netherfoam / MaxBans

The original MaxBans - A Bukkit plugin to manage account bans, mutes and punishments

Malware? #84

Closed lokka30 closed 3 years ago

lokka30 commented 3 years ago

[image]

Yikes.

netherfoam commented 3 years ago

Oof, I'm guessing I've had a compromised account in Spigot:

[image]

Thanks for letting me know

lokka30 commented 3 years ago

I wish Spigot were more open with the reason as to why resources were deemed 'malicious'. The alert never stated it was due to a compromised account and the severity of the malware. 😦

netherfoam commented 3 years ago

Yeah, I saw a page on the forum over here https://www.spigotmc.org/threads/list-of-found-malware.389467/ assuming a compromised account. Though I'm getting a feeling my account wasn't compromised by the looks of it. I'm about to have a look into why the tool is picking up my plugin. Could be some Hibernate usage that's tripping it up. Could be legit. Scary.

netherfoam commented 3 years ago

False positive. MaxBansPlus depends on Hibernate 5.3.4 which depends on Antlr, which is falsely assumed to be malware:

```
$ java -Xmx1048m -jar MCAntiMalware.jar
[AntiMalware] [18:48:53] [WARNING]: The resource {0} cannot be found
[AntiMalware] [18:48:53] [INFO]: Using locale en
[AntiMalware] [18:48:53] [INFO]: Any bugs and/or false-positives should be reported here: https://github.com/OpticFusion1/MCAntiMalware/issues
[AntiMalware] [18:48:53] [INFO]: Downloading databases
[AntiMalware] [18:48:54] [INFO]: Finished downloading databases
[AntiMalware] [18:48:54] [INFO]: Registering checks
[AntiMalware] [18:48:54] [INFO]: Finished registering checks
[AntiMalware] [18:48:54] [INFO]: Setting up Auto-Updater
[AntiMalware] [18:48:54] [INFO]: Finished initializing
[AntiMalware] [18:48:57] [DETECTED]: File: plugins\maxbans-plus-2.0.jar MIGHT be infected with Spigot.MALWARE.SystemAccess.GetRuntime Class Path: antlr/build/Tool
Remaining files to scan: 0
```

Appears to be a false positive after all, but if this is going to be an issue with Spigot, I might have to look at refactoring Hibernate out of the project.

Super appreciate letting me know though!

lokka30 commented 3 years ago

All good, and I am very sorry that you had to deal with a false positive :)

netherfoam commented 3 years ago

So, I've spoken with OpticFusion and md_5 and it's actually both: The plugin hosted on Spigot was replaced with malware, and the false positive exists in the authentic plugin. If your machine ran the version of the plugin downloaded from Spigot between Mar-2021 and April-2021, then it's probably been infected.

The Bukkit version hasn't been affected
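The thread raises two separate questions a server operator has to answer here: is the jar I ran the authentic release or the replaced one, and when a scanner flags a `GetRuntime` hit, does that hit sit in a shaded dependency (antlr, pulled in through Hibernate) or in the plugin's own code? The script below is an added triage example, not part of MaxBans or of MCAntiMalware. It compares the jar's SHA-256 against a hash you obtain from a trusted source (for instance the GitHub release), then lists every class whose bytes contain the constant-pool strings a `Runtime.getRuntime()` call leaves behind, grouped by package directory. The sample jar it builds, the `com/example/maxbans` package name and the byte-pattern heuristic are all constructed for the example; the real scanner's detection logic and the real plugin's package layout are not on this page.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Heuristic (assumption): a class that calls Runtime.getRuntime() carries these
# UTF8 constant-pool strings in its .class bytes. This is a byte search, not a
# bytecode parser, so treat a hit as a lead for review, not as a verdict.
RUNTIME_PATTERNS = (b"java/lang/Runtime", b"getRuntime")


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of the jar, to compare with a hash from a trusted source."""
    return hashlib.sha256(data).hexdigest()


def find_runtime_hits(jar_bytes: bytes) -> dict:
    """Map package directory -> class paths whose bytes contain all RUNTIME_PATTERNS.

    Grouping by package shows at a glance whether a hit lives in a shaded
    dependency (e.g. antlr/build) or in the plugin's own packages.
    """
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            if all(pattern in data for pattern in RUNTIME_PATTERNS):
                package = name.rsplit("/", 1)[0] if "/" in name else "(default)"
                hits[package].append(name)
    return dict(hits)


def _is_trusted(package: str, trusted_prefixes: set) -> bool:
    """True when the package is one the maintainer expects to reference Runtime."""
    return any(package == p or package.startswith(p + "/") for p in trusted_prefixes)


def triage(jar_bytes: bytes, expected_sha256: str, trusted_prefixes: set) -> dict:
    """Summarise: does the hash match, and do any Runtime hits fall outside
    the dependency packages the maintainer has accounted for?"""
    actual = sha256_of_bytes(jar_bytes)
    hits = find_runtime_hits(jar_bytes)
    unexpected = {pkg: cls for pkg, cls in hits.items() if not _is_trusted(pkg, trusted_prefixes)}
    return {
        "hash_matches": actual == expected_sha256,
        "sha256": actual,
        "hits": hits,
        "unexpected_hits": unexpected,
    }


def build_sample_jar(include_extra_runtime_class: bool) -> bytes:
    """Constructed sample jar (not the real maxbans-plus-2.0.jar).

    Entries are fake class files: a JVM magic number followed by the strings a
    scanner would find in the constant pool. Fixed timestamps keep the bytes,
    and therefore the hash, reproducible.
    """
    magic = b"\xca\xfe\xba\xbe"
    entries = {
        # Shaded dependency class that legitimately references Runtime (as antlr does).
        "antlr/build/Tool.class": magic + b"java/lang/Runtime" + b"getRuntime",
        # The plugin's own main class, with no Runtime reference.
        "com/example/maxbans/MaxBansPlus.class": magic + b"org/bukkit/plugin/java/JavaPlugin",
    }
    if include_extra_runtime_class:
        # A class in the plugin's own package that references Runtime: this is the
        # kind of hit that should be reviewed rather than waved through as antlr.
        entries["com/example/maxbans/Loader.class"] = magic + b"java/lang/Runtime" + b"getRuntime"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2021, 3, 1, 0, 0, 0))
            jar.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    authentic = build_sample_jar(include_extra_runtime_class=False)
    trusted_hash = sha256_of_bytes(authentic)  # in practice: hash published by the maintainer
    for label, jar in (("authentic", authentic), ("modified", build_sample_jar(True))):
        result = triage(jar, trusted_hash, {"antlr"})
        print(label, "hash ok:", result["hash_matches"], "unexpected:", result["unexpected_hits"])
```

Run against a real jar, `find_runtime_hits` would list `antlr/build/Tool.class` under `antlr/build`, which is exactly the path the scanner reported; the interesting output is anything in `unexpected_hits`, which is where a replaced build would show up even when its hash is not yet known.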

lokka30 commented 3 years ago

Thanks for the info.

Is there anything known as to the strength of the malware?

netherfoam commented 3 years ago

https://www.spigotmc.org/threads/be-careful-compromised-spigot-accounts-might-be-posting-plugin-updates-with-malware.496738/page-2#post-4122390 this details what the malware is known to do, but there could absolutely be other side effects. I have a feeling most of the damage will be done if the user running the server is root, but there's a very real chance that other attacks were made other than just trying to create a back door

Removal tips here if you've used the malware version: https://www.spigotmc.org/threads/be-careful-compromised-spigot-accounts-might-be-posting-plugin-updates-with-malware.496738/#post-4119279

lokka30 commented 3 years ago

Thanks :) Was running a test server on Windows so seems like I will be fine.