• During the first week of June we've seen intermittent cases of our webservers coming close to capacity. We've started deploying additional resources to address this. During this process we've also started smaller tweaks to our infrastructure to improve performance and availability.
• These changes were reviewed and tested and found to be working with both old and new installations.
• On Saturday and Sunday we brought the first new nodes online and got them to handle requests normally.
• On Sunday around 8:00 CEST an update was done on the licensing data to accommodate the new parameters. During this update a manipulation error occurred in the dataset containing the piracy blacklist - a special blacklist for confirmed pirated installations.
• Systems continued to operate normally at this point.
• On Sunday between 9:00 CEST and 9:30 CEST we started applying the final changes to new nodes to enable our optimizations.
• The input error mentioned earlier together with the infrastructure changes caused all licenses to be matched with the blacklist in error. Blacklisted daemons will shut down after a grace period.
• The logs started showing an increasingly large number of blacklisted checks coming through. This was not noticed initially because log entries we monitor for are usually errors and the systems we were working on were just forwarding the requests.
• Upon noticing this irregularity we immediately started checking the blacklist and parameters to see whether this behavior could be explained by licenses somehow being falsely blacklisted but the licensing data looked fine.
• We then went ahead and disabled the blacklist functionality entirely, this was completed around 9:45 CEST. By this time some daemons have passed the safety delay for the blacklist change and shut down (mostly version 2.3 because of the lower delay). Other daemons had reverted to the free version and would stay in this state until their next status check.
• During our investigation we found a single malformed entry in the blacklist dataset that caused this issue. The infrastructure changes had an unexpected effect when paired with the invalid data in that list so all requests from new nodes got flagged as pirated.
• Due to the limited timeframe and the fact that only some nodes were causing this, daemons were affected randomly depending on when their license check was due and what node their request landed on. We expect that about 25-30% of daemons have been affected in some way.

• Incomplete tests: While we have tested the process before deployment we have not had the most up to date data for the tests. The invalid entry should have been part of our test set before deployment.
  We intend to address this by enforcing a delay between infrastructure changes to allow for more rigorous testing.
• Missing validity checks: There was no way for the system to create the offending entry automatically, all data is checked beforehand and inserts only happen with valid data. However, once manually introduced, the validity checks for data returned by the database were insufficient and enabled this behavior.
  We intend to address this by re-implementing the blacklist functionality entirely with today's situation in mind and with every line of code being absolutely sure of the data it is handling.
• Piracy handling: As we know it most famously from games, piracy is a real issue and it's been an issue for us as well with a large number of pirated installations in the wild a while ago. We've taken a lot of steps to deal with this, always careful to not affect legitimate users in a negative way. Up until today this has worked very well, we've been able to reduce the number of pirated installations without adversely affecting other users. However, just as how anti piracy measures in games that prevent legitimate users from playing are unacceptable, it's unacceptable for our own measures to affect our legitimate users.
  We intend to address this in two ways:
  1. Allow for more time for affected installations. While it's usually clear what's a pirated installation and what's not, there's always room for doubt so we intend to greatly increase any time delays related to licensing. For example the time delay between a piracy warning and the actual daemon shutdown will be increased.
  2. Clear communication: Right now when an installation is identified as pirated, there is not enough warning for users. Some of that is intentional as crackers will use such messages as starting point for creating patches. Nevertheless, we're going to add clearer log messages as well as admin messages within the panel itself so users always stay informed.

