The State of log4shell in Minecraft Months Later

66,103 views

LiveOverflow

Laws are complicated and internet wide scanning is a bit of a grey area. So I wonder, what is ethical? Did I cross a line? What do you think?
Log4shell explained: • Log4j Vulnerability (L...
Log4j in Minecraft by John Hammond: • CVE-2021-44228 - Log4j...
limited ldap server by leonjza: github.com/leonjza/log4jpwn/b...
Docker Minecraft Server: github.com/itzg/docker-minecr...
Episode 07:
00:00 - Intro
01:37 - Let's Play:
05:24 - Building Spider XP Farm
06:05 - Ethical Internet Scanning?
12:20 - Minecraft Hosting Business
19:35 - Log4shell Scan Results
25:45 - Conclusion

Comments: 232
@Shockbyte 2 years ago
Thanks for sharing insights from the Minecraft server hosting space. It's even more fascinating hearing it from you 😅
@shlokbhakta2893 2 years ago
Hi shockbyte people! Y’all have officially gained my respect as my favorite server host after this video! Keep up the good work!😀
@meurigpoole1576 2 years ago
It was very nice from you guys, thanks
@kyletrent.mp4 1 year ago
Shockbyte best host
@jhbonarius 2 years ago
They say "don't shoot the messenger!" for a reason: many messengers get shot. I think you did good on trying to warn people. They probably deep inside also appreciate what you did.
@Kabup2 2 years ago
People always shoot the messenger. :)
@riley4252 2 years ago
tbh it probably *wouldve* been better if he had warned people, but thats not really what he did
@riley4252 2 years ago
I’m not sure how to interpret “Hey! Sorry for the spam, I’m just scanning minecraft servers for a project. - (a)LiveOverflow” as “trying to warn people”.
@amyshaw893 2 years ago
While I appreciate the transparency, I think if I was just a random person who doesn't know about computers and stuff, and saw someone connect, drop a weird chat message, say they were doing research and sign it with a cool hacker name, I would be terrified. The data makes me feel happy though, gotta love some nice data
@s8wc3 2 years ago
I think it would be cool if he had it so it would actually tell the server op if their server was vulnerable or not based on whether he received a timely response from the server to his url. I think that would have reduced a lot of the fears, because you'd know exactly what he was trying to do.
@riley4252 2 years ago
yea it was really not okay tbh. also illegal lol i learned more about the german criminal code over the past month than i ever thought i would
@riley4252 2 years ago
@@s8wc3 and would have given them the chance to patch their server before making a video for 725k people
@gazehound 2 years ago
One approach that I think could have been nice for your scanning would be to set up a webpage where confused users could go to learn about why you were scanning servers, and drop the link in the chat
@PhoenixClank 2 years ago
I think that woulda seemed even more like spam, like "check out this url!!!"
@gazehound 2 years ago
@@PhoenixClank Disagree. Wouldn't matter anyway considering he dropped his twitter in the chat
@PhoenixClank 2 years ago
@@gazehound At least that one had to be manually input. I'd consider anything with a proper url (scheme optional) to be potential spam, especially if it doesn't link to a "well-known" website (e.g. LiveOverflow's own website instead of his Twitter profile), and even more especially if it links to a url shortener (which probably wouldn't have been the case here).
@gazehound 2 years ago
@@PhoenixClank Nah
@riley4252 2 years ago
@@PhoenixClank wouldve been better than an attempted log4j exploit followed by basically "hey please ignore me, have a nice day"
@networkException 2 years ago
(regarding 6:00) Right after the vulnerability got published I did some research into servers and noticed that they would log the username of a connecting user regardless of whitelist status and online mode. With a bit of code (node in my case) it's easily possible to send a connection attempt with a Log4Shell payload username to the server. Sadly the length of the username will get checked before any logging occurs, meaning that out of the 16 total characters a username can have only one can be used as the host, rendering the attack vector useless.
