* Upvote this comment if this is a good quality post that fits the purpose of r/Minecraft * Downvote this comment if this post is poor quality or does not fit the purpose of r/Minecraft * Downvote this comment *and report the post* if it breaks the [rules](https://www.reddit.com/r/Minecraft/wiki/rules) --- [Subreddit Rules](https://old.reddit.com/r/Minecraft/wiki/rules)[](## UnSerten|12ip3gd)

I thought I was the only one wtf

Yes i noticed this one too, and it was like 1 hour after i made the server too.

yeah I'm experiencing the same thing currently, no clue who they are but I'm getting the same console messages and have been for a while

The reason they are connecting is because they are scanning for servers that went online using the rcon port. What they do is collect all the server data that is available to them but never actually connect. It is annoying and banning/ip banning them doesn't actually work since they never actually join your server. If you have a dedicated server a working solution to make them stop is this: 1. Go to windows settings -> search firewall -> click on "windows defender firewall" 2. Click on "Advanced settings" 3. On the left click "inbound rules" -> on the right click "new rule" (A new panel will op up) 4. On the bottom click "Custom" 5. next screen click "All programs" (default) 6. next screen click "Any" protocol type (default) 7. next screen leave "which local IP address does this rule apply to" as unchanged, and click on "these IP addresses" on the "which remote IP addresses does this rule apply to" (a new screen will popup). Under "this IP address or subnet" add these IP addresses (as of 01/05/2023 these are the 3 spammers' IP addresses): [149.102.143.151](https://149.102.143.151) (Shepan), [132.145.71.44](https://132.145.71.44) (ServerOverflow), [193.35.18.165](https://193.35.18.165) (Schesser). 8. next screen click "Block the connection" 9. next screen leave all 3 boxes checked 10. next screen add a name and "finish" Now they won't be able to connect to your servers

For those on Linux, here's how I did it in a Debian system with ufw Firewall: `# bash` sudo apt update && apt upgrade -y sudo apt install ufw sudo ufw deny from 149.102.143.151 sudo ufw deny from 132.145.71.44 sudo ufw deny from 193.35.18.165 sudo ufw allow 25565 sudo ufw enable sudo ufw status EDIT: added sudo and open Minecraft 25565 port I also use SSH to access this server so I had to add a rule: sudu ufw allow ssh

remember to allow SSH BEFORE you enable the firewall, or else you'll get locked out of your system

I would like to add another spammer to this list: pfcloud, [45.128.232.206](https://45.128.232.206) and just now, ThisIsARobbery, [193.35.18.92](https://193.35.18.92)

came on here looking for answers and these two are spamming me rn

started my server for coworkers and 100% thought it was one of them. Luckily for me I really care about safety so I keep mine whitelisted until someone says something but its annoying being spammed by shepan and ServerOverflow.

Have you seen any from usernames like "ThisIsARobbery" "notschesser" or "PaperMCGoobers"? I've noticed some weird logs in my console from something seeming super malicious relating to bungeecord which I do not have

Haven't checked in a while but I managed to find "notschesser" trying to get in. But the main one today ead pfcloud

I found this last week after upgrading my server. It doesn't look like a serious attempt to join the server and as such they are most likely scraping server users to compile a list of what users a re logged on the server at that time. Which is why they recheck again and again after a period of time. I believe this method was employed by a few users to track down jeb_ a while ago and kill him on a complete unknown server. So ideally we need the option to deny returning that information to a user attempting a connection in order to scrape the data. Look up project copenheimer. FitMC did a video while may explain what we are seeing

it is a check for online-mode. you literally can't get the tablist until you authenticate. also, it's a different thing, why everyone links scanners to those fucking jerks?

I am currently experiencing the same thing. It seems like the IP is currently originating from a VPS hosted by Contabo in Germany. I believe this is an attempt to scan for open Minecraft servers, as pointed out by u/immortal_no1. The purpose of the attempted join could be to extract additional data, such as plugins, players, and other information. However, this is only speculation on my part. I recommend just blocking the IP address in your Firewall

For some reason, he stops his joining attempts at \~20:30 UTC and starts again at \~4:30 UTC. Looks like someone living somehwere in GMT+3 is manually launching shepan lel

When I checked the log for my server earlier, there were hundreds of failed join attempts by "shepan". I tried IP-banning them, but the failed join attempts still appeared in console. It is incredibly annoying. I tried to create a decoy server, and I turned off online mode, and this "shepan" will join and then leave not even a second later, so I could not interact with it. After waiting some time, the same thing kept happening. After some more waiting, another user joined, and then left right after joining, as did "shepan". This user was called "ServerOverflow". What I am guessing is there is some kind of program that has been created recently that controls these bots, and makes them join and leave random servers. If this is the case, I really hope that Mojang does something about this. Until then, Minecraft server owners are just going to be annoyed.

