Be careful! Compromised spigot accounts might be posting plugin updates with malware

Discussion in 'Spigot Discussion' started by Rektb, Mar 22, 2021.

  1. A while ago I posted a suggestion to notify users when a resource is deleted through moderation. I'm still so glad that this was implemented.
    • Agree x 3
    • Like x 1
  2. #22 BinGesterbt, Mar 25, 2021
    Last edited: Mar 25, 2021
  3. Wow, I was thinking that it was keylogger-like malware 'cause it was always asking for my VM pass.
    It's like a backdoor that tries to create a lot of users, open custom ports and disable ufw. I don't know what "pochinegri" is, but it seems to only affect Linux/Debian servers. url is a rust launcher and the nasapaul one seems deleted.

    Ps. (dangerous commands)
    rm -rf /root/
    sudo rm -rf /

    Tries also to delete everything on your vpn/vm xD
    • Like x 1
  4. As @Optic_Fusion1 pointed out, the bash script makes two interesting requests:

    Code (Text):
    Code (Text):
    The first link seems to be a download of a cracked rust launcher, and the second link gives a 404, as he probably deleted the content before we could see it. But this is not all: the website (don't visit it, it might have some kind of IP logger or other) has a landing page.

    The page (and also its owner) seems to be Romanian. If you scroll down you can find all their social media.

    YouTube channel:
    And a discord invite: 6W2yTtVMWB - I do not recommend joining the server

    The YouTube channel is pretty interesting, as he seems to be into backdooring machines; in the videos titled "root uri free" you can see what I mean. This is the latest

    Judging by their edgy profile photos, bios and descriptions, etc, I guess our "hackerman" is a script kiddie who got his hands on some bash script from a hacking forum.
  5. translate it from italian and u get "few niggers".
  6. I spammed his telegram channel he used as C&C with fake new infected ips, and issued mc commands to infected machines with a broadcast message that the server is infected.

    Later on I fucked with his obfuscation - a part of his key for deobfuscation came from another Telegram channel's title, which I was able to edit.

    This made the script kiddie quite mad, telling me through the channel title how they lost the battle but not the war and that they'd come back stronger.

    This specific malware is now no longer working, and trying to start a server with that malware plugin will likely make the plugin fail to start; it might even get into an endless while loop while trying to start the infected plugin.

    The telegram bot was ultimately removed from both channels used.

    I am still actively monitoring the used bot to see if anything changes, if it gets added to a new channel or added back to the existing channel.

    We will have to keep our eyes open far more sharply, that one plugin's update was on here for over a month.

    What the malware did additionally on ALL infected machines:
    • Get own IP, get bukkit port, get ssh port and send it to telegram channel
    • Create a new Linux user and give it a password he knew, give that user no-password sudo rights
    What the C&C was capable of:
    • Create a new Linux user with random name & pw and send it over telegram (gave that user no-password sudo rights as well)
    • Trying to edit root user pw to a new random pw and send it over telegram
    • Execute minecraft console commands and report back that it did
    • Execute Linux commands and report back that it did
    He started this project on January 6 in 2021.

    We have a list of all infected ips, but we will not release it, as some targets might still be vulnerable due to the nature of the executed commands.
    Btw. the manually issued commands Optic_Fusion1 sent here were targeted to specific infected machines, and we ofc have the target of each of those commands as well.

    Edit: The script kiddie knows of this thread.

    Edit 2: This specific malware was re-enabled by him. I am continuing to spam him fake new ips.
    #26 Janmm14, Mar 26, 2021
    Last edited: Apr 13, 2021
    • Winner x 1
    • Friendly x 1
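
Added example, not part of the thread and not code from anyone in it: the post above says the malware created Linux users with password-less sudo rights, so this script lists every sudoers rule carrying the `NOPASSWD` tag and flags grantees missing from an allowlist you supply. The account names `deploy` and `sysupd` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit sudoers files for password-less sudo grants (defensive check).

# nopasswd_grantees FILE... -> "grantee<TAB>file" for each NOPASSWD rule
nopasswd_grantees() {
    awk '
        /^[ \t]*#/ { next }                               # comments, #include
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }     # settings, aliases
        /NOPASSWD[ \t]*:/ { print $1 "\t" FILENAME }      # user or %group
    ' "$@"
}

# unexpected_grantees "ALLOWED NAMES" FILE... -> grantees not on the allowlist
unexpected_grantees() {
    allow=" $1 "; shift
    nopasswd_grantees "$@" | while IFS="$(printf '\t')" read -r who file; do
        case "$allow" in
            *" $who "*) ;;                                # expected admin
            *) printf '%s\t%s\n' "$who" "$file" ;;        # needs review
        esac
    done
}

# make_sample DIR -> writes constructed sudoers files (not from a real host)
make_sample() {
    mkdir -p "$1/sudoers.d"
    cat > "$1/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart minecraft
EOF
    printf 'sysupd ALL=(ALL) NOPASSWD:ALL\n' > "$1/sudoers.d/90-extra"
}

# Demo on the constructed sample; "deploy" is the only expected grantee.
sample=$(mktemp -d)
make_sample "$sample"
unexpected_grantees "deploy" "$sample"/sudoers "$sample"/sudoers.d/*
rm -r "$sample"
```

On a real host, run it as root against `/etc/sudoers` and `/etc/sudoers.d/*` with your own admin accounts in the allowlist. It only looks at the `NOPASSWD` tag, so a `Defaults !authenticate` line would need a separate check.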
  7. major cringe moment
    • Like x 2
  8. Last night someone on this site set an avatar that's inappropriate. I reported it anonymously, woke up this morning, and a 40k post account on my forums had a user come back from the dead with the avatar.

    Something's clearly fishy. Because that's a coincidence I don't believe in.
  9. Optic_Fusion1

    Resource Staff

    Agreed, I'll be downloading & mass scanning everything as well as going back to checking everything as soon as it's uploaded or updated.
    #29 Optic_Fusion1, Mar 26, 2021
    Last edited: Mar 26, 2021
    • Agree x 1
  10. Wouldn't the Minecraft server have to run under a privileged account to do that?
  11. Optic_Fusion1

    Resource Staff

    A lot of new-ish server owners don't know how to secure their shit so they end up running it under the root account
    • Like x 1
  12. You don't believe how many people are running their minecraft servers as root. Well I'm doing it as well for a server my brother and his friends play on sometimes, but I know what I'm doing and I'm not downloading random plugins.

    There are also many tutorials out there that don't ask for setting up another Linux user account for a Minecraft server.

    I only got my vps infected once through sonatype-nexus-oss v3 being vulnerable and I had it accidentally set up to run as root :cry:. Once I figured that out, it got its own user acc and an update.
    #32 Janmm14, Mar 26, 2021
    Last edited: Mar 26, 2021
  13. Every time I point it out to people who run stuff as admin, they reply: I honestly don't know or don't care. It works, why break it..

    And even then, all those people who run MySQL because they think they need it for their plugins, but they skip sudo mysql_secure_installation xD among many other basic precautions.

    [email protected]:~# mysql
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
    [email protected]:~#

    If you don't get that, you have work to do.
  14. Optic_Fusion1

    Resource Staff

    Ya boi sees a thread idea "Basic precautions so your shit doesn't get hacked"
  15. @MrDienns has a batch of security threads that talk about domino effect, fallback, backups, basic actions, and I dunno what. It's worth a read for server owners - if only to think about a few things and take some precautions.
  16. Optic_Fusion1

    Resource Staff

    I'm pretty sure even that skips over things like "sudo mysql_secure_installation" last time I checked, so a thread going into that stuff would be useful for new server owners.

    Another thing server owners can do is start the server via the Anti-Malware by doing "java -jar MCAntiMalware.jar --serverJar <path>", which uses a custom security manager that logs a bunch of stuff.
  17. Unfortunately that's not compatible with some premium plugins (crack prevention)
  18. Optic_Fusion1

    Resource Staff

    That's not surprising
  19. It's meant to be abstract; teach you a mindset, not give you a straight up checklist to follow. If I were to mention every single point, I'd miss out on a bunch and give a false sense of security. Rather, the thread teaches people about how these kinds of hacks work, what allows them to work like that, and what you can (abstract) do to mitigate those risks.
  20. Optic_Fusion1

    Resource Staff

    True true. A new thread could be made though, which would go into securely setting up linux & a spigot server or something. Wouldn't have to go into every little detail but just enough to where skript kiddies couldn't do anything. So setting a non-root account, setting up mysql securely and stuff like that.
    • Like x 1
    • Agree x 1