We have detected that RCON passwords were being leaked by /debugpaste on both Cloudburst Nukkit and PowerNukkit. If you have set server.properties and you have used /debugpaste at least once, then you must change the rcon.password line in the same file and restart the server immediately! If you don’t have that enabled but you also used /debugpaste, you should also change the rcon.password, as it is now compromised.
RCON allows a remote administrator to execute commands in your PowerNukkit server with OP permissions as if the user were typing the commands in the console.
We have already patched the backend that receives /debugpaste uploads from newer PowerNukkit versions to auto-remove the rcon.password, and we have already removed the leaked passwords from the existing pastes, but a malicious user could have noticed the leak and saved the password before our removal.
/debugpaste uploads (from newer PowerNukkit versions) are recorded in the debugpastes folder in your server; you can find all URLs that were generated in the .url files there.
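
One way to act on the steps above, as an added example that is not code from the PowerNukkit project: a shell script that lists the paste URLs recorded in the debugpastes folder and replaces the rcon.password line with a new random value. It assumes server.properties holds key=value lines and that each .url file contains the paste URL as text; the script name and the --rotate flag are hypothetical.

```shell
#!/bin/sh
# Added example (not PowerNukkit code). Assumes key=value lines in
# server.properties and that each .url file contains the paste URL as text.

# Print every URL recorded under <server_dir>/debugpastes/*.url.
# An empty result does not prove /debugpaste was never used: only newer
# PowerNukkit versions record their uploads there.
list_debugpaste_urls() {
    dir="$1/debugpastes"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.url' \
        -exec grep -Eoh 'https?://[^[:space:]"]+' {} + || true
}

# Succeed if rcon.password has a non-empty value.
rcon_password_is_set() {
    grep -Eq '^[[:space:]]*rcon\.password[[:space:]]*=[[:space:]]*[^[:space:]]' \
        "$1/server.properties" 2>/dev/null
}

# Replace rcon.password with 48 random hex characters, keeping a backup
# readable only by the owner (the backup still holds the old password).
rotate_rcon_password() {
    props="$1/server.properties"
    new=$(od -An -N24 -tx1 /dev/urandom | tr -dc '0-9a-f')
    [ "${#new}" -eq 48 ] || return 1
    cp -p "$props" "$props.bak" || return 1
    chmod 600 "$props.bak"
    awk -v pw="$new" '
        /^[ \t]*rcon\.password[ \t]*=/ { print "rcon.password=" pw; done = 1; next }
        { print }
        END { if (!done) print "rcon.password=" pw }
    ' "$props.bak" > "$props.tmp" || return 1
    chmod 600 "$props.tmp" && mv "$props.tmp" "$props"
}

# Usage (hypothetical script name): sh rcon_audit.sh <server_dir> [--rotate]
if [ "$#" -ge 1 ]; then
    echo "Paste URLs generated by this server:"
    list_debugpaste_urls "$1"
    rcon_password_is_set "$1" && echo "rcon.password is set in server.properties"
    if [ "${2:-}" = "--rotate" ]; then
        rotate_rcon_password "$1" && echo "rcon.password rotated; restart the server now"
    fi
fi
```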