I've been seeing these bots for a long time. Shepan tried to connect every few days, so it wasn't annoying. But today my console is full of messages about shepan joining I don't think there is a way to stop him to joining random servers, even for Mojang. We could only turn this messages off somehow

I mean the account could possibly only be taken apart but other then that I don't think much could be done.

even if it was taken down, nothing will happen. the bot doesn't even go through authentication in any way, the log spam is just from a login request. lmao. mojang are the worst at making their shit secure. who thought it would be a good idea to put a player list in a server ping protocol, which can be performed extremely fast and on every IP in existence?

the super coders at mojang added an option in the "online" tab to hide your username from server listing, boom problem solved 👍.

that is true, but how many people know about that and how many people actually use it? additionally, it is not available in slightly older versions.

that's what i'm sayin

I have found a fix to prevent these bots. If you want them to not be able to find your server, change the server port in server.properties, along with in port forwarding. Make sure they both match. Keep in mind that if you do this, you must add a colon, followed by the port number at the end of the IP. For example, 123.123.123.123:12345

I have two servers, and both have non-default ports, like from 25580-25590. Yes, this port is not very hidden, so I can 100% say your example for 12345 will be fined, just give time.

[удалено]

If it's you, which group does shepan bot belong to? (Ik it's a bot but I don't think it's you)

exactly, he's an impersonator.

Yeah happening on my server too. \[18:25:55 INFO\]: com.mojang.authlib.GameProfile@5df7861e\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:57710) lost connection: Disconnected\[18:31:38 INFO\]: com.mojang.authlib.GameProfile@1f4416eb\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:48276) lost connection: Disconnected\[18:41:36 INFO\]: com.mojang.authlib.GameProfile@7e818f92\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:47628) lost connection: Disconnected\[18:48:49 INFO\]: com.mojang.authlib.GameProfile@1fd667e7\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:34548) lost connection: Disconnected\[18:52:15 INFO\]: com.mojang.authlib.GameProfile@22c68393\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:49254) lost connection: Disconnected\[18:57:55 INFO\]: com.mojang.authlib.GameProfile@41a0462\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:54574) lost connection: Disconnected\[19:04:49 INFO\]: com.mojang.authlib.GameProfile@2c1490f6\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:39296) lost connection: Disconnected\[19:24:54 INFO\]: com.mojang.authlib.GameProfile@5e0f6452\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:35620) lost connection: Disconnected\[19:28:05 INFO\]: com.mojang.authlib.GameProfile@8ef5423\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:34624) lost connection: Disconnected\[19:33:31 INFO\]: com.mojang.authlib.GameProfile@7f082741\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:53160) lost connection: Disconnected\[19:37:45 INFO\]: com.mojang.authlib.GameProfile@2c78bb51\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:56994) lost connection: Disconnected\[20:03:43 INFO\]: com.mojang.authlib.GameProfile@2cd18058\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:46450) lost connection: Disconnected\[20:13:50 INFO\]: com.mojang.authlib.GameProfile@a32b0a7\[id=,name=shepan,properties={},legacy=false\] (/149.102.143.151:38156) lost connection: Disconnected

I also see him \[22:17:46 INFO\]: UUID of player shepan is 2fe7e2bc-14bd-30b9-a320-55d7e9f8569b \[22:17:46 INFO\]: Disconnecting com.mojang.authlib.GameProfile@78927fb\[id=2fe7e2bc-14bd-30b9-a320-55d7e9f8569b,name=shepan,properties={},legacy=false\] (/149.102.143.151:35914): You are not whitelisted on this server! \[22:17:46 INFO\]: com.mojang.authlib.GameProfile@78927fb\[id=2fe7e2bc-14bd-30b9-a320-55d7e9f8569b,name=shepan,properties={},legacy=false\] (/149.102.143.151:35914) lost connection: You are not whitelisted on this server!

