PSA: Malicious plugins: NanoGuard Anticheat and InfiniteDispenser

Discussion in 'Community News and Announcements' started by EvilSeph, Sep 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    It has come to our attention that the plugins "NanoGuard Anticheat" and "InfiniteDispenser" have been distributing potentially malicious code hidden within their update process. We urge all server admins running these plugins or who have run these plugins to read this PSA carefully and follow the advice given immediately.

    We strongly advise all server admins to cease using these plugins immediately:
    • NanoGuard Anticheat (Default file name: NanoGuardJAR.jar or similar)
    • InfiniteDispenser (Default file name: InfiniteDispenser-3.2.jar or similar)
    As a general precaution, we strongly recommend that all server admins perform a full examination of their server, keeping an eye out for unknown plugins or suspicious behaviour - as is proper on a periodic basis. We also would like to remind server admins to avoid running anything with root or admin privileges without taking the proper precautions to safeguard against the security risks it poses.

    In accordance with our community policies regarding malicious code, these projects and their files have been completely removed from our sites and the individuals associated have been banned. While we do not - and cannot - guarantee we'll catch everything, our approval process is an ever evolving aspect of our project and we believe that it is an integral piece in providing server admins with peace of mind when running their servers.

    Thanks for your continued support and understanding in this matter,
    EvilSeph
    - on behalf of the Bukkit Project
     
  2. Offline

    FrozenBrain

    Well I still don't know how the Approval team could miss two plugins downloading Jar files from an encrypted URL and running them using reflection. How come they didn't check the updater in these cases?
     
  3. Offline

    zolcos

    Even after this, my last plugin approval time was still decently fast, so thanks.
    Say, do you provide any stats on plugin submissions/rejections? It would be cool if you could point to an automatically generated chart and say "99% of known malicious code was stopped in the approval process" or something like that
     
  4. Offline

    lepel100

    Thanks bukkit team :)
     
  5. Offline

    creepers84

    I used InfiniteDispenser Once! I'm Scared? What exactly did the code execute?
     
  6. Offline

    woodzy

    awsome work Bukkit, the community cant thank u enough for the find.
    i had down loaded this, but i havent installed it yeat, goo thing to :p
    Madster456, u face is the best reaction to the "Thank you" for this.
     
  7. Offline

    jtdemille

    I had nanogaurd enabled my whole server time, about a month, I hope I'm not comprimised!
     
  8. Offline

    HeroCC

    I have used InfiniteDispenser before. Is my server safe? I have not seen the pluginupdate.jar yet. If someone could decompile the source for me, that would be great. I may attempt to remove the bad code, so I can use the plugin again. This was a large part of my server.
     
  9. Offline

    TnT Retired Staff

    If you have it, remove it. Check over your server thoroughly. There are other competing plugins that are safe to use.
     
  10. Offline

    Hockeymikey

    I think it is unjust to ban all users of these projects as there may be some that were unaware with this malicious code such as an artist.
     
  11. Offline

    Dpasi314

    How do you differentiate from the people who intentionally put in the malicious code and who was unaware? For all you know or the DBO team knows, the Artist could have been the one who did it. Albeit, unlikely, but possible.
     
  12. Offline

    Hockeymikey

    I think checking PM's between the users would be a good way to double check. You can never know but it is unjust to ban all of them just because of a suspicion and paranoia. The group should be barred from posting plugins, working, ect until a proper investigation is executed and looks into the incident. Hardly fair to a user (like the artist) you maybe worked with them once to provide graphics and never talked to them again. Banned for basically cooperating in the community with your talent.
    That's just my 2 cents on the matter.
     
  13. Offline

    Noraaronoraaron

    I found a page about a person WANTING to have a person make NanoGuard.

    Link: http://paxii.de/forum/index.php?page=Thread&threadID=205

    Hope TnT sees this!
     
