Malware! EssentialsHeal v2.3.4 (bitcoin mining?)

Discussion in 'Spigot Plugin Help' started by abhisantos, Jul 13, 2018.

  1. FrostedSnowman

    Resource Staff

    I don't think it's coming from Yive's mirror. Are you sure you got it from there?
     
    • Agree Agree x 1
  2. Optic_Fusion1

    Resource Staff

    That's what I'm looking into.
     
  3. Optic_Fusion1

    Resource Staff

    Yea, ran Luyten's search for the URL, 59% of the way done, didn't really find anything, looked in a few places it might be, so either it's in the jar and Luyten and I haven't found it, or it's coming from a different infected jar file.

    Edit: I'd still like OP's spigot jar file, however; I'll run a search and check it in the morning.
     
  4. Is the getbukkit site safe?
     
  5. gzx

    gzx

    It's illegal, and nobody can guarantee that it's safe. BuildTools is the only reliable way to obtain Spigot or CraftBukkit.
     
    • Like Like x 1
  6. Optic_Fusion1

    Resource Staff

    #46 Optic_Fusion1, Jul 13, 2018
    Last edited: May 16, 2019
  7. Optic_Fusion1

    Resource Staff

    Well, OP just sent me the jar; there's already a noticeable change. It's probably the jar. He isn't sure if it's from the mirror website; I don't really think it is.
     
  8. That comes from a well-known miner pool. Their website is supportxmr.com.
    If you go to the Get Started page of their website you can see those lines as examples for how to set up your miner.

    I think OP's machine was taken over completely instead of just the spigot.jar.
    I think the malicious file just bound itself to that jar and/or other jars.
     
  9. FrostedSnowman

    Resource Staff

    that doesn't explain the EssentialsHeal
     
  10. Optic_Fusion1

    Resource Staff

    Looking into the jar OP provided.

    It has a 4.1MB yml file I can't open; looking into the src literally right after I post this.
     
    • Like Like x 1
  11. Optic_Fusion1

    Resource Staff

    I've decided that sharing specifics is NOT a good idea; however, software to detect and remove this threat won't be hard to create.
     
  12. Actually, after removing the malicious spigot.jar, the mining process was gone, fortunately.
     
  13. Nice, but anyway I have learned my lesson.
    I am redownloading all my network's spigot jars from BuildTools now.
     
    • Like Like x 1
  14. Optic_Fusion1

    Resource Staff

    Check your messages :3 There's something else that I need that might be useful.
     
  15. Optic_Fusion1

    Resource Staff

    Delete PluginMetrics.jar
     
  16. Optic_Fusion1

    Resource Staff

    Looks like the PluginMetrics.jar is obfuscated, already trying to deobfuscate it though :p
     
  17. Could a plugin have patched his spigot.jar to include the miner? I recently had an incident where an admin upgraded to an unofficial development version of Citizens he found somewhere. The server would crash on load with a message to contact BlackSpigot. Now, the .jar files on my network are symlinked into a folder owned by another user, and thus not writeable, and I think that's what made it crash. Unfortunately I was so focused on getting the server running (and telling my admins to be really careful about what jar files they use) that I forgot to take a copy of the file.
     
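Posts 10, 11 and 17 above describe what tipped the staff off: a multi-megabyte .yml inside a jar, a stray PluginMetrics.jar, and a spigot.jar that had been modified in place. As an added example that is not code from this thread or from any SpigotMC tool, here is a small Python script a server owner could run over a plugins folder: it hashes each jar against a stored baseline (so a replaced spigot.jar shows up as a mismatch) and lists jar entries that look out of place for a plugin (oversized non-class resources, nested jars, and "text" files that are actually binary). The size threshold, the list of extensions allowed to be large, and the sample jars it scans are constructed assumptions for the demo.

```python
"""Added example (not from the thread): baseline and scan Spigot/plugin jars
for the kinds of tampering discussed above. Two checks:
  1. sha256 of each jar against a stored baseline (catches a replaced spigot.jar)
  2. entries inside the jar that look out of place for a plugin: oversized
     non-class resources (the thread mentions a 4.1 MB .yml), nested jars,
     and text resources that are really binary blobs.
All thresholds and sample jars below are constructed for the demo."""
import hashlib
import io
import json
import zipfile
from dataclasses import dataclass

# Constructed threshold: a plugin's config/yml files are normally a few KB.
MAX_RESOURCE_BYTES = 1_000_000
# Assumed list of extensions that legitimately get large inside a plugin jar.
LARGE_OK_SUFFIXES = (".class", ".png", ".ogg", ".wav", ".ttf")
TEXT_SUFFIXES = (".yml", ".yaml", ".txt", ".properties")


@dataclass
class Finding:
    entry: str
    reason: str


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_binary(sample: bytes) -> bool:
    """True if more than 10% of the bytes are outside printable ASCII/whitespace."""
    if not sample:
        return False
    odd = sum(b < 9 or 13 < b < 32 or b > 126 for b in sample)
    return odd > len(sample) // 10


def scan_jar_bytes(data: bytes) -> list[Finding]:
    """Inspect jar entries (a jar is a zip) without executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry
                continue
            lower = name.lower()
            if lower.endswith(".jar"):
                findings.append(Finding(name, "nested jar inside plugin jar"))
            if (info.file_size > MAX_RESOURCE_BYTES
                    and not lower.endswith(LARGE_OK_SUFFIXES)):
                findings.append(Finding(name, f"oversized resource ({info.file_size} bytes)"))
            if lower.endswith(TEXT_SUFFIXES) and looks_binary(jar.read(name)[:4096]):
                findings.append(Finding(name, "text resource contains binary content"))
    return findings


def check_baseline(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Return jars whose sha256 differs from the stored baseline, or that are new."""
    problems = []
    for name, data in current.items():
        digest = sha256_bytes(data)
        if name not in baseline:
            problems.append(f"{name}: not in baseline")
        elif baseline[name] != digest:
            problems.append(f"{name}: hash mismatch")
    return problems


def build_demo_jar(extra_entries: dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal plugin jar plus whatever entries are given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("plugin.yml", "name: Demo\nmain: demo.Main\nversion: 1.0\n")
        jar.writestr("demo/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 64)
        for name, content in extra_entries.items():
            jar.writestr(name, content)
    return buf.getvalue()


CLEAN_JAR = build_demo_jar({})
# Constructed "tampered" jar: a 4 MB "yml" that is really opaque binary, plus a nested jar.
TAMPERED_JAR = build_demo_jar({
    "config.yml": bytes(range(256)) * 16384,                 # 4,194,304 bytes of binary
    "lib/PluginMetrics.jar": b"PK\x05\x06" + b"\x00" * 18,   # empty zip as a stand-in
})


def demo() -> dict:
    baseline = {"Demo.jar": sha256_bytes(CLEAN_JAR)}   # hashes recorded when the jar was trusted
    return {
        "clean": [f.reason for f in scan_jar_bytes(CLEAN_JAR)],
        "tampered": sorted(f.reason.split(" (")[0] for f in scan_jar_bytes(TAMPERED_JAR)),
        "baseline": check_baseline(baseline, {"Demo.jar": TAMPERED_JAR}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it on a real server, write the baseline (`{"spigot.jar": "<sha256>", ...}`) to a file right after building with BuildTools, and run the hash check from a cron job as a user that cannot write to the jar folder, which also gives the read-only layout described in post 17.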
  18. Optic_Fusion1

    Resource Staff

    Since this is an easy fix, I'll start working on software to detect it shortly, and as a note to self, get around to making VirtualBox use x64.
     
  19. Optic_Fusion1

    Resource Staff

    Working on the program ^.^

    Also, once again, if you end up getting a malicious plugin, send it to me in a message so I can look at it and create a fix for it (and then report the resource so it gets deleted) ^.^
     
  20. I believe it's NoClientCrash.