Time Nick Message 10:38 MTDiscord Is there something wild going on in the serverlist right now? My server vanished, and there seems to be some ... impostor?? 10:39 sfan5 server name? 10:40 MTDiscord yourland.de 10:40 MTDiscord I can't send pictures unfortunately. 10:40 MTDiscord There's a creative server with 15 max players called "yourland.de" 10:40 MTDiscord Our domain is your-land.de 10:41 MTDiscord I can't find it on https://servers.luanti.org/ but it's visible on the client 10:42 MTDiscord It also claims it's running mineclone2 10:42 MTDiscord According to my client, the 4 people on this server are a,b,c and ghislo 10:43 MTDiscord The address and port it points to is the correct one, but that's not coming from us. 10:43 [MatrxMT] I can see the real your-land.de in my favourites and something called "Your Neighbours" in the server list in the client 10:43 sfan5 I can't find this in the data files on the server 10:44 MTDiscord Your neighbours is a legit server we also host 10:45 [MatrxMT] then I can't seem to see the impostor mysel 10:45 sfan5 aha wait 10:45 MTDiscord https://ibb.co/QF4NqqNK 10:45 MTDiscord https://ibb.co/LhPqt2hX 10:46 MTDiscord Looks like they either switched to the domain with the dash recently or I didn't see right 10:46 [MatrxMT] yeah that's what I saw, the one with the dash, and the suspicious duplicate description 10:46 sfan5 since the list only permits one server this one is blocking yours from being announced 10:46 sfan5 however this isn't supposed to happen, since the fake one isn't being announced from the right IP 10:47 sfan5 but yours is 10:51 MTDiscord 1. what do I do to stop that? 2. what do I do to not have that happen again in the future? 3. can this attack siphon logins and password hashes? 4. Please DM me the IP the attack came from 10:54 sfan5 1/2: nothing, I fixed it now. | 3: no, clients would connect to your server. just the description and data is wrong. even if clients were connecting to the attacker server due to SRP it still wouldn't reveal hashes | 4: in redacted form maybe 10:55 MTDiscord Since when was that faux server listed ? 10:57 sfan5 not before 12:08 11:04 alias +1 thank you :) 11:05 sfan5 looks like someone with a different IP attempted the same thing yesterday evening (23:10) 11:13 MTDiscord Not sure if this has been discussed before, its probably not a great idea, but it might be worth having a server registration portal — either integrated into ContentDB or as a separate platform. Server owners could create an account and register their servers individually. Each registered server would then receive a unique token to use in the announce configuration. This wouldn’t completely prevent spoofing or phishing, but it would 11:13 MTDiscord make it more difficult and provide better data for identifying and handling bad actors. 11:15 [MatrxMT] authenticating the server list has been discussed before, but people would rather debate and delay and say that whatever we'd add would be imperfect and therefore useless 11:30 sfan5 the current implementation is quite solid and it has safeguards against this. this was caused by an implementation bug. 11:45 MinetestBot 02[git] 04sfan5 -> 03luanti-org/serverlist: Fix logic error in server duplicate check 132f66e1d https://github.com/luanti-org/serverlist/commit/2f66e1deca9dd0327de94ca48bd064b44c9d58e4 (152025-10-16T11:45:09Z) 14:07 user333_ found it 14:08 user333_ seems like the serverlist is hacked again... 14:09 MTDiscord uhoh. 14:09 sfan5 ? 14:09 user333_ ok, maybe not "hacked"... just fake servers 14:09 user333_ read the conversation from earlier 14:10 MTDiscord oh ok so not like the incident from earlier this year 14:10 sfan5 I participated in the conversion earlier, so yes I did read it 14:10 sfan5 it sounded like you were saying there's a problem with the server list right now 14:10 sfan5 and not three hours ago 14:12 user333_ well the said server is still up 14:12 sfan5 no? 14:12 user333_ i just checked the serverlist 14:13 sfan5 !server your land 14:13 MinetestBot sfan5: Your Land | your-land.de | Clients: 23/52, 18/24 | Version: 5.12.0-yl / minetest | Ping: 13ms 14:13 sfan5 ^ that's not fake 14:14 user333_ and it's gone.... huh 14:16 user333_ i swear it was there.... 14:22 MinetestBot 02[git] 04sfan5 -> 03luanti-org/serverlist: Replace outdated URLs 13fda88af https://github.com/luanti-org/serverlist/commit/fda88af6761cd8b9ab2fda91d8fc03a1a240c5a0 (152025-10-16T14:20:11Z) 22:18 MinetestBot 02[git] 04Thomas--S -> 03luanti-org/luanti: Clarify set_yaw() behaviour in documentation 136b0e1e9 https://github.com/luanti-org/luanti/commit/6b0e1e9b67c43eccfc11949374b4747fe5658d17 (152025-10-16T22:17:52Z) 22:20 MinetestBot 02[git] 04sfan5 -> 03luanti-org/luanti: Make logging timestamps configurable (#16581) 13a049174 https://github.com/luanti-org/luanti/commit/a049174f1259f7eb5e60d344bbfccb99ba92bde1 (152025-10-16T22:18:06Z)