Kimsufi Anti Hack - AutoItemReload

Discussion in 'Systems Administration' started by EHCanadian, Jul 13, 2019 at 5:26 PM.

  1. I have been having some troubles with the following plugins.

    Code (Text):

    2019-07-13  11:55 AM            14,055 ActionBarAPI-1.5.4.jar
    2019-07-13  11:55 AM         1,061,218 AgarthaLib.jar
    2019-07-13  11:55 AM         1,806,064 AsyncWorldEdit-3.6.6.jar
    2019-07-13  11:55 AM             8,819 AutoItemReload-v1.6.jar
    2019-07-13  11:55 AM         4,203,047 BKCommonLib-1.14.3-v1-SNAPSHOT.jar
    2019-07-13  11:55 AM           101,501 BlocksHub-3.1.0.jar
    2019-07-13  11:55 AM         1,090,594 ChatControl-8.2.12.jar
    2019-07-13  11:55 AM           702,583 ChestShop.jar
    2019-07-13  11:55 AM            10,335 CommandHook.jar
    2019-07-13  11:55 AM           348,574 CoreProtect-2.17.5.jar
    2019-07-13  11:55 AM            71,111 EditableSign-7.0.0.jar
    2019-07-13  11:55 AM           284,975 EssentialsMysqlStorage-1.20.4.jar
    2019-07-13  11:55 AM         1,467,350 EssentialsX-2.17.0.0.jar
    2019-07-13  11:55 AM            15,450 EssentialsXSpawn-2.17.0.0.jar
    2019-07-13  11:55 AM            62,908 ExtraContexts.jar
    2019-07-13  11:55 AM           143,875 FlagsCopy_v1.1.1.jar
    2019-07-13  11:55 AM           437,019 HolographicDisplays-2.3.3-SNAPSHOT.jar
    2019-07-13  11:55 AM             7,961 HolographicDisplaysAPI-2.3.3-SNAPSHOT.jar
    2019-07-13  11:55 AM             8,261 InfiniteDispenserX.jar
    2019-07-13  11:55 AM            37,261 InfoBook.jar
    2019-07-13  12:03 PM           176,200 latest.log
    2019-07-13  11:55 AM            40,683 LightCleaner-1.13.1-v1.jar
    2019-07-13  11:55 AM         1,306,034 LuckPerms-Bukkit-4.4.1.jar
    2019-07-13  11:55 AM         1,393,929 mcMMO.jar
    2019-07-13  11:55 AM            62,426 MysqlEconomyBank-v1.13.2.jar
    2019-07-13  11:55 AM           516,899 MysqlPlayerDataBridge-v3.29.4.jar
    2019-07-13  11:55 AM            54,943 NoPlugins.jar
    2019-07-13  11:55 AM         2,616,564 nuvotifier-2.5.3.jar
    2019-07-13  11:55 AM           147,831 PixelPrinter.jar
    2019-07-13  11:55 AM           343,788 PlaceholderAPI-2.10.3.jar
    2019-07-13  12:08 PM                 0 plugin.log
    2019-07-13  11:55 AM         1,483,042 ProtocolLib.jar
    2019-07-13  11:55 AM         1,481,880 RedProtect-7.6.2-b247-Universal.jar
    2019-07-13  11:55 AM            11,634 SimpleJail.jar
    2019-07-13  11:55 AM           113,469 statuecreator.jar
    2019-07-13  11:55 AM            40,651 TimeIsMoney.jar
    2019-07-13  11:55 AM           175,585 ultimatetimber-2.0.0.jar
    2019-07-13  11:55 AM           273,727 Vault.jar
    2019-07-13  11:55 AM         1,319,636 VotingPlugin.jar
    2019-07-13  11:55 AM            13,189 WebSender.jar
    2019-07-13  11:55 AM           143,854 WorldBorder.jar
    2019-07-13  11:55 AM         2,508,387 worldedit-bukkit-7.0.1-SNAPSHOT-dist.jar
    2019-07-13  11:55 AM            96,025 WorldEditCUI-1.5.jar
    2019-07-13  11:55 AM         1,070,880 worldguard-bukkit-7.0.1-SNAPSHOT-dist.jar
    2019-07-13  11:55 AM           115,173 WorldGuardExtraFlags.jar
    2019-07-13  11:55 AM            33,919 WSEvents-0.8.jar
     
    Since Kimsufi only grants three anti-hack notifications before they put your rental
    in rescue mode and you have to wipe the OS, I was wondering the best way to locate
    a plugin that is "malicious" or being exploited. This is my second occurrence with this since
    June 9th. Since it's random and seems to be spaced out, I "think" one of the older plugins
    may have been exploited, as the console doesn't indicate anything going on. It has a list
    of IPs it's hitting. It's getting that list from somewhere. I was actually investigating when I noticed the java
    process's network outbound spike to 75%.

    Here are some IPs one of these "plugins" has been targeting.


    Anyone else run any of the plugins listed and notice high outbound traffic randomly?

    Anyone have suggestions on the best way to explore what each plugin is using in resources
    and network activity when spigotmc is active?
     
  2. I'd say use my AntiMalware, but it doesn't really take this sort of thing into account. Send me the jars and I'll look through them :)
     
  3. I have sent you a link to the plugins. Because some of them are "premium" and you are an active dev, I trust you will only debug.

    I am open to other solutions too.
     
  4. AutoItemReload perhaps, seems similar to other malware I've found recently
     
  5. What do you see it doing? Is it calling home, fetching something external?
     
  6. Since it's obfuscated, not 100% sure.
    However, IF it's connected to the other jars, it probably connects to a website, downloads malicious code and runs that.
     
    #6 Optic_Fusion1, Jul 13, 2019 at 6:24 PM
    Last edited: Jul 13, 2019 at 6:31 PM
  7. Managed to properly decompile it. AutoItemReloader is definitely malicious, remove it.
     
  8. Could you show what you see?
     
  9. Took a look. I see the site I used did not decompile that part, so I used http://www.decompiler.com

    Looked at `String var38 = new String(Base64.getDecoder().decode("dXBkYXRlNGxpZmUueHl6"));`
    https://www.base64decode.org/ with the string dXBkYXRlNGxpZmUueHl6 gives update4life.xyz, which redirects to a YouTube video.

    That alone is enough to validate your reason. I'll let the support team over at Kimsufi know, with a link to this post as the solution found.

    Shame that a plugin dev has gone this route in a malicious sense.

    I appreciate your time in this. Hopefully that's the only plugin that was the issue.
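The base64-encoded hostname found in the decompiled class is the kind of indicator a server admin can hunt for across a whole plugins folder without decompiling anything. The following is an added example (not code from this thread or from any of the plugins named in it): it opens each jar, scans the raw `.class` bytes for base64 runs, decodes them, and reports only the ones that decode to a hostname or URL. The sample jar it builds is constructed for the demo; the `dXBkYXRlNGxpZmUueHl6` literal is the one quoted above, and the "class" members are stand-in byte strings mimicking constant-pool entries, not real compiled classes.

```python
import base64
import io
import re
import sys
import zipfile

# Printable runs of base64 alphabet long enough to hide a hostname or URL.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
# Hostname, optionally followed by a port and/or path (e.g. host.tld or host.tld:8080/x).
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+(:\d{1,5})?(/\S*)?$", re.I)

def decoded_strings(blob):
    """Yield (encoded, decoded) pairs for base64 runs that decode to printable ASCII."""
    for m in B64_RE.finditer(blob):
        token = m.group(0)
        if len(token) % 4:
            continue  # not a complete base64 string, skip
        try:
            plain = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if plain and all(0x20 <= b < 0x7F for b in plain):
            yield token.decode(), plain.decode()

def scan_jar(jar_bytes):
    """Return (class member, encoded literal, decoded host) for each hidden host/URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            for enc, dec in decoded_strings(jar.read(name)):
                if DOMAIN_RE.match(dec):
                    hits.append((name, enc, dec))
    return hits

def build_sample_jar():
    """Constructed demo jar; .class members are stand-ins, not real compiled classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: AutoItemReload\nmain: com.example.Loader\n")
        # Literal quoted in the thread: decodes to update4life.xyz (should be reported).
        jar.writestr("com/example/Loader.class",
                     b"\x01\x00\x14dXBkYXRlNGxpZmUueHl6\x01\x00\x10java/lang/String")
        # Benign base64 literal ("Hello World"): printable but not a host, not reported.
        jar.writestr("com/example/Util.class", b"\x01\x00\x10SGVsbG8gV29ybGQ=\x00")
    return buf.getvalue()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for member, enc, dec in scan_jar(data):
        print(f"{member}: {enc} -> {dec}")
```

Run it with a path to a real jar (`python scan.py plugins/SomePlugin.jar`) to list hidden hostnames; obfuscators and non-ASCII encodings will defeat a plain byte scan, so an empty result is not a clean bill of health.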
     
  10. if you connect to update4life.xyz with port 666 you'll get the malicious code, though you'd have to use different methods to get the actual code
     