Malicious activity?


#1

Hello,

Running sponge now and following logs after hacks. Players would take advantage of exploits and such in mods. Even brought the server down.

Anyway, roaming through the logs now with sponge for 1.12.2, I see the following…

[10:53:57] [Server thread/INFO] [nucleus]: Nimtrod ran the command: /sponge:callback     9d971909-c0ad-4a9e-8953-c5b0e6a1b03e
[10:53:58] [Server thread/INFO] [nucleus]: Nimtrod ran the command: /sponge:callback     9d971909-c0ad-4a9e-8953-c5b0e6a1b03e
[10:53:58] [Server thread/INFO] [nucleus]: Nimtrod ran the command: /sponge:callback     9d971909-c0ad-4a9e-8953-c5b0e6a1b03e

Am I to assume that this is a glitch with sponge or a user attempting to exploit the server? The term callback reminds me of a callback function in Java.


#2

You’re correct in that it’s executing a callback function. TextActions can’t support code, but they can support executing commands. Sponge stores the function in a map based off of a random UUID, and instead creates a TextAction that executes the callback command with the appropriate UUID. When that command is executed, the function is retrieved from storage and run for the player.

I’m not saying that this couldn’t be the source of your issues, but it’s not anything that would indicate that specifically. Many plugins make use of this feature and Sponge has a similar process to handle pagination. As far as I know, there’s no definitive way to track down what that callback is (and more importantly, what plugin registered it) based off the logs alone - you’ll have to track that down yourself.


#3

Yeah this is definitely a UX issue to admins as they can’t see what callbacks are being run…

A possible fix would be to optionally allow specifying a human readable name for all callbacks, or include the clickable text used in the command solely for aid of admin debugging.


#4

Gotcha. Yeah, it just appeared for a command I ran to. False alarm then.