Rogue admin Glizer removal?

This thread in the "Discussion" forum was created by ryangubele, May 23, 2012.

  1. ryangubele

    ryangubele Newbie

    I recently had an admin go rogue and delete our servers and backups. I was able to recover most things from our offsite backup, and I have removed his console access and banned him.

    I was looking through the Glizer wiki for guidance on how to handle the ban, and came across this:

    Does using console access to destroy the server count? If so, what proof is necessary? Since he deleted the server and the backups, most of the evidence of the deletion is gone; the only thing I have remaining are the chat logs that occurred at the time, which are only circumstantial. I should still have evidence of the griefing and admin abuse that preceded the incident.

    If a global ban is not appropriate for admin abuse and server destruction, please let me know, and I will rescind the global ban that I issued and make it local instead. If you believe moving forward with a global disable would be appropriate, let me know that as well, and I will provide the user's name and what evidence I can.

    Thank you!
  2. knight

    knight Regular

    AW: Rogue admin Glizer removal?

    Hi ryangubele,

    I think that a chat protocol is not a proof to disable an account forever. That says that a glizer staff will get your ex-admin a global reputation by his account with (-100). He can never connect to a server running glizer.

    There are 2 reputations: The server reputation and the glizer account reputation.
    When you ban an account globally you give him a global reputation by (-10) and a local reputation by (-100).
    He can not connect to your server and other server admins and mods are warned :)

    I think he had erased the data with ftp?! See in the ftp server log or ask your server provider. When ftp logged login actions then you had an IP. When the IP is the same as the user IP, then I think you had a proof to disable his account.

    No, the globalban is proof and you must not change to local ;-)

    But he didn't attack your server. He had destroyed it with his rights, if this is a reason? I don't know ;-)

    You must wait for the answer from the glizer staff :)

    I hope I could help you ;-)
  3. ryangubele

    ryangubele Newbie

    Re: AW: Rogue admin Glizer removal?

    Hi Knight,

    Thank you for your reply.

    Here is the sum total of the evidence I have or can collect:

    1. Our chat session at the time when he deleted the server.

    2. My internal monitoring showing the server going down at the time of the chat.

    3. Glizer's heartbeat monitoring should also confirm that the server went down during the time of the chat.

    4. My server's SSH logs, showing that he was logged in at the time that the server went down (and the time of the chat). I can provide my server logs matching his IP to his user name, but I think that glizer should be able to do so internally thanks to the plugin.

    5. My server's 'last' logs, showing the same as #4.

    6. The AWS billing logs of me pulling the latest off-site backup of the server from Amazon S3, where I keep it.

    7. Our hawkeye logs (which are stored in an external, off-site MySQL server) showing abuses of his administrative privilege up to the time of the server deletion.

    He actually had SSH access to the server. He presumably did something like an rm -fr *. He either intentionally or accidentally caught the .bash_history file in his deletion, which is why I can't provide concrete evidence that he actually deleted it. Nonetheless, he and I were the only two with access, the files disappeared, and he essentially admitted as much in our chat. I am 100% confident that he attempted to destroy the server.

    I run a dedicated server, so unfortunately there is no provider to contact for access logs. It's just what I have.

    Yeah. Sadly, it's not FTP, and I don't log every SSH command entered. He was in a position of trust, I'm afraid.

    I will leave the global ban in place for now then. It looks like he may be trying to dispute it. I can't find a lot of information about Glizer's dispute process on their wiki. Can you enlighten me? Even if I can't prove he deleted the server, I can concretely prove that he abused his administrative privileges, harassed players, and griefed, which should be enough to hold up a global ban even if it wouldn't mean an account disable.

    Yes, he did use his legitimate access to destroy the server, rather than an exploit or other kind of attack.

    Thank you again!
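The correlation described in items 4 and 5 of the post above (who held an SSH session at the moment the server went down), as an added example that is not part of the original thread. It assumes classic syslog-format sshd lines; the hostname, user names, IP addresses and times are constructed.

```python
import re
from datetime import datetime

# Constructed sample in classic syslog/sshd format (not logs from the thread).
SAMPLE_AUTH_LOG = """\
May 22 20:58:10 mc1 sshd[2101]: Accepted publickey for owner from 198.51.100.4 port 40122 ssh2
May 22 21:02:47 mc1 sshd[2144]: Accepted password for coadmin from 203.0.113.7 port 51844 ssh2
May 22 21:05:30 mc1 sshd[2190]: Accepted password for builder from 192.0.2.55 port 39010 ssh2
May 22 21:09:02 mc1 sshd[2190]: pam_unix(sshd:session): session closed for user builder
May 22 21:31:15 mc1 sshd[2144]: pam_unix(sshd:session): session closed for user coadmin
"""

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port \d+")
CLOSE = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:session\): session closed for user (\S+)")

def parse_ts(line, year):
    # Classic syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def ssh_sessions(log_text, year):
    """Pair each 'Accepted' line with its 'session closed' line by sshd PID.
    Assumption: a PID is not reused within the log window being examined."""
    sessions = {}
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            pid, user, ip = m.groups()
            sessions[pid] = {"user": user, "ip": ip,
                             "start": parse_ts(line, year), "end": None}
        elif (m := CLOSE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["end"] = parse_ts(line, year)
    return list(sessions.values())

def active_at(sessions, moment):
    """Sessions open at `moment`; one with no close line counts as still open."""
    return [s for s in sessions
            if s["start"] <= moment and (s["end"] is None or moment <= s["end"])]

def report(log_text, outage, year):
    """Sorted (user, source IP) pairs that held a session at the outage time."""
    return sorted((s["user"], s["ip"])
                  for s in active_at(ssh_sessions(log_text, year), outage))

if __name__ == "__main__":
    outage = datetime(2012, 5, 22, 21, 30, 0)  # constructed time from monitoring
    for user, ip in report(SAMPLE_AUTH_LOG, outage, 2012):
        print(f"{user} was logged in from {ip} at {outage}")
```

An overlap like this shows presence, not which command was run, which matches the limit the post describes once .bash_history is gone.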
  4. knight

    knight Regular

    AW: Rogue admin Glizer removal?

    I can feel with you ;-)

    I think that the data you can collect is a good reason for a permaban. But I'm not a glizer staff. I can help and write to you, but not finish your request ;-)

    But when a glizer staff has time for your request, he will answer you :)

    Only the best for you ;-)

  5. Krim

    Krim Is not Krim Team Slave

    AW: Rogue admin Glizer removal?

    It's not a hacking attack - the player is no risk for other servers. He deleted your files with the proper password, so nope - no globalban, but you can ban him normally on your server.
  6. ryangubele

    ryangubele Newbie

    Re: AW: Rogue admin Glizer removal?

    Hi Krim,

    Thank you for the reply. I understand that the global disable/permaban isn't appropriate in this case, since he did not hack the server but rather used his legitimate privileges.

    However, I wanted to double-check with you that a globalban from my server is indeed not appropriate because of his griefing. The ban guidelines say that griefing is:

    Deleting the world files may not be the traditional way that griefers grief, but it still certainly has the effect of destroying buildings and harming players. Even if you don't agree with that, prior to the incident, he did grief in a more traditional way, by setting fire to player structures. While I haven't actually counted the number of blocks of damage that that resulted in, I would be really surprised if it wasn't under the 50-block guideline. Quite frankly, had any other player set fire to structures on our server, I would have immediately given him a glizer global ban without a second thought. The only reason that I didn't immediately ban him was because he was my co-admin, and the damage was easily repaired with rollbacks.

    Anyway, let me know what you think. I will go with your advice either way.

    By the way, I love glizer, and think it's an awesome product. I use it exclusively for bans on my server. I don't use the ban.txt or anything else. So the only question I really have is, should I keep the global ban, or switch it to a local ban.

    Thanks again!
  7. Krim

    Krim Is not Krim Team Slave

    AW: Rogue admin Glizer removal?

    You can keep the global ban.