@Omena0 2 years ago
They were lucky
@EnderKill98 2 years ago
I explored this as well. Same conclusion. Had a custom client going that did the entire login manually (rust, openssl, ...). A nice side effect is, that if I can join a server, I can figure out the world seed, if it is a custom one in a few seconds. Random/unspecified seeds are "possible", but would take probably months or years and knowledge of the boot time of a system is crucial to speed it up. That taught me a bunch about cuda, openssl and also just distributing workloads across cpu threads efficiently.
@honzapat 2 years ago
@@EnderKill98 what? is that something the server actually responds with? I know there are many seed finder tools, etc. but none of them have explored this vulnerability.
@iburn36360_ 2 years ago
You are almost spot on with why the villagers were not picking up the lectern. To be completely clear on how villagers handle getting a job:
- A villager, who is not a nitwit, or who does not already have a valid job stored in its memory (We'll get to that in a bit) will randomly check to see if it can "find" a nearby, unclaimed job site (lectern in this case). They can path up to ~64 blocks away and will store the "memory location" of that block.
- If a job site is found, the villager will also query all nearby villagers within its pathfinding range to ask if anyone else has the job site claimed, to prevent multiple villagers within a single tick from claiming a job site.
- Once a job site has been claimed, it will remain "claimed" even if the block state changes as long as the villager isn't made aware of this (Not possible to happen in normal Minecraft, but with mods like the Easy Villagers mod, you can easily get yourself into a position where the villager wasn't notified about the world state change and, because Minecraft works on an event watcher system for cases like this, the job site will remain permanently claimed even if the original job block has long since been destroyed).

In your case, what was happening is that one of the villagers inside of one of the boats up on the hill were able to see the lectern, path to it and pre-emptively claimed it to put a "lock" on the job. This would prevent all other villagers from being able to claim the lectern as a result since they have communicated with their "memory" state that the job was claimed. Once you prevented all of the villagers from being able to path to the job site, and broke the block, it became fully available for the nearby villagers in the trading setup to claim and use the lectern.

---

For those looking to build a trading setup, it is generally best to set up the trade in an area either fully pathing isolated from your trading hall, or at least 4 chunks away from the trading hall, in order for there to be no confusion for the villagers as to what job site are and aren't available. You should also only ever do this one at a time to prevent cases where a job site gets errantly claimed by another nearby villager (Note that the job site can be claimed as long as the villager can path to one of the 3x3x1 blocks around the job site at the same y level of the job site, or directly on top of it). If you are ever curious as to the information that an entity, such as a villager is currently storing, you can use the "/data get entity " command to see what is going on. For instance, if you want to look into the state of the closest villager, you would use "/data get entity @e[type=villager,limit=1,sort=nearest]".
@GoofyAh-_- 1 year ago
Genius, thought of that myself but couldnt explain it, made a perfect solution
@walksanator 2 years ago
/home/container is most likely Pterodactyl, as it loads its files into /home/container
@Toolazi1 2 years ago
Regarding the ethics of the internet scan, I feel it helps to imagine that the internet space by default is public zone. Anything on the internet must respond to queries and probes from other computers on the internet. I tend to use the following mental image to help determine when you cross the line from ethical port scanning to potentially illegal activity: Imagine if you will a very dark street with 4,294,967,296 addresses (IPv4 space) all available on a public map. As you walk down the street and shine a flashlight from side to side you see that there are some addresses with nothing there but an empty lot, but there are some you find which have a house (Minecraft server) on it. Just by looking at the house from the street you can identify some basic information about what type of house it is (server version, MOTD, player cap, who is in the house) as the house has it clearly visible from the street. There is nothing that will stop you from walking up to the house and trying to walk into the house, but you find that some of the houses you come across have doors (whitelist security), and some have no doors (open join permissions). If there is a door, you walk up to it and say who you are but the homeowner yells at you to leave as you are not welcome. If there is no door, you can say who you are, walk right in, ask if anyone is home, whose house this is, etc and it is up to the homeowner to either tell you to leave (kick/ban them) or let you stay. Once on a server, the ethics of using hacks/cheats/bypasses etc without the server owner's permission gets into the huge grey area. If the server owner has not posted rules/MotD explaining what is and isn't allowed then it could be construed as a no rules server. If the server has rules/MotD posted about what is and is not acceptable then breaking the rules is not ethical as they were clearly provided. Testing for the Log4Shell vulnerability while good research tends to come down to messaging. 
