Villager Saver


Info: Virus loader in July 28th version of the plugin.

PhoenixIV opened this issue · 5 comments

commented

Dear MarioFinale,

your plugin is officially open source, but that does not mean the file on Spigot consists of the files seen here in public.

Who uploaded the file to Spigot?

commented

I need to help

commented

Hi Phoenix, yes effectively. On July 28 my Spigot account was hijacked (my password was in a DB leak and I hadn't enabled 2FA on Spigot) and a malicious plugin was uploaded.
My GitHub account is way more secure so that shouldn't be a problem.

You can always open the project code with IntelliJ Idea and compile it with OpenJDK16.0.1 and check if the version that I upload is the same on the code. The binary uploaded here isn't obfuscated either so de-compiling it and checking if it is what I said it is shouldn't be too hard.

I added a warning on the Spigot project page and I'm uploading a new version that will also warn users about the compromised plugin.

commented

Good to hear you got in touch with the Spigot team. Did they have any information on who/where from your account was used? Were you able to show you were subject to a leak?

Still trying to figure out if you were involved in this.

The owners of the Amazon control server are currently under (legal) investigation.

commented

You may want to publish further advice on your Spigot page: it is of little help to only remove the plugin file. The virus itself still remains active on the system. A friend of mine and I only observed one variant of malicious file: a coin miner. To remove it, people have to check .config in their MC server folder on Linux. There is a shell script running and the program itself is located at /.config/mysqlda/mysqlda. Under Windows the virus is at \Roaming\www\mysqldb.exe.

I cannot confirm that there are no other malicious files; there may be other variants that were automatically downloaded. But users should keep an eye out for this.

They can use clamav / tmux on Linux and Malwarebytes on Windows to clean their system.
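As an added illustration of the clean-up advice in the comment above (this script is not part of the thread or of the Villager Saver project), the following POSIX shell function checks a Minecraft server directory for the Linux-side indicators named there: the `.config/mysqlda` directory, the `mysqlda` binary inside it, and any shell script dropped under `.config`. The server directory path is a parameter; the Windows location (`\Roaming\www\mysqldb.exe`) is only noted in a comment because this script does not run there.

```shell
#!/bin/sh
# Added example, not from the issue thread: look for the Linux indicators
# described in the comment above in a given Minecraft server directory.
# Windows users would instead look for %APPDATA%\Roaming\www\mysqldb.exe.

# check_miner_indicators <server_dir>
# Prints each indicator found on stderr and the total count on stdout.
check_miner_indicators() {
    server_dir="$1"
    hits=0

    # The dropper creates .config/mysqlda and places the miner binary inside it.
    if [ -d "$server_dir/.config/mysqlda" ]; then
        echo "FOUND directory: $server_dir/.config/mysqlda" >&2
        hits=$((hits + 1))
    fi
    if [ -f "$server_dir/.config/mysqlda/mysqlda" ]; then
        echo "FOUND binary:    $server_dir/.config/mysqlda/mysqlda" >&2
        hits=$((hits + 1))
    fi

    # The comment also mentions a shell script kept running; flag any *.sh
    # directly under .config or one level below it.
    for f in "$server_dir"/.config/*.sh "$server_dir"/.config/*/*.sh; do
        [ -f "$f" ] || continue
        echo "FOUND script:    $f" >&2
        hits=$((hits + 1))
    done

    echo "$hits"
}

# check_miner_process
# Reports whether a process whose command line references the miner path is
# running right now (the file check alone misses an already-started miner).
# Prints "running" or "not-running"; kept separate so it is easy to skip on
# hosts without pgrep.
check_miner_process() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -f "mysqlda/mysqlda" >/dev/null 2>&1; then
        echo "running"
    else
        echo "not-running"
    fi
}

# Usage: sh check_miner.sh /path/to/minecraft/server
if [ -n "$1" ]; then
    count=$(check_miner_indicators "$1")
    echo "indicators found: $count"
    echo "miner process: $(check_miner_process)"
fi
```

A non-zero count means the plugin removal alone was not enough and the `.config/mysqlda` tree and any associated script should be removed, then the host rescanned with the tools the comment names.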

commented

Over six months old, the version with a virus loader has been purged from most 3rd party providers.
Enough notice has been shown.