Plugins safe?

Discussion in 'Spigot Discussion' started by Kalinox, Jul 5, 2018.

  1. Are all plugins on here safe?
  2. no guarantee, but safer than bukkit
  3. No guarantee that all free plugins are safe.
    But I'm pretty sure premium plugins get checked.

    Try to scan the plugin using VirusTotal
  4. BGHDDevelopment


    I would recommended decompling all plugins you download looking for code that is not allowed. Premium resources are only checked on first release so do it there as well.
  5. 9/10 Its safe, If the plugin is popular thats more likely, If you are downloading a less popular plugin I'd check reviews (Do it even if it's popular to be safe)
    If you are a developer as the guy above said you can always look over it, But there is no way to check every free resource, I think someone made a tool that looks for malicious code but not sure how well it works
  6. ScarabCoder

    Resource Staff

    Resources with any kind of malicious code don't tend to stick around for very long due to the fact that they get reported and removed. If you're downloading a popular plugin with several hundred downloads for the latest version you should be good.
    • Agree Agree x 1
  7. Thats why my report i made on a person who uploaded a empty skript and tried to advertise his altshop got denied?...........
  8. Premium plugins are certainly safe because they get checked by administrators.
  9. 2008Choco

    Junior Mod

    Ehhh that's not necessarily true. Yes, Resource Staff check premium resources, but only on initial upload. Someone could very well publish a resource, have it approved and later write in some malicious code without us knowing. Until someone reports it, we'd be unaware. It would be impossible to check every single update published by an author. Always nice to be cautious of everything you download.
    • Useful Useful x 1
  10. And keep in mind that the plugins that upload in this case the "Pemiums", can have malware one never knows .... but if they are safe and for that they are the Staff of Resources.
  11. ScarabCoder

    Resource Staff

    Was it deleted? It's possible the wrong button was clicked. Anyway, afaik empty resources aren't against the rules. Sometimes we'll just contact the author, it's easy to accidentally upload the wrong file.
  12. Be especially careful about new plugins with not a lot of downloads. I post mine with the source code, but even then unfortunately I don't see a way to make sure the .Jar you download is built from the posted code without decompiling the jar yourself... I doubt spigot decompiles every (if any??) of the jars they host. Would be neat if they had a service where devs could post their code and the jar would be built by Spigot, that way they could ensure the "source code" was actually the source.

    So no... Plugins really are not safe imo and can access files on your server. Unfortunately it is really not even safe to rely on plugins with a few hundred downloads since good malware is very difficult to detect and there is no guarantee anyone is even really looking :(

    Most are probably fine, but no doubt there some bad ones out there. We are certainly an easy target... jars/exe files are super dangerous and people throw em around like candy around here. The best way to go about using them is to use the source code and build the jar yourself, or only use plugins from developers you trust.
    #12 FakeSaint, Jul 12, 2018
    Last edited: Jul 12, 2018
  13. The title was like "NFA Alts (selly link) 0.01$" and on the pay it said the selly link. Yes it got removed. But my report didnt pass through. Pretty sure i archived the page.
  14. The forums isn't as safe as it should be. See my signature for a suggestion that's still in progress. Any major resource here (with plenty of downloads & reviews) should be fine. Smaller ones are more likely to be unsafe. Also note that plenty of malicious resources simply have boosted reviews, so don't blindly give or take on the reviews. If the resource submit time in combination with the amount of downloads and reviews looks unrealistic, you may want to download it, compile it and report it if anything weird shows up.
  15. A good way would also be setting up IPtables or some firewall to intercept outgoing connections through ports that you don’t want open. It could stop reverse shells (people accessing your console from their home computer)

    What this won’t stop is accessing your console from in game. There’s no known plugin to counter that yet, you just need to be careful for now. What you could do is decompile every plugin you see, and search for:

    bin/sh (forgot this exact one)
    Any IPs
    (Or anything else you know is malicious in nature)

    Additionally, you could put the jar through VirusTotal, though stuff like setting op and executing server commands through backdoor a won’t be detected. It’s also frankly very easy to manually hide code from fast searches for any novice developer (like with Reflection).

    However, it’s quite rare. I myself have never encountered one. I doubt you’d see one unless you frequently run and use different newly uploaded plugins. If not, if a plugin has at least a thousand unique downloads and positive reviews, I’d say it’s pretty safe.
  16. thats Trash, if the Plugin contains Force op.. its not detected
  17. There are A LOT more free plugins that get added than premium ones, resource staff can't check every. single. free plugin out there for malicious code, it's free, decompile it and look for your self or ask someone else to
  18. i mean its not the best idea to trust virustotal with spigot Plugins
  19. Decompile means get a decompiler like luyten...turn the plugin into source code using the decompiler then going through said source code looking for malicious code..of course an anti-virus is useless..
  20. ik what a Decompiler is haha i just wanted to tell him that its useless to use an antivirus for plugins...

Share This Page