Changelog for 2.4.0-pre12:
- Added filter to only show users with roles in server user list
- Allow MySQL SSL connections without client certificate
- Compilation optimization to improve performance
- Don't scroll JAR dropdown search box
- Fixed sidebar flashing when reloading page in collapsed state
- Minor fixes for new themes
- Recursively send signals to child processes (fixes Kill button not working when using launcher)
- Updated Yii framework
Changelog for 2.4.0-pre11:
- Fixed quota update and display not always working correctly
- Fixed server command callback not overriding all variables
- Added CONF_FILE variable
- Improved backup delay display when a previous backup completed successfully
- Make sure the WORKING_DIR variable is set even before the server is started
- Several minor fixes for both centered and flat themes
- Show file size on full backup restore page
- Updated DE translation
- Flat theme: Fixed main menu display on small screens
- Flat theme: Fixed plugin page display
- Flat theme: Fixed sidebar flashing when reloading page with the sidebar collapsed
Changelog for 2.4.0-pre10:
- Added default command for full backup on server creation
- Added separate limit for number of full backups
- Added setting to disable automatic deletion of full backups after reaching the limit
Changelog for 2.4.0-pre9:
- Added additional parameters to server stop and get usage callbacks
- Added daemon_id parameter to all callbacks
- Fixed stacktrace in get usage callback
- Fixed stacktrace in command handling
Changelog for 2.4.0-pre8:
- Added TTL value when creating CloudFlare subdomain
- Added ability to run scripts as daemon
- Added callback for modifying reported server resource usage
- Added callback for overriding daemon server commands
- Added drop shadow to resource display for better visibility
- Added fullBackupCommand setting
- Added getMoveStatus API call
- Added new parameter to findServers API call to return all server details
- Added runScript/getScript API calls
- Added setting for forced templates per conf file allowing for fully automated mod installation
- Added support for using font icons instead of images
- Added theme configuration file to allow for more flexible theming of the panel
- Allow headers to be overridden in the main config file
- Allow server to start with nonexistent template
- Always allow superusers to edit a user theme
- Enabled online plugin list by default
- Expand variables in select server conf settings
- Fixed MySQL DB password update for some MySQL versions
- Fixed TERM signal not always being sent on Windows
- Fixed a rare issue where a scheduled task would never run depending on the scheduled time
- Fixed an error when creating a player without a server
- Fixed an issue where an invalid theme can prevent user profile display
- Fixed an issue where server console could become stuck
- Fixed backup buttons when using delayed daemon queries
- Fixed conf file daemon ID filter not always working correctly
- Fixed configuration reloading not working under certain conditions
- Fixed current page not being marked on lists with multiple pages
- Fixed daemon filter in getStatistics API call
- Fixed encoding issue with command cache under Windows
- Fixed local plugin list losing sort/filter settings when running a plugin action
- Fixed navbar overlapping with datepicker
- Fixed plugin downloads
- Fixed resource display on initial page load
- Fixed timezone in web FTP client
- Implemented CPU limit support for Docker containers
- Implemented IPv6 support for daemon connections
- Implemented SSL support for MySQL connections
- Implemented UDP support for Docker containers
- Implemented ability to get script output
- Implemented delayed daemon query setting to speed up page loads
- Implemented new JAR dropdown list with support for icons and lookup
- Implemented new full backup method with support for external directories
- Implemented new theme
- Implemented support for conditional scheduled tasks
- Implemented support for grouping parameters for the Startup Parameters feature
- Implemented support for stopping servers using signals instead of console commands
- Improved JAR/conf download compatibility
- Improved daemon list performance in server view
- Improved log output for failed scripts
- Improved plugin downloads to be faster for some sources
- PHP compatibility fixes
- Return memory usage of all daemons in getConnectionMemory API call when daemon ID is 0
- Updated libraries used to generate themes
- Use POST requests in sample API implementation if CURL isn't available

downloadHeadersPlugins = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding":"gzip, deflate", "User-Agent": "Mozilla/5.0 (Multicraft Plugin Manager) like FireFox/45.0", "DNT": "1", "Connection": "keep-alive"}
downloadHeaders = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "deflate", "User-Agent": ""}

• Fixed downloader for certain plugin lists
• Fixed json encode on installations with broken iconv libraries
• Fixed user creation under certain conditions
• Fixes for legacy PHP versions as well as PHP 7.2
• Set correct quota when initializing a server
• Updated Yii to latest version
• Updated default server.properties options

• Implemented additional ports feature allowing users to assign a random port to their server
• Implemented default server settings override page
• Implemented global FTP access feature
• Implemented partial console updates for improved performance and less bandwidth usage
• Created new installer for Windows
• Added header based clickjacking protection
• Plus additional small and large features, improvements and fixes!

