PSA: Malicious plugins: NanoGuard Anticheat and InfiniteDispenser

Discussion in 'Community News and Announcements' started by EvilSeph, Sep 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph

    It has come to our attention that the plugins "NanoGuard Anticheat" and "InfiniteDispenser" have been distributing potentially malicious code hidden within their update process. We urge all server admins running these plugins or who have run these plugins to read this PSA carefully and follow the advice given immediately.

    We strongly advise all server admins to cease using these plugins immediately:
    • NanoGuard Anticheat (Default file name: NanoGuardJAR.jar or similar)
    • InfiniteDispenser (Default file name: InfiniteDispenser-3.2.jar or similar)
    As a general precaution, we strongly recommend that all server admins perform a full examination of their server, keeping an eye out for unknown plugins or suspicious behaviour - as is proper on a periodic basis. We also would like to remind server admins to avoid running anything with root or admin privileges without taking the proper precautions to safeguard against the security risks it poses.

    In accordance with our community policies regarding malicious code, these projects and their files have been completely removed from our sites and the individuals associated have been banned. While we do not - and cannot - guarantee we'll catch everything, our approval process is an ever evolving aspect of our project and we believe that it is an integral piece in providing server admins with peace of mind when running their servers.

    Thanks for your continued support and understanding in this matter,
    EvilSeph
    - on behalf of the Bukkit Project
     
  2. Offline

    Compressions

    EvilSeph Thanks for bringing this to our attention! :)
     
    Skyost likes this.
  3. Offline

    drucrazy

  4. Offline

    LaxWasHere

  5. Offline

    moose517

    i thought that part of the file approval process was decompiling jars and checking for things like that. must not be t thorugh if that managed to slip through.
     
    Aengo likes this.
  6. Offline

    ThaSourceGaming

    Thank you for letting us know.
     
  7. Offline

    TheMagicPack

    Thanks for notifying us!
     
  8. Offline

    timtower Administrator Administrator Moderator

    EvilSeph Could you tell what the malicious content was?
     
    tyzoid, Awesomeman2, Archarin and 5 others like this.
  9. Offline

    dreadiscool

  10. Offline

    JaguarBolt

    Removing InfiniteDispenser now. Such a pity, it was a really useful plugin.
     
  11. Offline

    Samthelord1

    Who was da authorz? Same people? What was it doing? I'm scared that I've been on a server with them >.>
     
  12. Offline

    timtower Administrator Administrator Moderator

  13. Offline

    Cirno

    Code:java
    1. private static String load(String s, boolean en)

    The URL was encrypted, and the load method basically decrypted it.
    It was a simple rotate/unrotate 10 call. Maybe that triggered it?
    Also had some weird a DNS query class; don't know what that's used for.

    edit: Pointed to the creator's website to a file named pluginupdate.jar. Don't know; I found a 1.5.2 version online (not giving out link obviously).
     
  14. Offline

    DaddyDBJ21

    :confused: man, I saw InfiniteDispenser and thought "Ooh, that'd be a neat plugin for giving stuff out at spawn". Glad I forgot about it. :p thanks for bringing this to our attention!
     
  15. Wow, low blow.
     
  16. Offline

    inventorman101

    I'm guessing we won't be seeing the authors of these plugins anymore
     
  17. Offline

    chasechocolate

    Yup.
     
  18. Offline

    inventorman101

  19. Offline

    Heliocloud

    Nice catch. This was a good plugin for drop parties :p :/
     
  20. Offline

    Dpasi314

    Good catch Bukkit Dev Team!
    Glad you guys caught this before it got too out of hand!
     
  21. Offline

    UltiFix

    And to think I could have swarn I used this last year.... So glad I couldnt figure out how to use it :) Saved me! Yay to my stupidity
    EDIT:
    And I mean the infity dropper thing
     
  22. Offline

    bob7

    Wow? Are you sure it was malicious? What if it was just an updater?
     
  23. Offline

    iiHeroo


    I think they'd know.....
     
  24. Offline

    LandonTheGeek

    Good catch guys! Thanks for notifying us!
     
  25. Offline

    MCPhantom

    OMG i have the exact plugin!! im stopping my server for 2 days while i make an examination!!
     
  26. Lolz ur signature... That'd be a torture server...

    Logging in...
    BANNED?
     
  27. Offline

    Wingzzz

    Great work :)
     
  28. Offline

    TnT

    All files are decompiled. I won't make excuses - the code was simply missed. For this, I take full responsibility. I have put the team under a great deal of pressure to decrease approval times.
    However, no fast approval time is worth this happening.

    We have tightened up our process and re-educated our staff. There may be mistakes made, but we will always improve our process and strive to bring the best experience we can to our community.
     
  29. Offline

    dark_hunter

    You don't need to feel bad or sorry, your a human being. People make mistakes, you learn and move on and be better at it.
     
  30. Great find. Thankfully my sever, or the ones I dev for are not using any of these! Glad to see you guys hard at work!

    Thanks again!

    ~Madster
     
Thread Status:
Not open for further replies.

Share This Page