While I think the research approach was in theory good, the message provided to userspace looked to be the main issue most users had. From their perspective, not knowing that they had left a server open on the internet, they just saw a user connecting they didn't know, sending a strange and cryptic message while saying it was for "a project" and logging out immediately. It would perhaps have helped to do the scan in two loops. On the first, just connect and send a message saying that you had found their server from an open internet scan and would be interested in scanning it as part of a research project on security vulnerability in the near future and providing a contact if they had questions. If they wanted to opt out without letting you know they could either setup a whitelist or ban your scanner's UUID to prevent participation. On the second scan loop, just go over the shorter list of known servers you successfully connected to in the first loop and try the scan at that time where any servers that had banned the UUID or had implemented whitelisting would be ignored.
@riley4252 2 years ago
this is a really cool idea tbh, i like your comparison and suggestion
@Leseratte 2 years ago
Only issue with that (whitelisting, or banning the scanner client) is that it skews the resulting data by *a lot*. It's no longer a representative statistics about how many minecraft servers still have the log4shell vulnerability.
@riley4252 2 years ago
@@Leseratte how do you figure it would skew the results?
@hazzxd 2 years ago
If you're knowingly hosting a Minecraft server on the internet, you absolutely should already know about the log4shell vulnerability and have it patched. It's been long enough. If you're hosting a publicly available server without knowing about it, it's still a lot better to find out this way than to never find out about it. Or they could've eventually found out in a less pleasant way, e.g. someone joining your server to grief. Not to mention if the server was not patched for log4shell... All in all it's a net positive in my opinion. Perhaps a little fear at first but in trade people gain awareness. I don't see a reason for anyone to get upset, or at least to remain upset once they've looked into it.
@riley4252 2 years ago
@@hazzxd what about people who don’t have that much control over their servers? People use hosts that only allow administration using a control panel, and updating isn’t always an option for them. Should they be on the hook for that? Of the people who did see the chat message, which was: “Hey! Sorry for the spam, I’m just scanning Minecraft servers for a project. - (a)LiveOverflow” I agree that the ones who may not have known about the bug and went on to do research, or bothered to look at the handle and say “I should see if that’s a Twitter account, and if so, message them and ask why they scanned my server” , probably did overall benefit from the project. But that message is not inviting people to look deeper into it if they don’t understand what log4j is. In fact, it reads like “don’t mind me, I’m just running a little project, this is just a little spam and now I’m gone.” I just don’t see how that was a good way to execute this. It does not sound like the goal was to help server admins, it sounds like the goal was to collect anonymous statistics about what % of live servers are vulnerable to a RCE, then share that information with thousands of security enthusiasts unbeknownst to the admins of those servers. That’s inviting a lot of people to go scan down vulnerable Minecraft servers and do god knows what.
@lacno29 2 years ago
5:40 There is a Trader that is invisible at night. You can see the particles of the invisibility potion.
@yonasadiel 2 years ago
And he unknowingly trapped the trader there for eternity
@floskater99 2 years ago
Your explanation to the villager problem is 100% correct! Like you said, some random villager in a boat claimed the lectern, because he could pathfind to it, blocking the villager next to the lectern from taking it.
@0tiii 2 years ago
One point I see is that even though there is no malicious intent, your scan did create actual monetary damage (people going to their host providers for support - support agents have to be paid) to hosting providers.