• Fixed Docker port range feature
• Fixed bruteforce protection when using SQLite
• Fixed plugin downloads sometimes not working
• Improved parsing for certain console output formats
• Updated http library

• Implemented automatic JAR update feature on startup
• Implemented support for JAR categories and categorized listing
• Implemented getOwnApiKey function to better support apps using the API
• Added support for FTPS
• Fixes for PHP 7.1
• Improved clickjacking protection
• Added additional ports setting for servers, map additional ports to Docker containers
• Improved brute-force protection
• Increased time between ingame messages for free version
• Many, many more small and large features, improvements and fixes!

• Show warning when Docker is enabled multiuser mode isn't
• Implemented IP lookup for DOCKER_IP variable since Docker doesn't support hostnames
• Fixed misplaced condition on login screen
• Fixed default settings for new versions of Docker
• Fixed several net2ftp translation encodings
• Fixed resource usage reporting for servers running in Docker

    static $apiUrl = 'http://plugins.multicraft.org/bg_compat/bukkit';

• Support for running servers in Docker containers
• Two-factor authentication using Google Authenticator
• Subdomain and SRV record creation using CloudFlare (allows connecting to servers without specifying a port)
• Spigot and Pocketmine support for plugin browser
• User role customization
• IP filter for staff users
• Security improvements
• Many, many more small and large features, improvements and fixes!

• Remote for Multicraft (Android)
  The Remote for Multicraft App is for Minecraft server admins that use Multicraft control panel. Connect to your Multicraft control panel to check your server status and players from your phone. Features:
  • server stats: RAM, CPU, player count
  • power controls: start/stop/kick/ban/pardon
  • player list and info: level, online/offline, last seen time
  • status check of Minecraft's and Mojang's services
• MobileCraft (iOS)
  MobileCraft is the portable version for the famous hosting platform "Multicraft". It fits anyone from server hosts to casual server owners. All you need to have to control your server, just one click away. You can view your console, kick players, start and stop your server anytime of the day with just a click in MobileCraft.
  • Server management (start, stop, restart, delete, suspend, resume)
  • Console (view console, and send console commands)
  • Online players (kick and ban players directly from the app with a button)
  • User management (change password, delete users, list servers)
  • MYSQL database (create, change password)
  • And many more!
• PocketPanel for Minecraft (Android)
  Server Administration shouldn't be hard - now, it's easy:
  • Control your server with actions like start, stop, restart and more.
  • Check your console and run commands.
  • For panel administrators, create servers, delete them and control servers globally.
  
  
  
  

  Billing System Modules

  25. February 2016
  All Multicraft billing system modules are being updated for Multicraft 2.0. The Blesta module has already supported features that the other modules lacked but it's also being updated for the latest changes in Multicraft. The WHMCS module is currently in beta at a lowered price and it's expected to be released soon. The BoxBilling module has already been released and its documentation updated.
  
  Blesta
  The module supports most functions already, some new server fields will be added with the next release. The module is developed and maintained by Blesta so it's included for free with the billing system.
  
  WHMCS
  The module has been overhauled to allow all settings to be configured with added support for configurable options and custom fields for any server/module setting. Changes and documentation can be found here. Once it's released the new module can be requested through a support ticket from an address that has previously purchased the module.
  
  BoxBilling
  The module has been updated for the latest version of BoxBilling and additional server/module settings have been added. The updated documentation can be found here. The new module can be requested through a support ticket from an address that has previously purchased the module.
  
  
  
  
  

  Multicraft 2.0.1

  02. February 2016
  Multicraft 2.0.1 has been released as a first maintenance release of the latest Multicraft version. This release contains mostly minor cosmetic changes and fixes so upgrading is optional and only required if you are encountering any of the issues listed in the changelog.
  
  On the daemon it is sufficient to replace the "bin/multicraft" binary. On the panel you can replace the panel files without running the install.php since there have been no database changes.
  