  14. Offline

    Bobcat00

  15. Offline

    Gravity Retired Staff

    Private Messages are called private for a reason. We do not have the physical ability to intrude upon user's conversations by the very nature of the system. We only view conversations to which we have been invited by a user, doing otherwise is a violation of trust. In any case, it is highly unlikely that doing so would give us any more information than we already have

    A proper investigation has been executed, and the details in the OP is the result of that investigation. I understand your concern, but I can assure you that we do not take this situation lightly, and have taken all the proper steps to handle it and help ensure it doesn't happen again.
     
  16. Offline

    zorro1o1

    Wait so should i remove NoCheatPlus?!!?!
     
  17. Offline

    lol768 Retired Staff

    Please read the post. NoCheatPlus is not one of the identified malicious plugins
     
  18. Offline

    zorro1o1

    Oh! sorry i mixed up between Anticheat and NoCheatPlus XD well i am good then :D
     
  19. Offline

    Gravity Retired Staff

    Again, you need to read carefully. This is not referring to AntiCheat (my plugin) - it is referring to "NanoGuard Anticheat" which is from a different author, and has no code shared with my plugin whatsoever.
     
  20. Offline

    Nathan C

  21. Offline

    creepers84

  22. Offline

    0x1FE

    no. rule #1: never assume you're safe.
    irc botnet.

    trying to build a botnet from minecraft servers (which are often dedicated)... would give huge capacity for ddos etc.
    very clever i must say.
     
    carlgo11 likes this.
  23. Offline

    LoganDark

    Oh no yes, I never heard of these plugins.

    Thanks for notifying us though! I want to give you [diamond][diamond][diamond][diamond][diamond][diamond][diamond][diamond][diamond][diamond]
     
  24. Offline

    stuntguy3000

    Er no they didn't...

    I don't know how this could of been missed. Ouch guys.
     
  25. Offline

    Gravity Retired Staff

    Removed offtopic posts. This post concerns exactly two plugins, both of which have been named in the original post; discussion of your own plugins can take place elsewhere.
     
    KingFaris11 likes this.
  26. Offline

    Plo124

    Um, I got the DispenserRefil.jar file, which I still have on my PC, theres no pluginupdate.jar in the folder, does that mean the virus has renamed it and hidden it elsewhere? My opinion is that was an older version, that didn't have the Malware on it.
     
  27. Offline

    Lolmewn Retired Staff

    Plo124 Read closely. InfiniteDispenser was malicious, DispenserRefil isn't.
     
  28. Offline

    TnT Retired Staff

    Offtopic posts removed.
     
  29. Offline

    Mineitup

    Wait. Can't someone just delete the malicious class file or code from the plugin? Because it seems that easy for me.
     
  30. Offline

    Bobcat00

    At the very least, I would delete ALL jars (including craftbukkit) and re-download them. You should also check your ops.txt and permissions files.

    They may have also compromised your SSH keys or left a shell script on your system.
     
  31. Offline

    PhoenixFlight

    Three things.

    1) Nice job catching it. I've never touched either of these plugins so I'm not entirely sure exactly how their system worked, but I'm going to guess (from how incredibly obvious the code in the updater is) that the normal plugin was mostly clean, but would download the secondary malicious jar separately. If that's the case, I can definitely see why it could be missed. 2-3 lines in a huge plugin is much easier to miss than a whole package called "attack."

    2) I've done my fair share of work as a TA/tutor in classes where kids are using java, and I'm going to go out on a limb and assume that the average plugin source is just as messy, if not moreso. Weird variable names, massive methods, etc etc. Unless I already understood every aspect of whatever project I was looking at, it was hard to figure out what their code was doing. I'm incredibly impressed by just how good the bukkitdev staff is at figuring out everyone's code. Props.

    3) Okay I can't remember what #3 is so let's just go with "Read the first post!!!!!"
     
    autoit4you and lol768 like this.
Thread Status:
Not open for further replies.

Share This Page