[Report] PAID Resource with backdoor

Discussion in 'Community Feedback and Suggestions' started by su1414, Feb 4, 2019.

Thread Status:
Not open for further replies.
  1. Hello. I have no idea where I should post this, so I'm posting it here.

    I was checking recently updated resources and found a plugin called SkySneak (https://www.spigotmc.org/resources/skysneak.64598/). Just some simple plugin for sneaking instead of using bone meal. But it weighed 150KB so I decided to decompile it and see why. And it was just a big obfuscated code. All strings were made in a very strange way (https://pastebin.com/iaCydMz2), like he wanted to hide some text. I decided to check and run some of these on my computer and... well... it's a backdoor. When you type rf34f478249Hj827 in chat you get an item named "cOP" and then when you click it in your inventory it hides command output and gives you op. The plugin also sends an HTTP request to his server, so he can know where he can get a free OP.

    I'm writing about this here, instead of just reporting the resource, to make sure someone from the administration will find it and ban him. The plugin's author has a paid resource and its Lite version is also obfuscated, but also much bigger, so I can't check it for backdoors.

    Also, sorry for my bad English, I'm not a native speaker.

    UPDATE: His premium resource also has this backdoor. Just checked it. Install the LITE version (https://www.spigotmc.org/resources/now-free-minator-clever-ai-1-7-1-13.50034/) and type "rf34f478249Hj827" in chat.
     
    #1 su1414, Feb 4, 2019
    Last edited: Feb 4, 2019
  2. md_5

    Administrator Developer

    Use the report button...
     
  3. I did, but there is no confirmation whether I reported it correctly, and it's also taking some time, while people are downloading the plugin and their servers might be destroyed.
     
  4. UPDATE: His premium resource also has this backdoor. Just checked it. Install the LITE version and type "rf34f478249Hj827" in chat.
     
  5. I can confirm this.
    The scariest part now is that IF his resources get removed, there are still plenty of downloads out there being used on servers.

    I typed that phrase into chat, a GUI pops up with a golden apple that says "OP"
    when clicking it, this prints in console
    Code (Text):
    [15:09:33 INFO]: Gamerule sendCommandFeedback is now set to: false
    [15:09:33 INFO]: Nothing changed. The player already is an operator
    [15:09:33 INFO]: Gamerule sendCommandFeedback is now set to: true
    right after that the server reloads a few times
     
    • Winner x 1
    • Friendly x 1
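
The console pattern shown in post #5 (command feedback switched off, an op result, feedback switched back on, all in the same second) can be searched for in server logs. The following is an added example, not part of the thread or any poster's code; the function name, the two-second window and the "Made ... a server operator" line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample console log; the three 15:09:33 lines mirror post #5.
SAMPLE_LOG = """\
[15:02:10 INFO]: Steve joined the game
[15:09:33 INFO]: Gamerule sendCommandFeedback is now set to: false
[15:09:33 INFO]: Nothing changed. The player already is an operator
[15:09:33 INFO]: Gamerule sendCommandFeedback is now set to: true
[15:20:00 INFO]: Gamerule sendCommandFeedback is now set to: false
[15:31:45 INFO]: Gamerule sendCommandFeedback is now set to: true
"""

LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}) INFO\]: (.*)$")
FEEDBACK_RE = re.compile(r"^Gamerule sendCommandFeedback is now set to: (true|false)$")
# "already is an operator" is from the post; "Made ... a server operator" is
# assumed to be what the console prints when the op command actually succeeds.
OP_RE = re.compile(r"already is an operator|^Made .+ a server operator")


def find_hidden_op(log_text, window=timedelta(seconds=2)):
    """Return (start, end) times where an op result sits between a
    sendCommandFeedback false->true toggle completed within `window`."""
    hits = []
    off_at = None    # time feedback was last switched off
    op_seen = False  # op result seen since feedback was switched off
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        msg = m.group(2)
        fb = FEEDBACK_RE.match(msg)
        if fb and fb.group(1) == "false":
            off_at, op_seen = ts, False
        elif fb:  # feedback switched back on
            if off_at is not None and op_seen and ts - off_at <= window:
                hits.append((off_at.strftime("%H:%M:%S"), m.group(1)))
            off_at, op_seen = None, False
        elif off_at is not None and OP_RE.search(msg):
            op_seen = True
    return hits


if __name__ == "__main__":
    for start, end in find_hidden_op(SAMPLE_LOG):
        print(f"suppressed op command between {start} and {end}")
```

A slow toggle with no op result in between, like the constructed 15:20 to 15:31 pair, is not flagged.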
  6. He deserves a ban, in my opinion.

    EDIT: Administrators have written the post. Why isn't he already banned? :unsure:
     
    • Like x 4
    • Agree x 1
  7. I agree 100% .... I just checked the "lite" version of that other plugin, same thing!
    I'm assuming the paid resource has the same thing as well
     
  8. Looks like I have something else to add to my anti-malware software :p
     
    • Like x 3
  9. I don't know what's worse, this poor attempt at obfuscation, or head databases attempt at hiding the url they use to download the database *shrug*
     
    • Like x 1
  10. That's sad md_5 already knows about it, multiple people reported it and people can still download/buy the plugins and get their servers destroyed. I hope the administration will at least somehow warn everyone who bought/downloaded the plugin about what can happen to their server.
     
    • Like x 1
  11. He had a resource called "SkySneak" which I found to contain a backdoor yesterday. It did get removed thankfully but he's been allowed to re-upload it. Makes no sense but that's how the current system is sadly. I personally don't see why he isn't banned though. Stuff like this destroys servers and just ruins and makes the community look bad.
     
    • Like x 1
  12. He was just banned ;)
     
    • Friendly x 1
  13. Awesome. His other plugins are still public though. I'd suppose they'd be taken down though.
     
  14. We did it! But I guess there are still people using those plugins :/
     
  15. Recently spigot added a thing to notify anyone who downloaded a plugin, that it was removed, and why.

    EX:
    Screen Shot 2019-02-04 at 4.24.18 pm.png

    This is really the best they can do. If someone has downloaded it, hopefully they log in and see this message so they can remove the plugin.
     
  16. This was already a discussion when minator was released originally.
    Give them some time to go through it all :)

    Yeah, that surprised me too.

    Welp, it should be solved now. Onwards to the next dodgy one.


    For those interested in reviewing their resources:
    https://www.spigotmc.org/threads/maliciouscodefinder.315808/
     
    • Funny x 1
  17. I downloaded that plugin and didn't get a notification. Did I do something wrong?
     
  18. I have a feeling the system isn't perfect, I feel like it's 50/50 for me.... maybe it's a timing thing?!?! I have no idea.
     
  19. I think all people who REPORTED it, not downloaded, get a notification.
     
  20. You are supposed to get it even if you didn't report it.
    It was something md_5 added so people were notified of plugins they are using being deleted due to something bad.... i.e. force op
     