit, such as requiring a certain playtime before gaining access to it, or registering on the site (or potentially something else) in an attempt to minimise the influx of players joining to crash the server, with no intention of returning after that.