@LiveOverflow 2 years ago
I could have avoided this by doing a silent scan by sending hidden commands instead of chat messages. Most people probably would have not noticed it at all. Would that have been „more ethical“?
@0tiii 2 years ago
@@LiveOverflow In general I don't even think it was unethical in the first place, the goal is educational and you did put a disclaimer. Ideally you could have provided a bit more info for the targets, such as a small thesis/goal writeup and linked it in the disclaimer of your lookup chat message but all in all I think your approach was probably as transparent as it could have been
@riley4252 2 years ago
@@0tiii or even slightly explaining what he was doing. tbh being even more "silent" would probably be worse, because then all of those server admins wouldn't have any hint that they should update their servers to protect them before being put on display as a statistic in a spreadsheet on youtube.
@Cyberducky 2 years ago
I'm so hooked. Can't wait for the next episode of this series.
@depralexcrimson 2 years ago
the reason why your villagers wouldnt take the job is because you had way too many close-by in the chunk, look at the source code where they find a block to get the job and you'll find why they did this, it's for optimizations cuz before if you had like too many villagers you would drop to like 5 frames because it would run expensive searches for every single villager in that chunk and then they made it so if theres too many villagers in one chunk it will not run that code so therefore preventing lag (and also preventing u from getting them a job, darn mojang)
@zyansheep 2 years ago
Man, these videos are awesome. I haven't watched your channel for awhile, but I came back to see what you were doing with minecraft :)
@dekrom 2 years ago
nice experiment, love your content and the mix of the gameplay and the technical stuff, i'll be waiting the next episode
@ironnoriboi 2 years ago
The minecraft servers at /srv/minecraft that are honoring the linux FHS are very cool 😎
@RyanTosh 2 years ago
I think /home/minecraft is also a reasonable option, it's what I used since a separate account for the MC server is recommended, and the home directory's as good a place as any for the server
@ironnoriboi 2 years ago
@@RyanTosh You can do whatever, it does not really matter all that much. It's just a minecraft server, but it's still cool to adhere to standards like the FHS. isolating the server user's permissions is indeed a good thing to do, nice job!
@wChris_ 2 years ago
-To be clear Villagers will only try to find a job at certain periods of the day. So basically Villagers will only try to find jobs during work hours.-
@crec0269 2 years ago
No this is false. They work at a job site during specific periods of the day but they are always trying to find the jobsite when they are unemployed. Regardless of the time of the day. What LiveOverflow deduced about villagers pathfinding and blocking the villager from taking the job is actually correct. If he had done more testing by letting free the villagers in holding area, one of them would definitely pathfind to the work station LiveOverflow placed and claim the job
@wChris_ 2 years ago
@@crec0269 why would some random villager get that job and not the closest one? this would be a reason for a lot of confusion!
@Kabup2 2 years ago
@@wChris_ The algorithm doesn't compare distance, just the free path.
@wChris_ 2 years ago
@@Kabup2 Thats not what i asked, i asked why wont it take the closest villager?
@mekb1 2 years ago
*_-how do you do strikethrough?-_*
@firesean_ 2 years ago
Looks like maybe the lectern was in a range of all the villagers up there, so one "random" Villager was selected. Rather than nearest villager, it seems that all within range was restated and just picks a FIFO order for applying for the job. My theory none the less, someone would have to check the source code to confirm.
@ilusions4 2 years ago
I rang your channel's bell a long time ago and still have it on... This video didn't pop up in my notifications bell menu thing and I had to go to my subscriptions feed to find it. love this website.
@Valery0p5 2 years ago
Back before the pandemic, during the Minecraft "middle ages", when everyone thought the game was going to die pretty soon and every server shut down, some self proclaimed "Minecraft data miners" started collecting the writings from books, signs and other items on all the servers they could find. Some stuff might have looked rather mundane, but some people kept personal diaries on those servers, often with very personal stuff... Those places might have looked abandoned, but maybe it was a bit unethical to invade other people's privacy, even if historical preservation was the purpose. Technoblade left a book in some chest for Tommy to read, and those phrases have become really iconic on how we remember him now... Idk.
