Dangerous plugins

Hello everybody,

Sometimes, people want to hack your server and make these dangerous plugins. I work at a Dutch hosting compagny, and today I had someone who had it. They send him a plugin called MiniGames+.

Later he started a ticket saying people are OPing thereselfs and he can't deop them. It seems to be MiniGames+'s fault.
So I downloaded the plugin and opened it with JD-GUI.

First, the package:
<snip>
Well... Other package name than the pluginname. Continueing, I typed in the package name in Google, got 1 result:
[1.5.1] Force op plugin DOWNLOAD & RUN FILES! (Also can run/download exe!)

Oh gosh, this isn't good. But I continued to the source. I saw a PlayerListener, so let's check it out:
<snip>

Oh no.... Line 65 to 77, I can get OP, ohmygoshhhhhh.




So I warn everybody: Only download plugins from Dev.Bukkit.Org (DBO). They are checked by staff (and hopefully good checked) and very more reliable than plugins you got from people. Be aware!

 

Of course you should only download from bukkitdev, otherwise you're gonna see this.

 

I know, thats why I placed a warning from what a customer got today.

 

I guess people haven't learned yet ...

 

True. But not all people are that smart

 

woah, nice plugin!

 

Hey do you still have the JAR?

I've been looking for a minigames plugin for my server!

 

They tried uploading the same file with a different name to BukkitDev. Didn't get too far.

 

Locked.

There are a lot of dangerous plugins out there, that is why we go through great lengths to ensure all files on dev.bukkit.org are free of malicious code.