Discussion in 'Spigot Plugin Help' started by abhisantos, Jul 13, 2018.
I don't think it's coming from Yive's mirror. Are you sure you got it from there?
That's what I'm looking into.
Yeah, ran Luyten's search for the URL, 59% of the way done, didn't really find anything. Looked in a few places it might be, so either it's in the jar and Luyten and I haven't found it, or it's coming from a different infected jar file.
Edit: I'd still like OP's spigot jar file, however; I'll run a search and check it in the morning.
Is the getbukkit site safe?
It's illegal, and nobody can guarantee that it's safe. BuildTools is the only reliable way to obtain Spigot or CraftBukkit.
*sigh* Just use the official BuildTools, or use https://www.spigotmc.org/resources/minecraft-server-builder.55605/ since that's easier-ish and uses BuildTools, so you can be sure that there is no virus.
Well, OP just sent me the jar, and there's already a noticeable change. It's probably the jar; he isn't sure if it's from the mirror website, and I don't really think it is.
That comes from a well-known miner pool. Their website is supportxmr.com.
If you go to the Get Started page of their website, you can see those lines as examples of how to set up your miner.
I think OP's machine was taken over completely instead of the spigot.jar.
I think the malicious file just bound itself to that jar and/or other jars.
that doesn't explain the EssentialsHeal
looking into the jar OP provided
Has a 4.1MB yml file I can't open; looking into the src literally right after I post this.
I've decided that sharing specifics is NOT a good idea; however, software to detect and remove this threat won't be hard to create.
Actually after removing the malicious spigot.jar, the mining process was gone, fortunately.
Nice, but anyway I have learned my lesson.
I am redownloading all my network's spigot jars from BuildTools now.
Check your messages :3 There's something else that I need that might be useful.
Looks like the PluginMetrics.jar is obfuscated, already trying to deobfuscate it though
Could a plugin have patched his spigot.jar to include the miner? I recently had an incident where an admin upgraded to an unofficial development version of Citizens he found somewhere. The server would crash on load with a message to contact BlackSpigot. Now, the .jar files on my network are symlinked into a folder owned by another user, and thus not writeable, and I think that's what made it crash. Unfortunately I was so focused on getting the server running (and telling my admins to be really careful about what jar files they use) that I forgot to take a copy of the file.
Since this is an easy fix, I'll start working on software to detect it shortly and, as a note to self, get around to making VirtualBox use x64.
Working on the program ^.^
Also, once again, if you end up getting a malicious plugin, send it to me in a message so I can look at it and create a fix for it (and then report the resource so it gets deleted) ^.^
I believe it's NoClientCrash.
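The two checks described in this thread (searching a jar for the pool hostname, and noticing an oversized non-class resource such as the 4.1MB yml) can be run over every jar on a server. The following is an added example, not code from any thread participant; the function names, the 1 MiB threshold, the read cap and the sample jar are assumptions made for illustration.

```python
import io
import zipfile

# Assumptions: marker list and thresholds are illustrative. supportxmr.com is
# the pool hostname named in the thread; markers must be lowercase bytes.
MARKERS = (b"supportxmr.com",)
MAX_RESOURCE_BYTES = 1024 * 1024       # flag non-class entries above 1 MiB
MAX_READ_BYTES = 64 * 1024 * 1024      # do not load entries larger than this


def scan_jar(data, origin="<jar>", depth=0):
    """Return sorted (entry_path, reason) findings for one jar given as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(origin, "not a readable zip/jar")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{origin}!/{info.filename}"
            name = info.filename.lower()
            if not name.endswith(".class") and info.file_size > MAX_RESOURCE_BYTES:
                findings.append((path, f"large resource ({info.file_size} bytes)"))
            if info.file_size > MAX_READ_BYTES:
                findings.append((path, "skipped: too large to read"))
                continue
            # Search the decompressed bytes; a plain grep on the jar misses them.
            lowered = archive.read(info).lower()
            findings.extend((path, f"contains {m.decode()}") for m in MARKERS if m in lowered)
            # Jars bundled inside jars are scanned too, to a fixed depth.
            if name.endswith((".jar", ".zip")) and depth < 3:
                findings.extend(scan_jar(archive.read(info), path, depth + 1))
    return sorted(findings)


def build_sample_jar():
    """Constructed sample: a padded yml plus a nested jar holding the hostname."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("config.txt", "pool-host: supportxmr.com\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("plugin.yml", "name: Example\n")
        z.writestr("data.yml", b"\0" * (2 * 1024 * 1024))
        z.writestr("lib/helper.jar", inner.getvalue())
    return outer.getvalue()
```

A hit is a reason to inspect the jar, not proof of infection, and a clean result does not cover obfuscated or encrypted strings; rebuilding from BuildTools remains the fix.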