@BeNachos 2 years ago
For the villagers thing, when you place a workstation, a villager immediately assigns itself to that workstation. The trades and look won't show on them until they can get to the workstation, but the workstation is still considered taken until it is replaced/the villager can't path find to it for a full day/ the villager travels more than 100 blocks away from the workstation, effectively "leaving the village"
@HarryBallsOnYa345 2 years ago
I've super enjoyed this series! I know it will have to end at some point but i will still be sad when it does.
@AS-hs4xk 2 years ago
This series is awesome 🤩 How am supposed to wait for the next episode 😢
@MannyLama 2 years ago
More of this research please! Great job.
@Liz4rdMan 2 years ago
Keep it going!! Can't wait for the next episode/
@TheMAZZTer 2 years ago
Your explanation on why jobs weren't working makes sense with what I know.. I spent some time just adding lecterns to my village to get some Mending / Efficiency V / Silk Touch / Thorns III books. Pretty sure based on the way it calculates which book to give you Efficiency V is hard to get (based on how hard it was I suspect it calculates the enchantment first, then a level from I - V, and clamps that level afterwards). I have a request for a video I think. One thing that has been annoying is trying to find the perfect horse. Horses have three stats but it can be difficult to determine their jump and speed properties through testing, especially with many horses to test. It would be cool to see a modification for Minecraft to make it easier to determine these values for any particular horse.
@sbsftw4232 2 years ago
You can determine the stats of a horse using in game mechanics. Speed can be measured with a redstone timer activated and stopped by a tripwire at each end of a track. Jump height can be measured with snow blocks used to achieve smaller intervals. Health is on the screen. Ez.
@noahjaussi5401 2 years ago
regarding the villager trade issue, after the boated villagers were walled off from path finding to the lectern I noticed some of the magma blocks hadn't been replaced. My running theory is that the trapped villagers had claimed the lectern without being able to reach it, preventing the one in front of you from claiming the job.
@wolfdesroyer8711 2 years ago
the missing leaves is certainly a throwback
@0xlogn 1 year ago
As a server owner, I got a message from the monitor for chat messages with this and it scared tf out of me. But we DM'd about it and we chat for a bit.
@user-jd3gf5xw1x 2 years ago
222:25 the best part about these types of projects is always things like this. the descriptions
@driesceuppens7623 2 years ago
I believe the reason why the villagers weren't claiming their jobs was first because they were not part of a village. I don't fully remember when this happens but it's something like at least three villagers need access to a bed. That happened when you freed the large group and gave them a bed. Then the trading villagers became a part of the village when the librarian was placed among them.
@Ashnurazg 2 years ago
Is it ethical to scan for attack vectors on Minecraft servers, with the intention to research it? IMHO it is. You don't have bad intentions to use your findings to the disadvantage of players or for your own advantage. Someone joining your Minecraft server and leaving a message that you found them is a grey area and running a known exploit on their server too. That's scary af. IMHO a part of security research is to uncover security issues and tell the public or the company who is affected by this issue about it. From the security standpoint a big player in the hosting business specialized at hosting Minecraft servers is responsible for fixing log4shell for their customers - it's unethical that they don't care about it. Big companies trying to sue security researchers is always a big problem. The responsible disclosure process is the best way to tell a company about a security issue, but not all companies play nice. The problem is when you can easily find Minecraft servers that still can be exploited over log4shell, a black hat can find it too and probably already turned Minecraft servers into malware bots. Maybe a big player in the responsible disclosure like Project Zero can help you? Or the German Computer Chaos Club (CCC)? I'd love if this security issue could somehow be fixed, for those who are unaware of this issue and that are not able to fix it themselves.
