Closed BillyDas closed 3 years ago
QuickShop jars contain build data that allow you to check if a jar has been modified. Newer builds have a built-in self checker that sends you warnings.
The warning usually looks like SHA-1 digest error or Security risk detected and most of them point to org/maxgamer/quickshop/QuickShop.class. Once you see one of them, your Server has been infected! This is usually caused by the "L10" malware
If that is the case, then: 1.Delete the malicious Plugin immediately! 2.Make a full backup of your Server 3.Scan your Server with this Anti-Malware Tool: https://www.spigotmc.org/resources/spigot-anti-malware-detects-over-300-malicious-plugins.64982/ 4.Delete the malicious jar it reported 5.Re-download deleted jar, then scan again to make sure you got rid of the malware (May have false-positive, so feel free to ask if not sure) 6.Congratulations! You have cleaned the malware from your server!
so basically every plugin i have says it "MIGHT" be infected. @sandtechnology thoguhts on this? Would you be willing to look at the log and give me your thoughts?
We have received couples of report for that, usually it was infected by "L10" malware (Reported by the anti-malware tool I mentioned above), if does, you all plugins will be infected, so you have to re-download all plugins again.
You my friend are a legend <3 ill get to it. Is there anywhere i can contact you?
Discord channel which mentioned in our plugin page: https://www.spigotmc.org/resources/quickshop-reremake-1-16-ready-say-hello-with-rgb.62575/
hey hey So i just replced all the plugins that said they were infected and haven't booted the server. still getting this output though althought i JUST replaced them, do you think there could be some false positives (e.g Citizens Force OP?)
[16:29:11] [INFO]: Initializing
[16:29:11] [INFO]: Any bugs and/or false-positives should be reported here: https://github.com/OpticFusion1/MCAntiMalware/issues
[16:29:11] [INFO]: Registering checks
[16:29:11] [INFO]: Finished registering checks
[16:29:11] [INFO]: Setting up Auto-Updater
[16:29:11] [INFO]: Finished initializing
[16:29:12] [DETECTED]: File: plugins/nuvotifier-2.7.2.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.Process Class Path: com/vexsoftware/votifier/io/netty/util/NetUtil
[16:29:14] [DETECTED]: File: plugins/MythicMobs-4.12.0.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: io/lumine/xikage/mythicmobs/utils/config/properties/types/IconProp
[16:29:14] [DETECTED]: File: plugins/MythicMobs-4.12.0.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: io/lumine/xikage/mythicmobs/drops/droppables/CommandDrop
[16:29:14] [DETECTED]: File: plugins/MythicMobs-4.12.0.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: io/lumine/xikage/mythicmobs/skills/mechanics/CommandMechanic
[16:29:14] [DETECTED]: File: plugins/MythicMobs-4.12.0.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: io/lumine/xikage/mythicmobs/skills/mechanics/CommandMechanic
[16:29:15] [DETECTED]: File: plugins/Quests-4.0.4.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.Process Class Path: me/blackvein/quests/libs/mysql/cj/admin/ServerController
[16:29:15] [DETECTED]: File: plugins/NexEngine.jar MIGHT be infected with Spigot.MALWARE.L10.A Class Path: su/nexmedia/engine/NexPluginL10
[16:29:15] [DETECTED]: File: plugins/MythicMobs-4.12.0.jar MIGHT be infected with Spigot.MALWARE.NickSystem.A Class Path: io/lumine/xikage/mythicmobs/skills/mechanics/BlackScreenEffect
[16:29:16] [DETECTED]: File: plugins/LastLoginAPI/lib/com/h2database/h2/1.4.200/h2-1.4.200.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.Process Class Path: org/h2/util/SourceCompiler
[16:29:16] [DETECTED]: File: plugins/Advanced-Portals-0.6.0.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: com/sekwah/advancedportals/bukkit/portals/Portal
[16:29:16] [DETECTED]: File: plugins/TimeIsMoney.jar MIGHT be infected with Spigot.MALWARE.DropEdit.A Class Path: plugin.yml
[16:29:16] [DETECTED]: File: plugins/PlugMan.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.Process Class Path: org/apache/commons/io/FileSystemUtils
[16:29:17] [DETECTED]: File: plugins/Citizens.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: net/citizensnpcs/trait/CommandTrait$NPCCommand
[16:29:17] [DETECTED]: File: plugins/Citizens.jar MIGHT be infected with Spigot.MALWARE.L10.A Class Path: net/citizensnpcs/CitizensL10
[16:29:18] [DETECTED]: File: plugins/EssentialsX-2.18.2.0.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.Process Class Path: com/earth2me/essentials/Backup'''
Citizens.jar and NexEngine.jar should be the source of L10 malware
Why would nex engine be malware? Is this no a legit plugin?
Yes is the plugin, but it was infected by L10 malware, may be just because you forget to replace it?
Describe the bug:
Quickshop is fialing to boot up. Gives me a "Sha-256 Error in the console" Paper 1.16.5 Quickshop Latest Release.
To Reproduce:
Literally, turn on the server and it just gives me this error.
Expected behavior:
Expected to start up without issues and activate the plugin
Additional context: