Be careful! Compromised spigot accounts might be posting plugin updates with malware

Discussion in 'Spigot Discussion' started by Rektb, Mar 22, 2021.

  1. Why tf do people do these types of things..
     
  2. SAME ISSUE, all players get kicked and in the console I receive this:

    [21:17:56] [User Authenticator #22/WARN]: [LiteBans] AsyncPlayerPreLoginEvent.getAddress() == null (*GaelMinecraftPS)
    [21:17:56] [User Authenticator #19/INFO]: UUID of player *GaelMinecraftPS is b3bbee3f-974c-377d-be53-d4bfa4edf8b8
    [21:17:56] [Server thread/INFO]: [email protected][id=b3bbee3f-974c-377d-be53-d4bfa4edf8b8,name=*GaelMinecraftPS,properties={},legacy=false] (


    [Server thread/ERROR]: Could not establish a connection with BungeeCord, try using BungeeConnector: https://bit.ly/3ekm1pD
    [INFO] at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:302)
    [INFO] at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:62)
    [INFO] at org.bukkit.plugin.SimplePluginManager.fireEvent(SimplePluginManager.java:509)
    [INFO] at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:494)
    [INFO] at java.lang.reflect.Method.invoke(Unknown Source)
    [INFO] at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:298)
    ... 13 more

    and the jar has obfuscated code, it's a threat! My server is not firewalled; it is hosted by PEBBLEHOST.
     
  3. This guy specifically is trying to form a botnet, which is basically a group of "zombified" computers (desktops, laptops, servers, even things like IP cameras, your smart fridge, etc), then they control those infected devices to do things like bitcoin mining, ddosing, and other illegal activities.
     
  4. Mommy didn't teach you not to download random stuff from the internet :rolleyes:
     
  5. This would seemingly imply that it's BungeeCord that got compromised and is telling you to download a payload.

    You got bungee from this site or from the host or some dodgy setup?
     
  6. Firewall your servers if possible; your servers should not be responding to random pings/requests. Someone is joining your bungee servers with a spoofed UUID and faking stack trace messages (hard to tell without full logs, but it looks like it) which redirect you to a malicious plugin (don't click on the link), and that'll get you malware.
     
  7. Use BungeeGuard
    Edit: Or FakeMessageFix
     
    #87 Janmm14, Apr 20, 2021
    Last edited: May 6, 2021
  8. Pebblehost cancelled my server automatically because of malware 1 year ago, a Java class assist, but my server is now clean, no malware, all plugins purchased. This attack is too rare: it kicks all players with nobody online and the console throws this message to download a payload, it never happened before. Somebody tried to bypass the BungeeCord IP forward message with their own BungeeCord, BUT I have the IPWhitelist plugin to only allow connecting from my official BungeeCord. I would try the firewall setting, but I would like to know how this is possible?
     
  9. ->
    Edit: Or FakeMessageFix
     
    #89 Janmm14, Apr 21, 2021
    Last edited: May 6, 2021
  10. Hey there, I have read the thread and I have some doubts about someone who works on a certain "anti exploit" (see link at the end of the post). I don't know what plugin @ignorantcross runs which printed that console error. The reason why I write this is because of this

    Code (Text):
    [ALERT 73] Download this plugin to fix this NTE Kick issue: https://2no.co/2j29A6
    from Janmm14's post. I guess that console message comes from some plugin which got deleted on spigotmc... but upon inspection, this message below uses the 2no.co website. Suspicious, eh?

    Code (Text):
    [Server thread/ERROR]: Could not establish a connection with BungeeCord, try using BungeeConnector: https://bit.ly/3ekm1pD
    By checking the bit.ly on https://getlinkinfo.com, it shows me this: [image]

    The "Effective URL" is interesting: the website "2no.co/2GYM##" is an IP logger (as stated by Janmm14). Since this shortener URL logs our IP address, I used Tor Browser to check it and it redirects me to https://www.spigotmc.org/resources/2ls-exploitfixer-the-ultimate-antiexploit-plugin.62842/

    The guy who manages the Hamster library is known for being blocked with another plugin, which forced me to ditch the antiexploit plugin/the library.
     
  11. The redirect of the 2no.co link can be changed at any time. If it is linking to a plugin on spigotmc, it is likely trying to be a genuine message.
    The 2ls exploit fixer plugin and its author are unrelated to the attacker. At some point such a link also redirected to IPWhitelist plugin on spigotmc.
    If it is linking to something on github or some file sharing website, it is 99% a malicious plugin.

    That URL with BungeeConnector originally pointed to the jar file in https://github.com/MaaklaXD/MaaklaXD/

    You can use https://www.redirect-checker.org/ instead of TOR btw to get the redirect target url even of 2no,co / iplogger,org links.

    No, such messages can appear in your console even without malicious plugins. It is only happening to spigot (or its forks) servers behind bungeecord with ip-forwarding active which are not firewalled with a system firewall and do not use the latest version of BungeeGuard as an alternative to a system firewall.
    I asked spigotmc in private if they could fix this log message exploit, but unfortunately md_5 seems to be busy currently, so no patch is out so far.

    Therefore I am promoting the latest BungeeGuard version for now, which does not log this in plaintext anymore, but base64-encoded. BungeeGuard setup is not that trivial though; you also need the plugin on your BungeeCord and its config set up.
     
    #91 Janmm14, Apr 22, 2021
    Last edited: May 6, 2021
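As an added example (not code from any poster, plugin or project in this thread), a small Python triage that runs over constructed console lines and flags the kind of planted "download this" messages quoted above; the shortener/IP-logger domain list and the sample log are assumptions for illustration.

```python
import re

# Shortener / IP-logger domains named in this thread (assumed list; extend as needed).
SUSPECT_DOMAINS = ("bit.ly", "2no.co", "iplogger.org")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Wording a planted message uses to get the operator to fetch a file.
LURE_RE = re.compile(r"\b(download|try using|use this|fix this)\b", re.IGNORECASE)


def suspect_reason(line):
    """Return why a console line looks like a planted lure, or None if nothing stands out."""
    for m in URL_RE.finditer(line):
        host = m.group(1).lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
            return f"url on shortener/ip-logger domain {host}"
    if URL_RE.search(line) and LURE_RE.search(line):
        return "url combined with download/use-this wording"
    return None


def triage(log_text):
    """Map each flagged console line to its reason; unflagged lines are left out."""
    findings = {}
    for line in log_text.splitlines():
        reason = suspect_reason(line)
        if reason:
            findings[line] = reason
    return findings


# Constructed sample console excerpt (not a real server log); the ERROR and ALERT
# lines copy the wording of the planted messages quoted in this thread.
SAMPLE_LOG = """[21:17:56] [Server thread/INFO]: Done (3.2s)! For help, type "help"
[21:17:56] [User Authenticator #19/INFO]: UUID of player Steve is 11111111-2222-3333-4444-555555555555
[Server thread/ERROR]: Could not establish a connection with BungeeCord, try using BungeeConnector: https://bit.ly/3ekm1pD
[ALERT 73] Download this plugin to fix this NTE Kick issue: https://2no.co/2j29A6
[Server thread/INFO]: [SomePlugin] Documentation: https://example.net/docs"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG).items():
        print(f"{reason}: {line}")
```

A hit is a prompt to verify the message against the plugin's real source, not proof of compromise; the thread's own point stands that the fix is a system firewall or BungeeGuard, not log filtering.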
  12. You can now use my new plugin FakeMessageFix to prevent your console getting spammed with the here recently mentioned fake messages.
     
  13. Hiding the messages doesn't mean the issue is resolved??
    They should be aware they're compromisable through misconfiguration.
     
  14. Such messages can appear even if some IPWhitelist plugin is present and kicks the players attempting to join directly / not through the correct bungeecord.

    This is meant for such cases specifically. Many Minecraft server hosts don't allow you to edit the system firewall, and then people have to resort to IP whitelist plugins.
     
    #94 Janmm14, Apr 27, 2021
    Last edited: Apr 27, 2021
  15. https://github.com/mrfdev/1MB/blob/master/Resources/MCF/1MB-mplcheck.sh

    1MB-mplcheck.sh
    chmod a+x 1MB-mplcheck.sh
    you can put that in the server directory (right in front of plugins/) and run it:
    ./1MB-mplcheck.sh

    .l_ignore <- If you have that file in your directory, or jars that got infected, then whoops? ..
    The conversation came up on a discord in a galaxy far away, and I wanted to check my own dirs and jars. Since I have multiple servers I thought it was nice to have a little script to help, and I might as well share it.

    Output:
    Code (Text):
     % ./1MB-mplcheck.sh
    Checking...

    File: ./plugins/CMI8.8.3.7.jar
    File: ./plugins/DiscordSRV-Build-1.23.0-SNAPSHOT-ead56e2.jar
    File: ./plugins/Geyser-Spigot (1).jar
    Binary file ./plugins/Geyser-Spigot (1).jar matches
    File: ./plugins/LuckPerms-Bukkit-5.3.30.jar
    File: ./plugins/TryMe6.2.3.0.jar
    File: ./plugins/floodgate-bukkit (1).jar
    Binary file ./plugins/floodgate-bukkit (1).jar matches

    Oops, I also found ./plugins/.l_ignore - maybe you're infected...

    Done checking... (If the list has entries with 'Binary file matches', then you are in trouble.

     %
     
    Note please that this output was in a vm with test data, it wasn't actually infected.
     
    #95 mrfloris, Apr 30, 2021
    Last edited: Apr 30, 2021
  16. This is a completely different virus though. OpticFusion1's Antimalware detects it as L10, because that malware creates its malicious loader in a file named like the main class but with L10 at the end. The file .l_ignore in the jar indicates to the virus that the jar was already modified to also spread the virus.
    It was found by me by accident, as customers of AAC complained that it detected its jar being modified and refused to start; I then informed OpticFusion1 about it and he added it to his database. This was at the end of July 2020.
     
    #96 Janmm14, Apr 30, 2021
    Last edited: Apr 30, 2021
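As an added example covering mrfloris's check and Janmm14's description above (it is neither the 1MB-mplcheck.sh script nor OpticFusion1's Antimalware), a Python scanner for the indicators this thread names: the `.l_ignore` file on disk in plugins/, the same marker as an entry inside a jar, and, as a heuristic derived from the L10 naming described above, class entries ending in `L10.class`. Because no infected sample is on the page, it builds two constructed jars in a temp directory to scan; the jar names and contents are made up.

```python
import tempfile
import zipfile
from pathlib import Path

# Indicators from this thread: the marker the infector leaves behind, and (heuristic,
# from the L10 naming described above) a loader class named like the main class + "L10".
MARKER_ENTRY = ".l_ignore"
LOADER_SUFFIX = "L10.class"


def scan_jar(jar_path):
    """Return findings for one plugin jar; an empty list means nothing matched."""
    findings = []
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return [f"{jar_path}: unreadable or not a valid jar"]
    for name in names:
        base = name.rsplit("/", 1)[-1]
        if base == MARKER_ENTRY:
            findings.append(f"{jar_path}: contains {name} (infection marker)")
        elif base.endswith(LOADER_SUFFIX):
            findings.append(f"{jar_path}: suspicious loader class {name}")
    return findings


def scan_plugins_dir(plugins_dir):
    """Check the on-disk marker file, then every *.jar in the plugins directory."""
    plugins_dir = Path(plugins_dir)
    findings = []
    if (plugins_dir / MARKER_ENTRY).exists():
        findings.append(f"{plugins_dir / MARKER_ENTRY}: marker file present in plugins dir")
    for jar in sorted(plugins_dir.glob("*.jar")):
        findings.extend(scan_jar(jar))
    return findings


def _make_jar(path, entries):  # constructed test jar from a {entry name: bytes} mapping
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo():
    """Build a constructed clean jar and a constructed marked jar in a temp dir and scan them."""
    tmp = Path(tempfile.mkdtemp())
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder content
    _make_jar(tmp / "CleanPlugin.jar", {"plugin.yml": b"name: Clean\n", "a/Main.class": stub})
    _make_jar(tmp / "Marked.jar", {"plugin.yml": b"name: Marked\n", "b/Main.class": stub,
                                   "b/MainL10.class": stub, MARKER_ENTRY: b""})
    (tmp / MARKER_ENTRY).write_bytes(b"")
    return scan_plugins_dir(tmp)
```

Point `scan_plugins_dir` at a real plugins/ directory to use it; a hit on the marker is strong, while the L10 suffix rule is only a naming heuristic and should be confirmed by inspecting the class.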
  17. It didn't detect it when I checked; I used today's jar.

    And even if it's another malware, it's just showing that there's more going around than what we see here. I could have also not shared it :)
     
  18. I don't complain about you sharing it, just wanted to add my information to it.

    The antimalware detects it differently (I think it's looking for the "L10" string and sth. else).
    If you have an actually infected jar and not just a test jar with that .l_ignore file and it's not detected by the antimalware, please send it to me.
     