@RedstoneLP2 2 years ago
just a little aside: the CDU (a political party here in Germany) sued (and then later retracted i think) a security researcher for finding an unauthenticated API endpoint of an app, which allowed for access to personal data of ~ 20.000 people. following this, the CCC "no longer reports security vulnerabilities to CDU". It's a kind of sad, that some people respond this way to legitimate security concerns.
@riley4252 2 years ago
tbh it probably would have been more ethical to explain to the server admins what he was doing / why he was doing it, instead of effectively saying "dont mind me!" and then making a video telling 725k+ people how many servers are still vulnerable
@convince_me 1 year ago
WOW insane series! also I don't know why but just in case I think I will download every single video you have.
@exoskye 2 years ago
Really random question, but did you use a unique identifier for every Minecraft server you sent a test log4shell to? If so, how many times did IPs that you sent the exploit to, return a request from a different IP, signifying a tunneling system being used?
@riley4252 2 years ago
it did look like there was an id of some kind in the exploit.
@silask7228 2 years ago
Yesss so cool! This video had perfect balance of let's- play to technical content for me. Any more non- hacking MC stuff and it gets too boring for me, I just don't care that much about MC. Short segments are a nice palate cleanser though :)
@Mitsunee_ 2 years ago
as others have suggested maybe linking a webpage or something (tweet maybe even? your own domain might look suspicious to a careful person given that it matches the minecraft username) linked in an initial message before sending the payload would've helped people understand what you're trying to do. In an ideal world you'd obviously have it automated to where someone needs to give permission before the payload is sent, but that'd very likely lower the sample size by a very significant margin :\
@evgenkonyshock4913 2 years ago
Really appreciate what you're doing
@aquual1462 2 years ago
I had the same issue with the villagers not taking jobs. I had to leave the area (unload it ) and come back and sometimes it would fix it. After a few times doing it and a few days passed it was fixed and they took jobs instantly. Maybe they just need to get used to their new home?
@greggleason8467 2 years ago
Maybe make a path finding viewer where you can see all active entity paths
@misspotato813 2 years ago
I think I know what's going on with the villagers, and I believe it's a bug. Workstations are stored as "Point of Interest" (POIs for short). POIs are stored to a file and a villager will check if there are any POIs near them. If they find a POI they then try to pathfind to the POI, if this fails it unclaims the POI. Once the POI is claimed by a villager the POI is marked as claimed and no other villagers can claim it. The villagers in the boats are probably claiming the POI because they think they can pathfind to it as there are no blocks obstructing them. That's where I think the bug is. I believe the AI isn't supposed to be able to do pathfind checks inside the boat and the POI should return false for pathfindable.
@so2be 2 years ago
I love this series!
@Kynatosh 2 years ago
I love all these herobrine appearances xD
@istvanbarta 2 years ago
The villagers trading and bed/job mechanics is the same magic like the redstone circuits :)
@MoewenFiech 2 years ago
Regarding the villagers: it's not that the villagers in the boats linked to the lectern. It's one of the villagers next to them. Because of that it sometimes worked and sometimes not. If you completely build them in on all sides it should work every time.
@FaultyMuse 2 years ago
11:51 You sound sarcastic here, but I genuinely was so interested in what you were talking about that I wasn't really paying attention to what was happening in game
@Respectable_Username 1 year ago
All those people who got scared hopefully were told to add an allowlist to not have it happen again! It's so trivial to scan for servers on the default port (remember kids, always change the port for skid protection!) that it really should be a requirement
@youi690 2 years ago
I can confirm that I have a Minecraft Server hosted on our air-gapped cloud/network containing other production and internal servers and the minecraft server is the only internet facing box :D
@Anonymous25012 1 year ago
"Gonnorhea is just a spicy bee", "im a styrofoam cup yo". These server descriptions are great 💀
@xDeltaF1x 2 years ago
24:30 Anecdotally, there are a lot of Windows 10 VMs running on providers like OVH. I've seen them when following up on IPs associated with malware/spam.
