Security Report: InfiniteDispenser - NanoGuard Anticheat

Discussion in 'Server & Community Management' started by Corin, Sep 13, 2013.

Thread Status:
Not open for further replies.
  1. This is a full security report for the incident that occurred on DBO (dev.bukkit.org) where two malicious plugins made it onto Curse servers for the public to download.

    This report is for *nix systems and Macs primarily in terms of removal and such; however, the report is valid for all systems.

    Description

    The plugins in question did their job on the outside, but they downloaded a second jar called "pluginupdate.jar"; this was the malicious jar in question, and it has since been pulled from their site where it was hosted.

    This jar contained an IRC bot which created an IRC botnet on EsperNet, and various other tools such as a bitcoin miner, attack methods (SYN, UDP and HTTP), the Minecraft slowloris attack method that was used against other servers in early August, and remote code and shell execution.

    These attacks could be controlled and executed via a channel/PM on EsperNet while allowing the creator to update, get system info, execute shell commands, allow remote downloads, op themselves on your server, get the IP address, see your uptime, mine bitcoins and more.

    The apparent project name for this was the "bukkitboatnet" or "the boatnet".

    Detection

    While apparently the botnet has been destroyed and taken down, if you indeed did have these plugins on your system, the odds are you're likely still in quite serious danger, seeing as once the malicious jar made it onto your system it allowed for shell execution, so rooting it from there wouldn't have been too hard, or they could have even added an SSH keychain to your system allowing them to log in from applications such as PuTTY.

    Running these commands should be enough to find out if you are indeed infected/a drone.
    This will need to be run as root.
    updatedb
    locate -i pluginupdate.jar
    locate -i NanoGuard
    locate -i InfiniteDispenser
    locate -i dhsh.sh

    If any of those indeed do return results, you are more than likely infected.

    Removal

    While removing the jars can "stop" the threat of being part of the IRC botnet, it's not much use if they indeed have compromised your system.

    For the "easy" but less secure method, follow this:
    1. Stop all of your Minecraft servers, do not start them up until you have finished this.
    2. Take a note of all your plugins you use.
    3. Remove ALL jars in your Minecraft directory, do not leave any. (That means the spigot/bukkit jar too and any libs.) Doing this will prevent the odd case that it might have hijacked another plugin.
    4. Navigate to the home directory of your Minecraft servers and find the folder called .ssh; inside it may or may not be SSH keys. If you yourself do use SSH keys, the quickest method is to quickly snatch your public key and rm -rf the .ssh folder itself, then replace it with a new one and put your public key back in.
    5. Redownload your plugin/server software's jars and check your ops.txt and permissions for the odd chance that they did in fact get ranks/op.
    6. Check /etc/passwd for any new accounts (it'll likely be at the bottom of the file).
    7. Reboot the system to remove any rogue processes.
    8. If all seems good from a common sense point of view, start it back up and you should be safe.
    Note that this guide is NOT the safest method and is not guaranteed to cure you; however, it can keep you mildly safe.

    For the "hard" but failsafe method, follow this:
    1. Stop all of your Minecraft servers, do not start them up until you have finished this.
    2. Back your server files up to a remote location
    3. Reinstall your distribution of choice.
    4. While it is reinstalling, go through your operating system following steps 2-5 of the method above.
    5. Reinstall it all as you would and relax knowing you're 99% clean of it.
    ~ Corin
     
    #1 Corin, Sep 13, 2013
    Last edited: Sep 14, 2013
  2. libraryaddict

    Patron

    Instructions too hard.

    I'm too lazy.

    Cba.

    Can you give me a plugin or a script I can just copy/paste in?
     
  3. SuperSpyTX

    Supporter

    I'd love to see these samples of these projects.

    If anyone has a copy of InfiniteDispensers including the malicious JAR, I would like a copy to analyze it, I would not use it for anything else.
     
  4. pls make libsMaliciousCodeRemover.jar thx
     
  5. libraryaddict

    Patron

    ILL BAN U!!!
    REMOVE UR POST WHERE YOU TALK ABOUT MY CODE
    ITS HIDDEN AND NO ONE IS MEANT TO KNOW

    REMOVE THE POST OR I BAN! @@@ I BAN U!!!

    I TELL MD_5 AND HE WILL BAN U!!!

    IM FRIENDS WITH THE OWNER!!!
     
  6. joehot200

    Supporter

    InfiniteDispenser? This doesn't include InfinityDispenser? That's what I've been using on my server.
     
  7. This plugin is not affected.
     
  8. jtaylor69

    Retired Moderator

    Great write up Corin!
    Surprised there's no expletives too :p
     
  9. GunfighterJ

    Retired IRC Staff

    Should note, as I was looking through this with Corin at the same time:

    dhsh.sh may not be on your system, as it was removed during the process of being executed, thus leaving behind the process from whatever was in dhsh.sh.

    Easiest way to get rid of this is to simply restart the box the server was running on.

    Also, locate and updatedb are part of the package called locate.
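An added example, not Corin's or GunfighterJ's own commands: a POSIX sh sweep for the indicators named in the report that does not depend on locate/updatedb, plus the process-list check GunfighterJ describes above (dhsh.sh may be gone while its process lives) and a comparison of authorized_keys against keys you know are yours (removal step 4). The function names, the directory roots and the constructed sample data are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not Corin's or GunfighterJ's own commands): an indicator sweep
# for this incident that does not need locate/updatedb. Run as root and pass
# the Minecraft server roots and home directories as arguments (assumed layout).

# File-name indicators named in the report, matched case-insensitively.
INDICATORS="pluginupdate.jar NanoGuard InfiniteDispenser dhsh.sh"

# Print every path under the given roots whose name contains an indicator.
# Exit status 0 means clean, 1 means something matched.
find_indicator_files() {
    hits=0
    for root in "$@"; do
        for name in $INDICATORS; do
            found=$(find "$root" -iname "*${name}*" 2>/dev/null)
            if [ -n "$found" ]; then
                printf '%s\n' "$found"
                hits=1
            fi
        done
    done
    return "$hits"
}

# dhsh.sh deleted itself after launching, so the file may be gone while its
# process lives on. Feed this a `ps -eo pid,user,args` listing on stdin; it
# prints lines naming an indicator and returns 1 if any were found.
find_indicator_procs() {
    pattern=$(printf '%s' "$INDICATORS" | sed 's/\./\\./g; s/ /|/g')
    ! grep -iE "$pattern"
}

# Removal step 4: list authorized_keys entries you did not put there.
# $1 = authorized_keys to inspect, $2 = file of keys you know are yours.
# Returns 1 if any unknown key is present, 0 if the file is clean or absent.
find_unknown_keys() {
    [ -f "$1" ] || return 0
    unknown=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vxF -f "$2" || true)
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# Typical run (paths are assumptions; adjust to your layout):
# find_indicator_files /home/minecraft /opt/minecraft
# ps -eo pid,user,args | find_indicator_procs
# find_unknown_keys /home/minecraft/.ssh/authorized_keys /root/my_known_keys
```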
     
  10. joehot200

    Supporter

    wut?
     
  11. locate/updatedb are installed by default on all systems.

    Just means rebooting will clean up any crap left still running.
     
  12. +1

    Glad about this, cause I was just looking into installing one of those plugins....
     
  13. PhanaticD

    Patron

    which versions of infinitedispenser were infected?
     
  14. All probably.
     
    #14 Corin, Sep 14, 2013
    Last edited: Sep 14, 2013
  15. PhanaticD

    Patron

    Hmm, well I used to have a really old version and I couldn't find any new authorized keys or accounts.
     
  16. GunfighterJ

    Retired IRC Staff


    There are two "InfiniteDispensers" out there that go by that name: the malicious one, which is the point of this topic, and one that was made by YouTuber Sethbling over a year ago for one of his minigames. Sethbling's version is safe and it was never on dev.bukkit.org. If you are using that version you are safe; however, this malicious plugin was on dev.bukkit.org, and if you happened to use it, it's safe to assume that no version of it was ever safe.
     
  17. Yeah, because anyone in their right mind would give you a botnet...
     
  18. SuperSpyTX

    Supporter


    >Implying you knew I wasn't going to be doing binary analysis.

    EDIT: I already have it now. So too late.
     
    #18 SuperSpyTX, Sep 15, 2013
    Last edited: Sep 15, 2013
  19. SuperSpyTX

    Supporter

    Alright sorry but

    in one of the classes, this exists:
    private static final boolean ARE_WE_HIDING_FROM_THE_FBI = true;

    Seriously?

    Don't believe me?
     
    #19 SuperSpyTX, Sep 15, 2013
    Last edited: Sep 15, 2013
  20. Except Arch.
     