A recent report from su1414 on spigotmc.org has alerted us to a security backdoor in Spigot plugins developed by user ForSoft, including Minator, SkySneak, and others.
This malware sends an HTTP request to a server owned by ForSoft, letting them know which servers run their plugins. More importantly, it gives ForSoft, and any other users with knowledge of the backdoor, the ability to get OP on those servers.
“When you type <removed for security reasons> in chat you get an item named ‘cOP’ and then when you click it in your inventory it hides command output and gives you op.” -su1414
Spigot Staff have already taken measures to ban the user and remove their plugins from the resources directory. They’ve also sent a notification on their website to all users who have purchased or downloaded the plugins to let them know to remove the plugins from their servers.
It is advised that you immediately remove these plugins from your server and look for alternative solutions in other plugins from other developers.
Check if you have ForSoft plugins on your server:
User Cats (Optic_Fusion1) has sent us a script which you can run on your server to find out whether any of the plugins you have installed contain this backdoor. Using this script should not be seen as a full solution, as there could be false positives or missed detections, but it could help you find some known bad actors on your server. It’s best if you review the source code of the plugins you have installed, or ask another developer to help you with that if you don’t know how.
How To Install:
- Download the zip file at the button below. You can also review the source code at the link under the button.
- Extract the zip file to get Finder.jar
- Upload the Finder.jar file to your plugins folder. The file is not a plugin, but it does go in your plugins folder.
- Run the jar file in a shell, terminal, or cmd with the command “java -jar Finder.jar”
- This will create a “plugins” folder inside of your “plugins” folder. Within that is a “Finder” folder, and within that is a “log.txt” file.
- Open the log.txt file to see if there are any plugins listed that could be potential malware.
Again, you should review all of your plugins to make sure they are from reputable developers to ensure there are no other plugins which have similar exploits or security flaws.
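As a complement to the steps above, the following is an added example (not Finder.jar and not code from Optic_Fusion1) that inventories the jars in a plugins folder and flags any whose plugin.yml name or author matches the names in this advisory. It assumes the plugins declare those values honestly in plugin.yml, which a malicious author can change, so an empty result does not prove a server is clean.

```python
import re
import sys
import zipfile
from pathlib import Path

# Names taken from the advisory above. The advisory says "and others",
# so this list is incomplete by construction.
FLAGGED_AUTHOR = "forsoft"
FLAGGED_NAMES = {"minator", "skysneak"}

def read_descriptor(jar_path):
    """Return the plugin.yml text from a jar, or None if absent/unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return jar.read("plugin.yml").decode("utf-8", errors="replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None

def top_level(yml, key):
    """Lowercased value of a top-level key, including an indented list under it."""
    m = re.search(rf"^{key}:[ \t]*(.*(?:\n[ \t]+.*)*)", yml, re.MULTILINE)
    return m.group(1).strip().lower() if m else ""

def scan(plugins_dir):
    """Return {jar file name: [reasons]} for jars that need a closer look."""
    hits = {}
    for jar_path in sorted(Path(plugins_dir).glob("*.jar")):
        yml = read_descriptor(jar_path)
        if yml is None:
            hits[jar_path.name] = ["no readable plugin.yml; inspect manually"]
            continue
        reasons = []
        if top_level(yml, "name").strip("'\"") in FLAGGED_NAMES:
            reasons.append("plugin name listed in advisory")
        authors = top_level(yml, "author") + " " + top_level(yml, "authors")
        if FLAGGED_AUTHOR in authors:
            reasons.append("author field mentions ForSoft")
        if reasons:
            hits[jar_path.name] = reasons
    return hits

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "plugins"
    for jar, reasons in scan(target).items():
        print(f"{jar}: {'; '.join(reasons)}")
```

Run it from the server directory, or pass the path to the plugins folder as the first argument. Jars without a plugin.yml, such as Finder.jar itself, are listed for manual inspection rather than treated as malicious.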
Story Source: Optic_Fusion1