@netux 2 years ago
I was a bit surprised that you didn't try to debug the Villager issue by stepping through the code. You pretty much have the source code and tools to do it already. I guess the log4shell stuff was more interesting and on topic for the channel.
@RynoWasTaken 1 year ago
24:04 holy I was not expecting to see Chunghwa Telecom Co. (a Taiwan ISP) on the list very surprised -committed from Taiwan
@sunseedberry1238 1 year ago
Liveoverflow: I scanned 60,000 minecraft servers without permission Oracle: laughs in 5,000,000,000 (without permission)
@ZachVFX 2 years ago
add nofall in your fly hack it's very simple !
@wrathofainz 2 years ago
I think a number of villagers in an area could have something to do with them not taking a job. When we put down a job block what normally happens? How many villagers move toward it? Does distance matter? If that villager failed to make it to the block, falls in a hole or something, does another villager try to take the job? I'm thinking it could have been the many villagers queuing up to try and take the job, hence the wait. 4:28 you said this ^-^
@redcrafterlppa303 2 years ago
Can you provide a list of all scanned motd of the minecraft servers? If you still have them of course. Would be interesting if my server was scanned 😉
@DarmiGames 2 years ago
Definitely interesting data to see. I really think it's ok from you to do this as long, as you don't have any malicious intends, which you didn't.
@trustfulfish 2 years ago
Thanks!
@mohamedhanti5453 2 years ago
Man you are really good 🔥🔥
@dputra 2 years ago
I didn't realize it's liveoverflow channel at first LOL
@ainaracatgirl 2 years ago
(16:52) I did this so many times, not for RAM, but for the Aikar's Flags. Sadly it got patched, I rent my own VMs now.
@simonkhouryAU 2 years ago
i should try this
@mradamdavies 1 year ago
As an ethical hacker, I think what you did was reasonable. Intent is what matters. Well done. Edit: this was very illegal in the UK until very recently!
@spencerpogo 2 years ago
Why are notifications disabled?
@RiesenpiIz 1 year ago
you can see the villager problem in the timelapse at 4:50
@abuhamza2771 2 years ago
Thank you
@johnnychabin6982 2 years ago
i think you need to leave the villagers with lecterns in front of them if you want them to replenish their trades quickly
@nicklesseos 2 years ago
Can you please add your Paper server to a BungeeCord proxy network and hack into that? I made Docker files for a Paper server and a BungeeCord proxy network if you want to use the config
@DiamondCoding 2 years ago
How legal is the scanning on it’s own? (without Log4Shell)
@greggleason8467 2 years ago
Everything on the internet is very grey legally or illegal. Helping your mom post to Facebook is technically a felony. (In the USA) I’m sure that there are some countries where scanning is illegal outright but really that’s just the way the internet works. Google, yahoo, bing, etc all scan the internet for websites then crawl them. It’s a core requirement that can be abused for malicious reasons. That said the act of scanning isn’t outright illegal in every country
@31redorange08 2 years ago
Did you mean “its”?
@DiamondCoding 2 years ago
@@31redorange08 Jep. English is not my first language.
@riley4252 2 years ago
the scanning itself is legal in a lot of countries but using the log4j exploit is very illegal.
@piecaruso97 2 years ago
Your username can also be an attack vector for log4j on whitelist servers that run in offline mode, so you can use it to find even more vulnerable servers
@tarakivu8861 2 years ago
It's too short
@Janos0206 2 years ago
At the start, when you put down a lectern, a random village will be picked, the villagers upstairs couldn't reach the lectern. After they have had a job assigned this logic changes. You can view this in speedruns where there's a strategy to obtain a bucket from a villager, the speedrunner has to find which villager is heading towards the fish barrel.
@swpq_ 2 years ago
the villager didn't get its job because another villager was already planning on getting it, you can see the villager on the left trying to get the villager's job on the right 3:45
@swpq_ 2 years ago
you could enclose a villager fully to prevent this
@justinbchen 1 year ago
Villager AI already isn't the best, but Paper adds pretty aggressive optimizations that make villager AI (and mob AI in general) even less reliable. I'd suspect that to have at least some role.