  
  • Fixed missing server suspend icon in classic theme
  • Fixed some potentially unhandled exceptions on the daemon
  • Fixed password length not being enforced on password reset
  • Fixed PHP7 error in net2ftp
  • Improved FTP login error message for clarity
  • Updated Yii to latest version
  • Updated copyright notices for 2016
  • Updated library links on about page
  • Installation: Hide typed value on password in put in setup.sh and fixed escaping of certain characters
  • Installation: Remove other access rights to setup.config for safety
  • Installation: Work around Chrome autocomplete in install.php
  • MulticraftAPI.php: Added missing parameter for createPlayer
  • MulticraftAPI.php: Fixed potential warning
  • MulticraftAPI.php: Improved error reporting
  
  
  As always, we highly appreciate all feedback, bugreports and suggestions and we will continue improving Multicraft based on your feedback.
  
  
  
  
  

  Multicraft 2.0.0

  12. December 2015
  We are proud to announce the release of version 2.0.0 of Multicraft! A lot of effort has gone into making sure that we can implement as many user suggestions as possible with this new version of Multicraft to make it even more powerful and easy to use. The release has been postponed a number of times because of feature requests that we consider to be very useful to the vast majority of Multicraft users. Due to this we have begun offering preview releases for download longer before the final release than usual. If you're running a preview release we strongly recommend upgrading to the final 2.0.0 version.
  
  In addition to implementing countless new features and improvements we have also been able to make Multicraft even more secure thanks to the researchers who have contributed to our Bug Bounty Program we have running with Bugcrowd.
  
  As part of this release we are replacing the Windows all-in-one package with the Multicraft Bitnami Stack for Windows for personal use. There is also a Multicraft Bitnami Stack for Linux that we recommend for personal use if you cannot install all requirements for Multicraft. For hosting providers we still recommend using our Linux packages for maximum security and flexibility.
  
  In good Multicraft tradition the length of the changelog is record breaking. There have been so many new features and changes that even a summarized list of the most important changes would be too long for this news entry so here's just a small selection:
  
  • New theme using Bootstrap
  • Improved server crash and console handling, including the option to use .conf files for arbitrary JAR names
  • New Staff role for full access to all servers without giving access to panel settings
  • Server template system
  • Improved Bukkit plugin list
  • Optional startup parameters
  • API improvements and additions
  • Security improvements
  • Linux filesystem quota support
  • Configuration reloading
  • Improved performance, particularly for very large installations (1000+ servers)
  • Removed single instance restriction so you can run multiple daemons with different Owned license keys on the same system
  • Reduced the number of times the banner is shown in the free version
  • Many, many more small and large features, improvements and fixes!
  
  
  ×

  Multicraft 2.0.0 Changelog

  Close
  See the Full Multicraft 2.0.0 Changelog
  
  We highly appreciate all feedback, bugreports and suggestions and we will continue improving Multicraft based on your feedback.
  
  
  
  
  

  Multicraft Bug Bounty Program

  22. May 2015
  As a last step before the finalization of the new release we have ordered a security review for Multicraft and we have launched a Bug Bounty program with the good folks over at Bugcrowd.
  The program has initially been launched as private so if you're interested in participating and earning monetary rewards for reporting security critical bugs please head over to bugcrowd.com to register for a researcher account. Once you have done so please let us know so we can add you as a researcher to our program.
  
  The bug bounty program will be made public in the future once we have left the initial selection of researchers enough time to review the code.
  
  
  
  
  

  Blesta Multicraft Module - Updated

  29. September 2014
  We are happy to announce that the good folks over at Blesta have developed a module to fully support Multicraft with their billing software platform. A video of the module in action can be seen in their blog entry regarding this development:
  Blesta Blog: New Multicraft Module
  
  The module is part of the official v3.3 release of Blesta so you do not have to install any addons to use this module. If you are using an older version of Blesta you can download the module separately from this forum post.
  
  The documentation for this new module can be found here:
  Blesta Multicraft Module Documentation
  
  You can try the new module without obligation by installing the free trial of Blesta and connecting it to your existing Multicraft installation.
  
  We will also be sending out 15% discount coupons for Blesta owned licenses with every new purchase of any Multicraft license.