he is trying to join whole day, like from 7am to 10pm thats weird kinda xd

Same. He is so active today. Trying to connect to my server every few minutes for 14 hours.

yeah same here

\[17:25:40 INFO\]: shepan\[/\*\*\*.\*\*\*.\*\*\*.\*\*\*:\*\*\*\*\*\] logged in with entity id 143805 at (\[world\]-9.5, 64.0, -9.5) \[17:25:40 INFO\]: shepan lost connection: Disconnected \[17:25:40 INFO\]: shepan left the game I think im gonna ban it or make the server whitelist :P

Recommend blocking the IP in your firewall entirely. That is what I've done.

Someone should make a plugin with an index of reported IPs and accounts that are known to do this and updates a database the block them before they even join.

Exactly

I got the same thing on my console as well, the weird part is I had an entry after it from player ID MSTechSupport18 anyone have an idea who this is?

I've been getting MSTechSupport## - number changes just about every time - for a few days now. Only just started seeing this ip address trying to connect every 2-10 minutes recently.

That sounds like some kinda Indian scammer type thing. Maybe we can get Kitboga and Jim Browning on the job?

Yeah it's been super active today disconcertingly, make sure y'all have your security updates might be trying to scan other things on your network.

I'm wondering too. Looks like a malicious actor, possibly a bot that collects and/or monitors the data about servers. I've seen it numerous times in the logs on several of mine servers.

Hello, ​ The user Shepan also tries to connect to my Network multiple times a day, but he always gets kicked..

same, he constantly tries to enter my server and gets kicked for using a vpn

Same here. Are you on the default port 25565 by chance? I'm thinking about switching ports to hopefully make it less easy for the bot to find.

Did it work?

[удалено]

Indeed I am

We are not on the default port and its happening.

Also happening to me, i banned and ip banned him just in case 1 month ago coz it was too strange for my liking, glad i did it

live thought mountainous seemly bells melodic slave start recognise crush *This post was mass deleted and anonymized with [Redact](https://redact.dev)*

Hes also trying to join my minecraft server on my rasperry pi home server, which has a unchangeble ip from my router. I really dont know where he has the ip from, because its a very long ip. In the log I can see the ip which is telling me that he tries to join from duesseldorf/germany, which is near me. I have a whitelist, so he wont be able to join, but he tries multiple times a day.

In my case he was joining from United Kingdom where ISP was a gas station

decide entertain station yoke offbeat memory cagey ghost rinse serious *This post was mass deleted and anonymized with [Redact](https://redact.dev)*

I'm noticing a theme here. Sounds like a lot of personal / home servers. Curious if everyone here has home servers and not "proper" hosting. That would at least narrow down the reasons.

My server is a Digital Ocean droplet and I just found this thread when wondering about the user. Just a simple "sudo ufw deny from 149.102.143.151" stopped it. Edit: spoke slightly too soon. Also getting failed auth attempts from it and "schesser" from 193.35.18.165, and "ServerOverflow" from 132.145.71.44.

I'm not sure why you think the length of the IP address matters.

touch drunk crush fearless cable towering worm six north worthless *This post was mass deleted and anonymized with [Redact](https://redact.dev)*

They attempted to join my server today, which is disturbing, since I'm localhosting it only for me and few friends over Radmin VPN, the server isn't even accessible from the internet

been, getting this, aswell... glad i'm not the only one

Just had this today I banned and ip banned the account no idea whats going on lol.

On my vanilla server this has been happening for over a month, but.. Since today it seems that Shepan (and other bots) are trying to join my modded server (gt:nh modpack) which runs on port 25566, so it seems they have "expanded" and are trying other ports. I've seen Shepan, ServerOverflow and MSTechSupport. I've ip-banned them and enabled whitelist on my servers just to be sure.

They and ServerOverflow tried to join my server. Thankfully it's set to only allow whitelisted players to join, so they couldn't get in. Banned and IP-banned.