@alvesvaren 1 year ago
I made a villager trading hall where they would walk themselves into holes standing on trap doors, which worked fine but because they were ”inside” the block, all other jobless villagers would try to walk out of their cage even though they were too far up. Blocking them off made it work fine for me. The villagers in boats may have the same issue as you guessed.
@reubendanu8354 2 years ago
21:53 Why top of table description looking very sus?
@eleos5 2 years ago
I'd be completely fine with you scanning my minecraft server, but that's easy for me to say because I'm a subscriber.
@riley4252 2 years ago
ye having a random stranger connect and send a payload into global chat is pretty jarring, even when followed up with "don't mind me *innocent whistle* @LiveOverflow"
@heychazza 2 years ago
Hey! I run a Minecraft server analytics platform, love the coverage you're showing and the data you've got across pinging servers. Is it possible to be able to contact you? I did send another comment here but I think the bot has deleted it.
@LiveOverflow 2 years ago
of course, twitter DMs are open. Email is on the YT channel or website :)
@Jechto1999 2 years ago
It feels so wild that all this started from a single April Fools video.
@mctomspdo 2 years ago
I think the villages issue would be related to if it's a village or not. A villager won't take a job outside of his village. It could be that the villagers were thinking they're still home in the village that they were "born" in, and since keeping the villagers in boats does not count as a villager to the algorithm that creates villages. With placing down the bed and getting a villager a job it will be recognised as a village. But you def. got some very weird behaviour.
@unicorn_tamer 1 year ago
Did anyone else read the server descriptions at the end? XD
@1aboPLZ 1 year ago
yup :D
@anand_bhasme 2 years ago
Well Done
@lowhonorbigmanmorgan 2 years ago
love you!1
@Atomy111 2 years ago
Imagine getting upset because somebody warns you your security is shit
@riley4252 2 years ago
Tbh ye that *would* have been ideal if that’s what he was doing.
@userus 2 years ago
I support these kinds of projects. Interesting research, absolute transparency, no malicious intentions. Keep up this kind of work!
@Metruzanca 2 years ago
It's likely my linode server is in that list xD
@eykan_ow 2 years ago
maybe you were the one that randomly joined my minecraft server I'm hosting on my home guest computer running windows 10 lol, after that I got spooked and turned on whitelist
@7darkgames764 2 years ago
Please tell us who is the famous mc hosting platform!
@DeepfriedChips 1 year ago
Unlimited RAM Hack is the equivalent of downloading more ram but for dedicated servers
@ashleybyrd2015 2 years ago
I genuinely hope you informed the people who you found to be vulnerable
@panduhzpanduhz4986 2 years ago
I love you LiveOverflow! I love the minecraft hacking adventures and your explanations. I really love this series and I want you to continue to work hard to produce these videos. Thank u
@0x150 2 years ago
based
@x3prox666 2 years ago
Guys it really works, I checked.
@ezra3871 1 year ago
Villagers only change jobs around midday I think
@unsigned_long_long 2 years ago
The masses of villagers were probs taking the lecterns and bed :3
@ironnoriboi 2 years ago
they only take on jobs during working hours, which is only a few hours a day
@dtech_life 2 years ago
Villagers will only take jobs during certain times of day in minecraft.
@Kynatosh 2 years ago
Mass scanning mc servers for log4shell exploits? promises to be interesting
@skullteria 2 years ago
Lol every time I had similar problems with the game mechanics and especially villagers I just looked up the source code haha.
@huben_1337 2 years ago
One of the most insane mods in my opinion is SeedCrackerX. U really should make a video about it.
@tips1483 2 years ago
IIRC villagers can only take jobs at certain times of the day.
@Sauceltup 2 years ago
What debugger should I use on the new MacBook arm64 architecture?