Malware! EssentialsHeal v2.3.4 (bitcoin mining?)

Discussion in 'Spigot Plugin Help' started by abhisantos, Jul 13, 2018.

  1. Recently i found out that there is a malware in my dedicated server that is mining bitcoins throught a plugin.
    This bitcoin mining process takes 600% of cpu resources on the machine, making it crash!
    I tried to find out what plugin is doing that, but could not find.

    This plugin "EssentialsHeal v2.3.4" is not installed, there is no such file or jar related to this plugin but when the server is starting:
    [Server thread/INFO]: [EssentialsHeal] Loading EssentialsHeal v2.3.4
    [19:04:39] [Server thread/INFO]: [EssentialsHeal] Enabling EssentialsHeal v2.3.4

    So I believe this plugin is triggering the bitcoin mining.
    I tried using plugin manager reloaded to unload the plugin but it didn't work.

    Anyone got an idea how can I find if this is the plugin causing the malware and if positive, a way to remove it?

    Server is spigot 1.8.8.

    Thanks in advance.

    Edit: I can't even find this plugin EssentialsHeal v2.3.4 around in internet anywhere!
  2. FrostedSnowman

    Resource Staff

    show your plugins. the jar is probably just renamed
  3. [​IMG]
  4. Optic_Fusion1

    Resource Staff

    Any idea on when this started? if so you would be able to narrow down the list even more
  5. Weaves

    Resource Staff

    Are any of these newly installed? Can you do a timings report of it?
    • Agree Agree x 1
  6. My best guess would be NoRain1.3.jar. It is by far the smallest plugin on that list, and is useless. You can just disable rain with /weather clear and /gamerule doWeatherCycle false.
    • Optimistic Optimistic x 1
  7. FrostedSnowman

    Resource Staff

    if you could share these with us or pm me these:

    All of the book exploits
  8. Optic_Fusion1

    Resource Staff

    sending a DL here would be useful, or at least pming me these as well, i could find time to come up with an anti-malware or anti-bitcoin miner program for future issues
  9. Weaves

    Resource Staff

    It would also be useful to see your entire startup log. Are any of these plugins from somewhere that is not Spigot?
    • Agree Agree x 1
  10. Optic_Fusion1

    Resource Staff

    You know, the longer this type of thing goes on, the more useful an anti-malware software specifically made for java becomes
    • Like Like x 1
  11. @abhisantos how do you know its Bitcoin mining?

    I'm sure your machine crashed right after you installed the plugin that is causing the trouble.
    I mean if it crashed your machine and took up 600% of resources you must have noticed it right when it started occuring.
    Or at least I assume people install plugins one by one and do testing in between instead of throwing them all in there hoping it will work.
    #11 RamonRobben, Jul 13, 2018
    Last edited: Jul 13, 2018
  12. Optic_Fusion1

    Resource Staff

    some people probably just throw a bunch of plugins together and just say fuck it
  13. Some people just like to live dangerously
  14. Optic_Fusion1

    Resource Staff

    Not an issue for me though since i personally would end up coding everything my self xD
  15. Optic_Fusion1

    Resource Staff

    Now that i think about it, i could probably do something like this, HOWEVER that requires me to actually have plugins that are malicious, PM me any plugins that are actually malicious (this goes to anyone reading this just not Weaves) and i can also look into adding a way to remove it via a anti-malware software
  16. Well I removed ALL plugins and started the server..
    WHen it starts.. guess what.. the process pops out again:


    More than that, even with no plugins in the folder, the EssentialsHeal "plugin" loads and is enabled in the log:

    [21:16:24] [Server thread/INFO]: Set PluginClassLoader as parallel capable
    [21:16:24] [Server thread/INFO]: [EssentialsHeal] Loading EssentialsHeal v2.3.4
  17. Weaves

    Resource Staff

    How did you get your spigot jar?
  18. Okay so it is actually a Monero Miner.
    Maybe you can share the start.bat file. Or tell us if you downloaded the spigot jar somewhere else because if you did. get rid of it and get a new one from the official spigot.

    Also it could be that your entire machine has been compromised. In that case do a full re-install if possible. Or contact your hosting provider.

    I'm pretty curious to what the full XMR address is because I always wondered if they make any money at all.
  19. Optic_Fusion1

    Resource Staff

    send me your spigot.jar and plugins, i can go through them, see which are compromised and then provide a fix for future issues like this, however in this case, it seems to be that your spigot jar is compromised as well
  20. BINGO! And solved.
    It was the spigot.jar that was compromised and had a malware/bitcoin miner process.
    I am not sure, but i think it was downloaded from the "yves mirror" website.

    I downloaded it from there because I don't know how to obtain the spigot 1.8.8 jar officialy or through the build tools...

    If allowed and if you guys want i can post here a link to the malware/compromised spigot.jar file.
    • Funny Funny x 1