Info: Virus loader in July 28th version of the plugin. #16
Comments
|
Hi Phoenix, yes effectively. On July 28 my spigot account was hijacked (my password was on a db leak and I didn't enabled 2fa on Spigot) and a malicious plugin was uploaded. You can always open the project code with IntelliJ Idea and compile it with OpenJDK16.0.1 and check if the version that I upload is the same on the code. The binary uploaded here isn't obfuscated either so de-compiling it and checking if it is what I said it is shouldn't be too hard. I added a warning on the Spigot project page and I'm uploading a new version that will also warn users about the compromised plugin. |
|
Good to hear you got in touch with the Spigot team. Did they have any information on who/where from your account was used? Were you able to show you were subject to a leak? Still trying to figure out if you were involved in this. The owners of the Amazon control server are currently under (legal) investigation. |
|
You may want to publish further advice on your Spigot page: It is of little help to only remove the plugin file. The virus itself still remains active on the system. Me and a friend of mine only observed one variant of malicious file: A Coin miner. To remove it people have to check I cannot confirm there might not be other malicious files; there may be other variants that were automatically downloaded. But users should keep an eye out on this. They can use clamav / tmux on Linux and Malwarebytes on Windows to clean their system. |
This comment has been minimized.
This comment has been minimized.
MarioFinale
changed the title
MarioFinale
changed the title
|
Over six months old, the version with a virus loader has been purged from most 3rd party providers. |
Dear MarioFinale,
your plugin is officially open source, but that does not mean the file on Spigot consists of the files seen here in public.
Who uploaded the file to Spigot?
The text was updated successfully, but these errors were encountered: