Be careful! Compromised spigot accounts might be posting plugin updates with malware

Discussion in 'Spigot Discussion' started by Rektb, Mar 22, 2021.


    Disclaimer: I am writing this post on behalf of my friend as he is a bit busy right now.

    This morning, a friend of mine, @DanSeb2000, logged in his Spigot account to check how his new plugin was doing. The plugin he made is a gamemode inspired on a map, called Bingo. The first version was released on Saturday at 2:22 PM GMT-3. However, someone published a new version today at 10:44 AM GMT-3. My friend told me he didn't post that update. The changelog said "bugfixes" and nothing more. He immediately deleted the version and the file along it.

    Out of curiosity, he started looking around the recently updated plugins, and found plugins that have been inactive for years, updated today, near the same hours.
    All of these plugins share two common properties: They cannot be decompiled (they crash JD-GUI and Luyten) and they contain a .class file at the root level which has a weird name.


This is a list of the plugins we've found so far, and the vague changelog messages:
    - "Bungeecord stabilization and support for other firmware like flamecord,aegis"
    - "Fixed some error downloading the plugin and tps stabilization"
    - "Libs update for new version and lagfix"
    - "Fixed console error and more stabilization for newest versions"
    - "Added 1.8.x - 1.16.5 version compatibility."
    - "Security fix. No details, as it can be exploited in older versions."
    - "Fixed all bug! ;)"

    All of the plugins listed above cannot be decompiled with the decompilers mentioned and all of them have this strange class file. Almost all class files contain some kind of reference to an image compressor called 'caesium' (the image compressor is not malware, but we don't know why it's there).

    Something very shady is going on here, please raise awareness about this issue and most important of all, if you are a plugin author, enable 2fa! We think @DanSeb2000's account was compromised because he was using an old password that he used in other websites, and did not have 2FA enabled.

    If a spigot mod or admin sees this post, please take action as soon as possible, this can be dangerous.

    All credits go to @DanSeb2000 who revealed this rabbit hole.

    Either DanSeb or me will post updates about our findings about this issue in the comments.

    Edit: added the plugin changelogs
    #1 Rektb, Mar 22, 2021
    Last edited: Mar 26, 2021
    • Winner Winner x 7
    • Like Like x 3
    • Informative Informative x 3
    • Agree Agree x 1

If you have been infected by this malware, you can follow these steps to get rid of it and its effects.
    Note: this guide is meant to be used on servers running Linux for which you have SSH and FTP access. We don't know if it does anything in a Windows environment, so you probably want to reinstall just to be safe.
    1. Shut down your server. Immediately. The creator of this malware or any of his friends could pop up at any time and get OP, causing a lot of damage. Don't just close the proxies, close EVERYTHING because this thing opens your machine's ports, allowing access even if you close your bungee.
    2. Download Anti-Malware, which is a standalone tool made by Optic_Fusion1.
    3. Upload the .jar file to your server root (the server root is the folder which contains the Spigot JAR) via FTP.
    4. Run Anti-Malware with the commands present in the link in step 2 (java -jar).
5. Check the logs for any warnings that say "MIGHT contain AnnotationObfuscation", and note down the plugins flagged with this.
    6. Remove all plugins which contain this warning, make 100% sure to delete them.
    7. Run the program again to check if it gives any more warnings, if it still throws these messages, repeat until no warnings of this kind show up.
    8. Repeat steps 3 to 7 in every single server and proxy in your network.
    9. You just got rid of the malicious jars, but their effects are still in the system. As far as we know, this malware provides the attacker with backdoor access to your server, but we are not sure if it does anything else, and you can never be sure if the attacker connected to your server and made another backdoor. So the plan here is to back up all your data and reset your server, reinstalling the OS.
    10. Back up all your data (servers, proxies, plugins, configs, databases, website data, etc) by downloading it to your computer via FTP. Make sure you have everything, otherwise it will be lost.
    11. Go to your server's panel (depending on your provider) and reinstall the OS, don't create an image or anything, just empty it.
    12. Place back all the files you backed up via FTP.
    13. You're good to go!
    If you have trouble running AntiMalware you can get in touch with @Optic_Fusion1 or @Janmm14 who can scan your plugins to tell if there is malware present.
Please reply to this comment if you have any suggestions on how to get rid of this.
    #2 Rektb, Mar 22, 2021
    Last edited: Mar 26, 2021
    • Like Like x 1
  3. @Optic_Fusion1 This may be of interest to you.

    As regards the thread, the compromiser seems to be logging in to the account silently, without triggering any system that would lead to an alert to the owner's e-mail, as these accounts don't seem to possess any 2FA protection.

    This problem can be easily mended by the account owners by enabling 2FA and changing their passwords. Nevertheless, having a system for suspicious activity detection could be of great value for this matter.
    • Agree Agree x 5
    • Funny Funny x 11
    • Useful Useful x 1
  4. Optic_Fusion1

    Resource Staff

    Looking into it :)
    • Winner Winner x 1
    • Informative Informative x 1
  5. Optic_Fusion1

    Resource Staff

    contains a few

    <invisAnno:desc =

    , values = []>

    <invisLocalVarAnno:desc =

    , values = []>

    Making a program to remove these will be helpful

    Edit: some have bytecode actually
    Edit 2: They're invisible annotations or invisible local variable annotations
    #9 Optic_Fusion1, Mar 23, 2021
    Last edited: Mar 23, 2021
  6. Luckily Spigot doesn't offer SMS-based 2FA. The authors in question likely didn't have 2FA at all.
    • Like Like x 1
7. Spigot uses token-based 2FA with apps like Google Authenticator, which are far more secure. Anyways, even 2FA via SMS adds a layer of security; unless you're a specific target, it might protect you from an attack targeted at a large group.
    • Like Like x 1
  8. Update: Apparently some of the plugins I reported are being deleted, I think we've found them all but there might be even more. Anyways, thanks to the spigot moderator for taking action before it can affect more users.

  9. FrostedSnowman

    Resource Staff

The resources suspected of having compromised accounts have been dealt with. Always proceed with caution with resources from new users, and of course with events happening out of the ordinary (no updates, then sudden updates, etc.), as we cannot manually check every update and resource that gets submitted. Community member vigilance on these types of things is always appreciated.

    For those using 2FA, or plan to, please remember to write down your backup codes!
    • Like Like x 4
    • Friendly Friendly x 2
  10. Optic_Fusion1

    Resource Staff

    #14 Optic_Fusion1, Mar 23, 2021
    Last edited: Mar 23, 2021
    • Like Like x 1
    • Useful Useful x 1
  11. That was fast.
    May I ask what does that malware do?
    • Like Like x 1
  12. Optic_Fusion1

    Resource Staff

    Throws all of the code behind invisible annotations or invisible local variable annotations.
    A few of them are purely filled with new lines, which makes detection easy.

It's less malware, and more obfuscation I think... it's quite possible malware is hidden in the mess of bytecode though

    Edit: Updated my AntiMalware
    • Useful Useful x 1
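The two indicators the thread describes (a strangely named .class file at the JAR root, and classes whose bytecode is buried behind RuntimeInvisible*Annotations attributes whose contents are nothing but newlines) can be checked without a decompiler, because both show up in the class file's constant pool. The scanner below is an added example and is not the AntiMalware tool or any code from this thread; it parses only the constant pool of each class entry in a JAR, which is enough for these heuristics and does not trip over the malformed remainder that crashes JD-GUI and Luyten. The sample JAR it builds is constructed for the example (the class names, the `a b.class` entry and the `Lcaesium/Foo;` descriptor are made up to mimic the thread's description, not taken from a real plugin).

```python
"""Added example: constant-pool heuristics for the two indicators described in the thread.
Not the AntiMalware tool; the sample JAR below is constructed, not a real plugin."""
import io
import re
import struct
import zipfile

# Attribute names used by javac/ASM for CLASS-retention (invisible) annotations.
INVISIBLE_ATTRS = {
    "RuntimeInvisibleAnnotations",
    "RuntimeInvisibleParameterAnnotations",
    "RuntimeInvisibleTypeAnnotations",
}
# A plausible class file name: a Java identifier, possibly with '$' for inner classes.
IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def read_constant_pool(data: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool (JVMS 4.4).
    Everything after the pool is ignored, so truncated or junk-padded classes still parse."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, i, utf8 = 10, 1, []
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length + bytes (modified UTF-8; lenient decode is fine here)
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            utf8.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package: one u2
            pos += 2
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):  # Integer, Float, *ref, NameAndType, *Dynamic: 4 bytes
            pos += 4
        elif tag in (5, 6):  # Long, Double: 8 bytes and they occupy two pool slots
            pos += 8
            i += 1
        elif tag == 15:  # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return utf8


def scan_class(name: str, data: bytes) -> list:
    """Apply the thread's two heuristics to one JAR entry; returns human-readable findings."""
    findings = []
    base = name.rsplit("/", 1)[-1][: -len(".class")]
    if "/" not in name and not IDENT_RE.match(base):
        findings.append(f"{name}: class at JAR root with a non-identifier name")
    try:
        strings = read_constant_pool(data)
    except ValueError as exc:
        findings.append(f"{name}: unparseable class file ({exc})")
        return findings
    if INVISIBLE_ATTRS & set(strings):
        # Legitimate CLASS-retention annotations exist (e.g. Lombok's @Generated), so only
        # flag when the pool also carries Utf8 constants made purely of whitespace/newlines.
        junk = [s for s in strings if s and s.strip() == ""]
        if junk:
            findings.append(
                f"{name}: invisible annotation attribute plus {len(junk)} whitespace-only constant(s)")
    return findings


def scan_jar(jar_bytes: bytes) -> list:
    """Scan every .class entry of an in-memory JAR and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                findings.extend(scan_class(info.filename, zf.read(info)))
    return findings


def build_class(utf8_entries: list) -> bytes:
    """Constructed test input: a class file whose pool holds only the given Utf8 strings.
    The bytes after the pool are padding; only read_constant_pool() ever looks at this."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in utf8_entries)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52) + struct.pack(">H", len(utf8_entries) + 1)
    return header + pool + b"\x00" * 8


def build_sample_jar() -> bytes:
    """Constructed JAR: one ordinary class plus one entry shaped like the thread's description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/bingo/BingoPlugin.class",
                    build_class(["com/example/bingo/BingoPlugin", "Code", "main"]))
        zf.writestr("a b.class",  # odd root-level name (constructed)
                    build_class(["RuntimeInvisibleAnnotations", "\n\n\n\n", " \n ", "Lcaesium/Foo;"]))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(build_sample_jar()):
        print(finding)
```

To use it on a real file, replace `build_sample_jar()` with `open("plugin.jar", "rb").read()`. The whitespace-only-constant condition is what keeps the invisible-annotation check from flagging ordinary annotation-processor output; anything this scanner reports still deserves a manual look rather than automatic deletion.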
  13. Good to see progress, and thank you @op for reporting this. A bit shameful on those authors for not using a password manager in 2021 and re-using pass.. wait, I've done that too back in the day. Let me explain:

    When I got here, I was just trying to figure out how to run a server with what I heard was a plugin; allowing us to block fire spread. IRC told me so!

So I signed up for a throwaway account, and never thought I'd get back here as much as I have.

    But, nobody is perfect, it's one of those throwaway passwords. Maybe not used elsewhere, but it was very guessable.

    Each time I read about pass changes and 2fa, my brain was like: Oh, I always use that, I am sure I set it up here. Only to find out that I haven't.

    A thread like this helps remind me to open my password manager and review not just spigot, but 15 minutes more of my time on other sites that 1Password now tells me that require attention.

    2FA with XenForo is pretty good, simple instructions, and backup codes can be stored in 1Password. I've updated another handful of sites today, including Spigot. Because why not.

But yeh, if you sell premium plugins on here, or are part of some project and you're sharing content with others, I think it's important to review your account details on the sites you're using. Who says their passwords aren't also being used for email, Jenkins, GitHub etc. and the damage might be bigger than it appears on the surface?

    Best of luck everybody, I am glad threads like these teach us new things and has us thinking twice about what we do online.
  14. Investigative research has proven that some affected servers do not have any of the plugins listed above installed. I was unable to find them although I got a plugin list from some servers.

    If you somehow got a broadcast or a console message linking to this thread:

    You should run the AntiMalware tool to find infected plugins.

If you do not know how to do that, it is a good idea to contact me or @Optic_Fusion1 privately with a link to a Google Drive or Mega folder where you copied all the plugins from your server to. We can scan the files for you, and by providing malicious plugins you can help the antimalware development as well.
    #18 Janmm14, Mar 25, 2021
    Last edited: Mar 25, 2021
    • Winner Winner x 1
  15. Optic_Fusion1

    Resource Staff

just a quick update, here's a list of Linux commands that have been run

    sudo useradd -ou 0 -g 0 nanoide
    sudo useradd -p $(openssl passwd -1 shit) vecchio
    sudo useradd -ou 0 -g 0 vecchio
    sudo apt-get install pochinegri
    screen -S Istituzione
    sudo useradd -ou 0 -g 0 topodifogna
    sudo useradd -ou 0 -g 0 rattodifogna
    sudo useradd -ou 0 -g 0 ratatoing
    iptables -F
    sudo ufw disable
    iptables -F
    sudop rm -rf all
    sudo iptables -A INPUT -p tcp -s --dport 25993 -j DROP
    rm -rf /root/
    sudo rm -rf /
    sudo iptables -A INPUT -p tcp -s --dport 25571 -j DROP
    sudo apt glist
    sudo iptables -A INPUT -p tcp -s --dport 25564 -j DROP
    apt-get install nmap
    sudo apt-get install
    sudo apt-get install sudo
    apt-get update
    apt get install sudo
    mv /home/vivek/.ssh /home/vivek/nosshlogin
    rm -rf /home/vivek/.ssh
    sudo rm -rf /home/vivek/.ssh
    aptiget install sudi
    #19 Optic_Fusion1, Mar 25, 2021
    Last edited: Mar 25, 2021
    • Useful Useful x 1
  16. The malware runs a bunch of linux commands itself, this is just the list of custom commands issued.
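The command list in #19 is useful as detection input: UID-0 account creation (`useradd -ou 0 -g 0`), firewall flushing, blocking the server's own ports, deleting `.ssh` directories and installing `nmap` all stand out in a shell history or audit log. The script below is an added example, not code from this thread or from AntiMalware: it runs a handful of regex rules over a sample history (the lines are taken from the list above, plus one constructed benign line so the output is not all hits) and also checks a constructed `/etc/passwd` excerpt for non-root accounts with UID 0, which is the lasting effect of the `useradd -ou 0` commands. The rule names, the sample passwd entries and the `SAMPLE_HISTORY` block are assumptions of the example.

```python
"""Added example: flag the post-compromise commands described in the thread in a shell
history / audit log, and find UID-0 accounts left behind in /etc/passwd."""
import re

# Sample input: lines from the thread's command list plus one constructed benign line.
SAMPLE_HISTORY = """\
sudo useradd -ou 0 -g 0 nanoide
sudo useradd -p $(openssl passwd -1 shit) vecchio
iptables -F
sudo ufw disable
sudo iptables -A INPUT -p tcp -s --dport 25993 -j DROP
rm -rf /home/vivek/.ssh
apt-get install nmap
ls -la /opt/minecraft
"""

# Constructed /etc/passwd excerpt; 'nanoide' is a second UID-0 account as the commands would create.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vivek:x:1000:1000::/home/vivek:/bin/bash
nanoide:x:0:0::/home/nanoide:/bin/sh
"""

# (rule name, pattern). Names are made up for this example; order determines output order.
RULES = [
    ("new-account", re.compile(r"\buseradd\b")),
    ("uid0-account", re.compile(r"\buseradd\b.*\s-o?u\s*0\b")),          # -u 0 or -ou 0
    ("firewall-flush", re.compile(r"\biptables\s+-F\b|\bufw\s+disable\b")),
    ("port-block", re.compile(r"\biptables\b.*--dport\s+\d+.*-j\s+DROP")),  # blocking own game ports
    ("ssh-key-removal", re.compile(r"\b(?:rm|mv)\b.*/\.ssh\b")),
    ("destructive-rm", re.compile(r"\brm\s+-rf\s+/(?:root/?|\s|$)")),     # rm -rf / or /root
    ("recon-tool-install", re.compile(r"\bapt(?:-get)?\s+install\b.*\bnmap\b")),
]


def classify(line: str) -> list:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan_history(text: str) -> list:
    """Return (line, [rule names]) for each line that matches at least one rule."""
    flagged = []
    for line in text.splitlines():
        hits = classify(line)
        if hits:
            flagged.append((line, hits))
    return flagged


def find_uid0_accounts(passwd_text: str) -> list:
    """Return non-root user names whose UID field is 0 (the effect of 'useradd -ou 0')."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            names.append(parts[0])
    return names


if __name__ == "__main__":
    for line, hits in scan_history(SAMPLE_HISTORY):
        print(f"{', '.join(hits):<32} {line}")
    print("extra UID-0 accounts:", find_uid0_accounts(SAMPLE_PASSWD))
```

On a real host the inputs would be `~/.bash_history` of each account (and of root), `auditd` or `sudo` log lines, and `/etc/passwd`; note that the thread's own advice still applies, since a clean history or passwd file proves nothing once an attacker had root, which is why the post recommends backing up and reinstalling.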