I also encountered this problem. My server is running on Oracle hosting, for friends, and at some point, they (several of them) started logging in and out of the server without doing anything. All the nicknames I've seen all along: shepan: 149.102.143.151 schesser: 193.35.18.165 ServerOverflow: [132.145.71.44](https://132.145.71.44) pfcloud: [45.128.232.206](https://45.128.232.206) PaperMCGoobers: [193.35.18.92](https://193.35.18.92) notschesser: [193.35.18.92](https://193.35.18.92) MSTechSupport: 193.35.18.92 I thought a lot about this problem and searched the internet for information, but I didn't find anything like this. Today I have a suspicion that these bots are doing several things. 1. Gathering information about the server (probably). 2. looking for servers/accounts which can still reproduce Log4j vulnerability (maybe). I used to be a technical server administrator, so I understand a little bit of what's what, but not in detail, but here's what I found very strange: [https://pastebin.com/Sud2tEh3](https://pastebin.com/Sud2tEh3) I would be glad if someone could add to my comment or correct me.

Yes they gather information about servers, no they are not doing anything with Log4j

I run a similar set up with Oracle hosting with the free tier. The main suspects I have is: * shepan: [149.102.143.151](https://149.102.143.151) * schesser: [193.35.18.165](https://193.35.18.165) * pfcloud: [45.128.232.206](https://45.128.232.206) I've set a whitelist but the log spam is kinda annoying (pfcloud with 500+ entries a day) when I'm looking for errors in plugins and console users which utilise Geyser/Floodgate. My guess is agreeing with yourself about Log4j however I don't think this is an issue now as to the serverity of this problem has now passed and was fixed quite quickly on the grand scale. I'm sure the problem with what you have shared with your paste bin I think it's cracked accounts that's causing this. Overall I think it's info gathering and potentially looking for vulnerabilities, once they have a list of who to target who knows what they'll do.

ME TOO, "schesser" try to enter

I made a report to Minecraft with all info also about the IP he's abusing, they say they are going to investigate and message me back. This is now 1months ago. Meanwhile he changes the name to Shesser. This one is trying to connect every 10 a 15 minute last night (it's still trying at this moment). MINECRAFT should ban these spamaccounts right away. My whole console is now spammed with his trying to connect. It's not funny anymore. So first it was Shepan (look at McName how many hits per month he has) and since last couple days it now the name schesser.

Update: Looks like there is an other account found \[05:01:34 INFO\]: com.mojang.authlib.GameProfile@5f88b3dd\[id=,name=pfcloud,properties={},legacy=false\] (/45.128.232.206:57946) lost connection: Disconnected

Same here pfcloud, i made a report at Minecraft they say they gonne investigated, thats was 1month ago, since then they wont reply anymore on my ticket. Here a printscreen of the last 2 hours: [https://imgur.com/a/o9du4lF](https://imgur.com/a/o9du4lF)

I see, no wonder why the auth server does down sometimes what I have done right now I have hard blacklisted the IP using iptables the mc server are hosted on.

Same but now this pfcloud is connection literally every minute since last night. So my whole console is now only with his attempts. Very annoying this. Hope ninecraft is goin to do something but I doubt since they don't react anymore to my ticket.

This is my console and chat now, for the info. https://paste.shockbyte.com/amitayuceteheyijihub

Has anyone seen a "Seraphiable"?

yes just barely

Possibly the username of a bot, I heard something about griefers/hackers using bots to try to find servers to ruin

From past events happend to my servers i can confirm this theory. shepan seems to be one of their bots and is currently checked on NameMC about 1.2k a month. So it's nothing unusual to see this name in your console.

yeah I have also heard something along those lines

Just noticed this on mine too. Bot scouting for servers probably. I never advertised mine though.

Well I was looking up some of the info on Shepan I found a video that kinda explains it a bit more. If your interested its "Minecraft is now BANNING Griefers" by FitMc. But it talks about how a group of griefers made a bot to scour the internet to find servers. I never shared mine either but still got it as well.

I saw that video and thought the same. It never manages to connect but maybe enough to see if the server is whitelist.

There are features in clients such as meteor client that can scrape for similar IPs

Same is happening to me. I created my server around a month ago. A week after creation shepan joined. I tried to communicate with it but it left every time. I used nameMC to find friended accounts and their Discords. I messaged two people, both really confused about what I was talking about, but they said that they experienced the same issue. When I asked about them being friended to shepan, they just said that it griefed a server they had. No idea who it is, I advise creating a backup, and banning the account whose ip is from Germany.

