Info: Virus loader in July 28th version of the plugin.
PhoenixIV opened this issue · 5 comments
Dear MarioFinale,
your plugin is officially open source, but that does not mean the file on Spigot consists of the files seen here in public.
Who uploaded the file to Spigot?
Hi Phoenix, yes, effectively. On July 28 my Spigot account was hijacked (my password was in a DB leak and I hadn't enabled 2FA on Spigot) and a malicious plugin was uploaded.
My GitHub account is way more secure so that shouldn't be a problem.
You can always open the project code with IntelliJ IDEA, compile it with OpenJDK 16.0.1 and check whether the version that I upload is the same as the code. The binary uploaded here isn't obfuscated either, so decompiling it and checking that it is what I say it is shouldn't be too hard.
I added a warning on the Spigot project page and I'm uploading a new version that will also warn users about the compromised plugin.
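The check suggested above (build the jar from the public source and compare it with the downloaded one) is easier to do per entry than by hashing the whole file, because a rebuild rarely reproduces byte-identical archives (timestamps, manifest order). The following is an added example, not code from this project or this thread: it hashes every entry of two jars and reports classes that only exist in the published copy, that only exist in the local build, or whose bytes differ. The two jars are constructed in memory with placeholder entry names; a real run would read the two `.jar` files from disk. Even per-entry class bytes can legitimately differ between javac versions, so a "modified" hit on a known class means "decompile and read it", not "confirmed malicious"; an entry that exists only in the published jar is the stronger signal.

```python
import hashlib
import io
import zipfile


def _entry_hashes(jar_bytes):
    """Map each file entry in a jar (a zip archive) to the SHA-256 of its contents."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_jars(published, built):
    """Compare a downloaded jar against one compiled from the public source.

    Returns entry names present only in the published jar (e.g. an injected
    loader class), names present only in the local build, and names whose
    bytes differ between the two."""
    p, b = _entry_hashes(published), _entry_hashes(built)
    return {
        "only_in_published": sorted(set(p) - set(b)),
        "only_in_built": sorted(set(b) - set(p)),
        "modified": sorted(n for n in set(p) & set(b) if p[n] != b[n]),
    }


def _make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (not real plugin classes): a local build, and a
# "published" copy with one extra class and one altered class.
BUILT_JAR = _make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "plugin.yml": b"name: ExamplePlugin\nmain: example.Main\n",
    "example/Main.class": b"\xca\xfe\xba\xbe original main",
})
PUBLISHED_JAR = _make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "plugin.yml": b"name: ExamplePlugin\nmain: example.Main\n",
    "example/Main.class": b"\xca\xfe\xba\xbe patched main",
    "example/Loader.class": b"\xca\xfe\xba\xbe injected",
})

if __name__ == "__main__":
    # Real usage: diff_jars(open("downloaded.jar", "rb").read(), open("target/built.jar", "rb").read())
    for key, names in diff_jars(PUBLISHED_JAR, BUILT_JAR).items():
        print(f"{key}: {names}")
```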
Good to hear you got in touch with the Spigot team. Did they have any information on who/where from your account was used? Were you able to show you were subject to a leak?
Still trying to figure out if you were involved in this.
The owners of the Amazon control server are currently under (legal) investigation.
You may want to publish further advice on your Spigot page: it is of little help to only remove the plugin file. The virus itself still remains active on the system. A friend of mine and I only observed one variant of malicious file: a coin miner. To remove it, people have to check .config in their MC server folder on Linux. There is a shell script running, and the program itself is located at /.config/mysqlda/mysqlda. Under Windows the virus is at \Roaming\www\mysqldb.exe.
I cannot confirm there might not be other malicious files; there may be other variants that were automatically downloaded. But users should keep an eye out on this.
They can use clamav / tmux on Linux and Malwarebytes on Windows to clean their system.
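The cleanup advice above comes down to two checks: the dropped files at the paths reported in this thread, and the miner process that keeps running after the jar is deleted. The script below is an added example written for this thread, not something posted by its participants: `find_indicators` walks a directory tree (server folder, home directory or AppData) for the two reported path suffixes, and `suspicious_processes` scans Linux `/proc` for command lines mentioning the miner's binary name. `demo` builds a constructed temporary tree containing both paths plus a benign decoy so the scan can be exercised offline. The path list is only what this thread reports; the reporter notes there may be other variants, so an empty result is not a clean bill of health.

```python
import os
import tempfile
from pathlib import Path

# Path suffixes reported in this thread for the dropped miner. They are matched
# case-insensitively against the tail of each file path, so the scan works
# whether it starts at the server folder, the home directory or an AppData tree.
INDICATOR_SUFFIXES = (
    ("linux", Path(".config") / "mysqlda" / "mysqlda"),
    ("windows", Path("Roaming") / "www" / "mysqldb.exe"),
)


def find_indicators(root):
    """Walk `root` and return (label, absolute path) for every file whose path
    ends with one of the reported indicator suffixes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            parts_lower = tuple(p.lower() for p in full.parts)
            for label, suffix in INDICATOR_SUFFIXES:
                suf = tuple(p.lower() for p in suffix.parts)
                if parts_lower[-len(suf):] == suf:
                    hits.append((label, str(full)))
    return hits


def suspicious_processes(proc_root="/proc"):
    """On Linux, list (pid, cmdline) for processes whose command line mentions
    the miner's binary name. Deleting the plugin jar does not stop an already
    running miner, so this is the second half of the cleanup check.
    Returns [] where /proc is unavailable (e.g. on Windows)."""
    found = []
    proc = Path(proc_root)
    if not proc.is_dir():
        return found
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmdline = (entry / "cmdline").read_bytes().replace(b"\0", b" ")
        except OSError:
            continue  # process exited or is not readable by this user
        if b"mysqlda" in cmdline.lower():
            found.append((int(entry.name), cmdline.decode(errors="replace").strip()))
    return found


def demo():
    """Build a constructed temporary tree with the two reported paths and a
    benign decoy, scan it, and return the sorted indicator labels found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (Path(".config/mysqlda/mysqlda"),
                    Path("AppData/Roaming/www/mysqldb.exe"),
                    Path("plugins/ExamplePlugin.jar")):  # decoy, must not match
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample, not a real binary")
        return sorted(label for label, _ in find_indicators(root))


if __name__ == "__main__":
    print("constructed tree:", demo())
    # Real usage: find_indicators(Path.home()) and find_indicators("/path/to/server")
    print("running miner candidates:", suspicious_processes())
```

A positive hit from either function is the point at which to stop the process, remove the files and the shell script that relaunches them, and then run the scanners the thread mentions; the script itself only reports, it does not delete anything.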