Are all bukkit plugins safe?

Discussion in 'Bukkit Discussion' started by mrme123, Mar 10, 2014.

Thread Status:
Not open for further replies.
  1. Offline


    I know this probably seems like a stupid question but ill explain why im asking, plugins that get uploaded to bukkit are they checked and made sure they are safe before they get uploaded public? My server control panel got hacked so, im just curious if its a plugin or just something else, ive never download plugins from random people only bukkit, thanks :)
  2. Offline


    All plugins that are uploaded to BukkitDev, have been checked by the BukkitDev staff for an malicious code.
  3. Offline


    Thankyou Jozeth, i would feel better being told from a bukkit staff member but much obliged.
  4. Offline


    Good luck with that.

    No, ALL Bukkit plugins are not safe. No, ALL Bukkit plugins on BukkitDev are not guaranteed to be safe. BukkitDev checks all approved plugins for malicious code but there is no promise that they won't miss something, it's happened before. However, it is the best system there is in place and those problems are rare.
  5. Offline


    They are as safe as they can be if you download them from BukkitDev

    The only way you can ensure that all the plugins you want are safe is to write them all yourself
  6. Offline


    If the plugin description says something like, "Before I got xxx, my server was so laggy! Now that I have it, there is no lag at all! Players are ecstatic!", maybe you want to think twice before downloading it.
    drtshock and caelum19 like this.
  7. Offline


    If you search arround the forums for a while you'll find people complaining about project approvement times :p
    Also, have a Hoolean free of charge.
  8. Offline


    mrme123 Security scan it Before you run it
  9. Offline

    Hoolean Retired Staff


    Howdy hey! Hoolean here. Us BukkitDev Staff have the job of checking all plugins uploaded for malicious code, so everything's safe and dandy for you to use wherever possible :)

    Generally, to prevent what you've described happening:
    • Only download plugins you trust (you can trust plugins from but the Bukkit staff cannot guarantee safety elsewhere)
    • Don't use the default password for your server control panel, use something secure and hard to guess - not the same as any other passwords you use also, if possible
    • Ensure your server panel in general is secure
    • Only give administrator permissions to those you trust
    danjb2000 and caelum19 like this.
  10. Offline


    Great advice Hoolean
    What I like to do with passwords is have one base password, say "<'3;!&*.djfy45" and then add a 1337 name for the service I use it with, for example

    Hoolean likes this.
  11. Offline

    Cirno, Caprei, drtshock and 1 other person like this.
  12. Offline

    Hoolean Retired Staff

    Just made a quick random password generator for y'all to use (source)!

    Post this into your browser address bar:
    data:text/html,<html><body><h1 id="pw"></h1><script>var pwLength;do{pwLength=parseInt(prompt("Insert password length (e.g. 16):"))}while(isNaN(pwLength));var pw="";for(var i=0;i<pwLength;i++){pw+=String.fromCharCode(41+Math.floor(Math.random()*(122-41)))}document.getElementById("pw").innerHTML=pw</script></body></html>
    caelum19 likes this.
  13. Offline


    I entered like 9 trillion characters...I think I broke my browser.
  14. Offline

    Hoolean Retired Staff


    And that's why we stick to nice sensible numbers, like 8 trillion. ;)
    Niknea, caelum19 and Garris0n like this.
  15. Offline


    should have made it send passwords to you :3
    also what if you're unlucky and get 12345678? haha
  16. Offline


    Thank you Hoolean, i got a little paranoid after situations that have happened to my server, im not saying that everything is safe but some people suggested it may have been a key-logger, but im honestly not sure, im creating quite a large hub network but ive been testing different plugins but the ones that havnt been downloaded much are the ones im worried about which is why i asked.
    Hoolean likes this.
  17. Offline


    I'm only worried about the plugins who already exist before the PSA malicious aprovement system I think they are hard to track though if people won't report the plugin for example as they think its just their server.

    I had the same with that InfiniteDispenser plugin I used it a pretty long time but I only noticed lots of lag and the player biped moved very glitchy then I just shutdown my server for one year due other problems however for that case I made a decision to write my own plugins:)

    however I don't think its fair to blame bukkit dev staff though they do a great job to keep bukkit safe!, also I think its very impossible/bad to ask the staff to recheck all those plugins before the PSA update though, just keep reporting your findings seems suitable;).
  18. Offline


    I didnt blame bukkit for anything lol i was just concerned about something which i wanted to get an answer for.
  19. Offline


    Garris0n - I'm not talking about NoLagg. I'm talking about a new plugin, currently waiting for approval, which I'm told is a "poisoned plugin". The description has no details about what it actually does, just a bunch of random quotes about how awesome it is. That's a warning sign that the plugin may not be legitimate.

    I believe this is the second time this month someone has attempted to get this plugin approved.
  20. Offline


    It was just a joke :p Poisoned plugins tend to be hilariously badly coded messes whenever I've seen them. I doubt anybody would manage to get one of those onto BukkitDev. I would be very careful about other sources though. I once saw an "amazing anticheat plugin" on MinecraftForums so I thought "yeah right..." and downloaded it. Decompiled it and, to my...utter lack of surprise, it was a horribly coded force-op.

    Even on the side of having an awful description, I've had a plugin rejected because I didn't specify there were no permissions/commands, so I doubt "it stopz lagz" is going to get by on its own anyway.
  21. Offline


  22. Offline


    I understand, but the majority of "poisoned plugins" are some kids who barely know Java decompiling plugins like NoCheatPlus and adding hilariously-badly-coded force-ops and "#commandhere" commands. Those were particularly well made/documented, not just your average "no lag if u instal" plugin.
  23. Offline

    TnT Retired Staff

    Every single day we remove someone's attempt at getting something malicious onto BukkitDev. I think any service that does not proactively check plugins uploaded to their site is doing their community a disservice. It is incredibly popular to try to get something malicious onto unsuspecting servers.

    We cannot guarantee safety on every plugin, as that would be a foolish guarantee. What we can tell you is we do decompile every single plugin submitted and do our best to make sure its free from any nasty surprises you may find. Also, steer away from unapproved projects or unapproved files - we have not checked them over yet.
    Borlea and Hoolean like this.
Thread Status:
Not open for further replies.

Share This Page