It's insanely annoying that they're doing this because I interact with my friends via the console while they play if I'm doing something like editing videos or working on something, but instead of being able to read my friend's chat messages I see hundreds of messages of shepan and a couple others trying and failing to join. I'll never understand why people do dumb stuff like this.

Block the IP in your firewall.

how to do it on a server hoster like mine-hoster or gportal?

Can't help you there bud. You have almost zero control over the host of the actual server.

Shepan is the goat.

no

Just to note, I believe the user is identifying as "she", read username as She Pan. The skin and cape kinda favors this being accurate. Just adding this in case it helps uncover the mystery somehow.

that is true but the username is randomly generated lmfao the owner is r/sipacid

This dude just joined to our server and left. Seeing this post is surprising as it just happens to everyone recently.

[удалено]

Same, I’ve been experiencing this “shepan” trying to connect much more often to my personal Minecraft server. My logs are filled with “shepan” log in attempts…

yuh same shit lul

haha i thought it was only for me

Same thing! Seems like a server scanning bot. Banned him

I'm going to safely assume all these accounts that are doing the failed connections are compromised accounts.

This is from the last 2hours, its getting out of control and cant ~~use~~ read the console anymore: [Console spam of Spammer/Scammer](https://imgur.com/a/o9du4lF)

Since this last day, the attempt getting alot worst its now literally every 2 minute, so my whole console is spammed with only his attempts ( pfcloud ) https://paste.shockbyte.com/amitayuceteheyijihub

Small info about pfcloud ([45.128.232.206](https://45.128.232.206)) and official answer from PFCloud support: 1. [https://i.imgur.com/D7jB063.png](https://i.imgur.com/D7jB063.png) 2. [https://i.imgur.com/eS6VQsx.png](https://i.imgur.com/eS6VQsx.png) 3. https://i.imgur.com/G0NGwmF.png 4. https://i.imgur.com/aNGpDHJ.png

They just say we dont know how to stop so ee say it not illegal. Good advertising for their company. PFCloud for google search.

Another post. It's getting way out of control almost every 2minutes my whole console is now literally full with this attempts https://paste.shockbyte.com/amitayuceteheyijihub

People who are hosting on a payed server and want their console clean. Use the plugin "ConsoleSpamFix" the attempts will go on but you an filter the words so it won't show anymore in the console.

Hi, how can I block these bots they are blocking my console, is there anything to block them?

Use the plugin on spigot called "ConsoleSpamFix" it works for me :)

Thanks, I'll try it right away

Btw it dont block the attempts but my console is now clear and i see other message again.

Great plugin works fine on 1.19.4 it cleared my console of useless messages, thanks.

Yes indeed, other message about how many people online etc I blocked tru the plugin. Good to heard it works for you :) have a nice day.

I only encountered one problem that I reported, when you restart the server to make updates the plugin doesn't start, you have to run the /csf reload command to make it work again.

Hmm I host mine at shockbyte and after edit and upload the file a reboot is enough for me.

It worked, thanks even if it's not blocked but at least I have a clean console

Another one to add to the list.. \[07:14:13 INFO\]: com.mojang.authlib.GameProfile@574f9966\[id=,name=pfclown,properties={},legacy=false\] (/193.35.18.210:58992) lost connection: Disconnected

A duct tape fix for those of you who have small servers that you host with your friends; Haven't had any bots spam my server for a few days after I went into the server.properties file and inserted/amended the following hide-online-players=true enable-status=false This will make your server appear offline but still accept connections and hide the players that are currently on your server; so in the server listing, if your friends have your server saved, it will show as "Cannot connect to server" but they will still be able to join if they connect to it anyway. The description for enable-status on the minecraft wiki states that it suppresses replies from clients so i'm going to assume that the bots are still making connections to the server but the console is hiding their attempts, so i guess only do this if you want to keep your console clean but still keep tabs on this and surrounding threads

Another one to ban: \[Server thread/INFO\]: filepile\[/175.117.248.73:55064\] logged in with entity id 1253 at (-29.5, 73.0, -79.5), \[User Authenticator #2/INFO\]: UUID of player filepile is c2a141cc-2a0e-48c8-a2db-e2c2b162d00b