MaxBans

390k Downloads

Malware?

lokka30 opened this issue · 9 comments

commented

(image)
Yikes.

commented

Oof, I'm guessing I've had a compromised account in Spigot:

(image)

Thanks for letting me know

commented

> Oof, I'm guessing I've had a compromised account in Spigot:
>
> (image)
>
> Thanks for letting me know

I wish Spigot were more open with the reason as to why resources were deemed 'malicious'. The alert never stated it was due to a compromised account and the severity of the malware. 😦

commented

Yeah, I saw a page on the forum over here https://www.spigotmc.org/threads/list-of-found-malware.389467/ assuming a compromised account. Though I'm getting a feeling my account wasn't compromised by the looks of it. I'm about to have a look into why the tool is picking up my plugin. Could be some Hibernate usage that's tripping it up. Could be legit. Scary.

commented

False positive. MaxBansPlus depends on Hibernate 5.3.4 which depends on Antlr, which is falsely assumed to be malware:

```text
$ java -Xmx1048m -jar MCAntiMalware.jar
[AntiMalware] [18:48:53] [WARNING]: The resource {0} cannot be found
[AntiMalware] [18:48:53] [INFO]: Using locale en
[AntiMalware] [18:48:53] [INFO]: Initializing
[AntiMalware] [18:48:53] [INFO]: Any bugs and/or false-positives should be reported here: https://github.com/OpticFusion1/MCAntiMalware/issues
[AntiMalware] [18:48:53] [INFO]: Downloading databases
[AntiMalware] [18:48:54] [INFO]: Finished downloading databases
[AntiMalware] [18:48:54] [INFO]: Registering checks
[AntiMalware] [18:48:54] [INFO]: Finished registering checks
[AntiMalware] [18:48:54] [INFO]: Setting up Auto-Updater
[AntiMalware] [18:48:54] [INFO]: Finished initializing
[AntiMalware] [18:48:57] [DETECTED]: File: plugins\maxbans-plus-2.0.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.GetRuntime Class Path: antlr/build/Tool
Remaining files to scan: 0
```

Appears to be a false positive after all, but if this is going to be an issue with Spigot, I might have to look at refactoring Hibernate out of the project.

Super appreciate letting me know though!

commented

> False positive. MaxBansPlus depends on Hibernate 5.3.4 which depends on Antlr, which is falsely assumed to be malware:
>
> ```text
> $ java -Xmx1048m -jar MCAntiMalware.jar
> [AntiMalware] [18:48:53] [WARNING]: The resource {0} cannot be found
> [AntiMalware] [18:48:53] [INFO]: Using locale en
> [AntiMalware] [18:48:53] [INFO]: Initializing
> [AntiMalware] [18:48:53] [INFO]: Any bugs and/or false-positives should be reported here: https://github.com/OpticFusion1/MCAntiMalware/issues
> [AntiMalware] [18:48:53] [INFO]: Downloading databases
> [AntiMalware] [18:48:54] [INFO]: Finished downloading databases
> [AntiMalware] [18:48:54] [INFO]: Registering checks
> [AntiMalware] [18:48:54] [INFO]: Finished registering checks
> [AntiMalware] [18:48:54] [INFO]: Setting up Auto-Updater
> [AntiMalware] [18:48:54] [INFO]: Finished initializing
> [AntiMalware] [18:48:57] [DETECTED]: File: plugins\maxbans-plus-2.0.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.GetRuntime Class Path: antlr/build/Tool
> Remaining files to scan: 0
> ```
>
> Appears to be a false positive after all, but if this is going to be an issue with Spigot, I might have to look at refactoring Hibernate out of the project.
>
> Super appreciate letting me know though!

All good, and I am very sorry that you had to deal with a false positive :)

commented

So, I've spoken with OpticFusion and md_5 and it's actually both: The plugin hosted on Spigot was replaced with malware, and the false positive exists in the authentic plugin. If your machine ran the version of the plugin downloaded from Spigot between Mar-2021 and April-2021, then it's probably been infected.

The Bukkit version hasn't been affected
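The two findings in this thread (a `GetRuntime` hit inside the bundled `antlr/build/Tool` class of the authentic jar, and a Spigot-hosted jar that had been swapped for a trojaned build) call for the same check: scan each class of the downloaded jar for `Runtime.getRuntime()` references, then classify every hit against the build you actually published. A hit on a class that is byte-identical in your own release is the known false positive; a hit on a class that is new or modified is what a swapped jar looks like. The script below is an added example, not MaxBans code and not the MCAntiMalware rule: it parses the class-file constant pool and treats a class as a hit when its Utf8 constants contain both `java/lang/Runtime` and `getRuntime`, which is my approximation of what the detection name suggests. The two jars, the stub class files (a valid constant pool with nothing after it) and the class names, including the injected `a/Injected.class`, are all constructed for the example.

```python
"""Classify Runtime.getRuntime() hits in a downloaded plugin jar against the authentic build.

Added example; the jars and class files below are constructed stubs, not real MaxBans artifacts.
"""
import hashlib
import io
import struct
import zipfile

# Byte size of every constant-pool entry body except CONSTANT_Utf8 (tag 1), which is variable-length.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return the CONSTANT_Utf8 strings from a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += _CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return out


def uses_get_runtime(class_bytes):
    """Heuristic: the class names both java/lang/Runtime and getRuntime in its pool."""
    consts = set(utf8_constants(class_bytes))
    return "java/lang/Runtime" in consts and "getRuntime" in consts


def _classes(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                yield info.filename, zf.read(info.filename)


def audit(authentic_jar, downloaded_jar):
    """Bucket every getRuntime hit in downloaded_jar by how it relates to authentic_jar."""
    authentic = {name: hashlib.sha256(data).hexdigest() for name, data in _classes(authentic_jar)}
    report = {"new": [], "modified": [], "same_as_authentic": []}
    for name, data in _classes(downloaded_jar):
        if not uses_get_runtime(data):
            continue
        if name not in authentic:
            report["new"].append(name)                 # class the real build never shipped
        elif authentic[name] != hashlib.sha256(data).hexdigest():
            report["modified"].append(name)            # same path, different bytecode
        else:
            report["same_as_authentic"].append(name)   # the known false positive
    return report


# --- constructed sample data ---------------------------------------------------------------

def _stub_class(*consts):
    """Minimal class-file prefix: magic, version 52.0, and a pool of Utf8 entries only."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(c)) + c.encode() for c in consts)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(consts) + 1) + pool


def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Stand-in for the build published on GitHub: plugin main class plus the shaded Antlr tool class.
AUTHENTIC_JAR = _jar({
    "org/example/PluginMain.class": _stub_class("org/bukkit/plugin/java/JavaPlugin", "onEnable"),
    "antlr/build/Tool.class": _stub_class("java/lang/Runtime", "getRuntime", "exec"),
})

# Stand-in for a swapped marketplace jar: the same classes plus one injected class (hypothetical name).
TROJANED_JAR = _jar({
    "org/example/PluginMain.class": _stub_class("org/bukkit/plugin/java/JavaPlugin", "onEnable"),
    "antlr/build/Tool.class": _stub_class("java/lang/Runtime", "getRuntime", "exec"),
    "a/Injected.class": _stub_class("java/lang/Runtime", "getRuntime", "exec", "java/lang/Thread"),
})

if __name__ == "__main__":
    print("authentic vs itself:", audit(AUTHENTIC_JAR, AUTHENTIC_JAR))
    print("authentic vs downloaded:", audit(AUTHENTIC_JAR, TROJANED_JAR))
```

In practice you would pass the bytes of your own release artifact and the bytes of the jar fetched from the marketplace. An empty `new` and `modified` list with `antlr/build/Tool.class` under `same_as_authentic` reproduces the false positive in this thread; anything in `new` or `modified` is a reason to treat the download as compromised rather than argue with the scanner.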

commented

> So, I've spoken with OpticFusion and md_5 and it's actually both: The plugin hosted on Spigot was replaced with malware, and the false positive exists in the authentic plugin. If your machine ran the version of the plugin downloaded from Spigot between Mar-2021 and April-2021, then it's probably been infected.
>
> The Bukkit version hasn't been affected

Thanks for the info.

Is there anything known as to the strength of the malware?

commented

https://www.spigotmc.org/threads/be-careful-compromised-spigot-accounts-might-be-posting-plugin-updates-with-malware.496738/page-2#post-4122390 this details what the malware is known to do, but there could absolutely be other side effects. I have a feeling most of the damage will be done if the user running the server is root, but there's a very real chance that other attacks were made other than just trying to create a back door

Removal tips here if you've used the malware version: https://www.spigotmc.org/threads/be-careful-compromised-spigot-accounts-might-be-posting-plugin-updates-with-malware.496738/#post-4119279

commented

Thanks :) Was running a test server on Windows so seems like I will be fine.