PSA: Malicious plugins: NanoGuard Anticheat and InfiniteDispenser

Discussion in 'Community News and Announcements' started by EvilSeph, Sep 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline


    It has come to our attention that the plugins "NanoGuard Anticheat" and "InfiniteDispenser" have been distributing potentially malicious code hidden within their update process. We urge all server admins running these plugins or who have run these plugins to read this PSA carefully and follow the advice given immediately.

    We strongly advise all server admins to cease using these plugins immediately:
    • NanoGuard Anticheat (Default file name: NanoGuardJAR.jar or similar)
    • InfiniteDispenser (Default file name: InfiniteDispenser-3.2.jar or similar)
    As a general precaution, we strongly recommend that all server admins perform a full examination of their server, keeping an eye out for unknown plugins or suspicious behaviour - as is proper on a periodic basis. We also would like to remind server admins to avoid running anything with root or admin privileges without taking the proper precautions to safeguard against the security risks it poses.

    In accordance with our community policies regarding malicious code, these projects and their files have been completely removed from our sites and the individuals associated have been banned. While we do not - and cannot - guarantee we'll catch everything, our approval process is an ever evolving aspect of our project and we believe that it is an integral piece in providing server admins with peace of mind when running their servers.

    Thanks for your continued support and understanding in this matter,
    - on behalf of the Bukkit Project
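One way to check a plugins folder for the two plugins named above, as an added example that is not part of the original post or the Bukkit Project's own tooling. It assumes the usual Bukkit layout, where each plugin jar declares its name in a `plugin.yml` at the jar root, so a renamed file is still caught; the function names and the sample jars are constructed for illustration.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Names from the PSA, matched loosely because it says "or similar".
FLAGGED = re.compile(r"nano[\s_-]*guard|infinite[\s_-]*dispenser", re.IGNORECASE)
NAME_LINE = re.compile(r"^name:[ \t]*['\"]?([^'\"#\r\n]+)", re.MULTILINE)

def declared_name(jar_path):
    """Return the name: value from the jar's plugin.yml, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("plugin.yml").decode("utf-8", errors="replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    match = NAME_LINE.search(text)
    return match.group(1).strip() if match else None

def audit_plugins(plugins_dir, expected=()):
    """Label each .jar 'flagged' (named in the PSA), 'unknown' or 'ok'."""
    expected = {n.lower() for n in expected}
    report = {}
    for jar_path in sorted(Path(plugins_dir).glob("*.jar")):
        name = declared_name(jar_path)
        if FLAGGED.search(jar_path.name) or (name and FLAGGED.search(name)):
            report[jar_path.name] = "flagged"
        elif name is None or name.lower() not in expected:
            report[jar_path.name] = "unknown"  # not on the admin's own list
        else:
            report[jar_path.name] = "ok"
    return report

def demo_constructed():
    """Audit three constructed jars (sample data, not real plugins)."""
    samples = [("WorldTools.jar", "WorldTools"), ("renamed.jar", "NanoGuard"),
               ("mystery.jar", "SomethingElse")]
    with tempfile.TemporaryDirectory() as tmp:
        for filename, plugin_name in samples:
            with zipfile.ZipFile(Path(tmp, filename), "w") as jar:
                jar.writestr("plugin.yml", f"name: {plugin_name}\nmain: demo.Main\n")
        return audit_plugins(tmp, expected=["WorldTools"])

if __name__ == "__main__":
    # Usage: script.py <plugins dir> [expected plugin names...]; no args runs the demo.
    result = audit_plugins(sys.argv[1], sys.argv[2:]) if len(sys.argv) > 1 else demo_constructed()
    for filename, status in result.items():
        print(f"{status:8} {filename}")
```

A "flagged" result identifies a jar to remove; it says nothing about what a copy that has already run may have left elsewhere on the server, which is why the PSA also asks for a full examination.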
  2. Offline


    Wow.. I deleted this plugin about a month ago on accident and just remembered as this was posted. I'm glad it's gone.. thanks :D
  3. Offline


    Good job at catching it and getting the word out! :)
  4. Offline


    I wouldn't be surprised if there were other less popular plugins that got taken down after this revelation. Good job I never used them anyway lol
  5. Offline


    I think I might've started a server with it once.
    Man, do I feel lucky that it was back when I was distro-hopping (a.k.a. formatting my hard drive, a LOT.)
  6. Offline

    Sir Savary

    I skipped over most of the posts in this thread, but for anyone wondering, the plugins were doing the following:
    • Allowing people to take control of your server
    • Using your server as part of a Botnet (For DDoS related attacks)
    • Using your server's CPU to mine Bitcoins / Litecoins
  7. Offline


    At least, that you know of. Since this plugin existed in a malicious nature for a short time on BukkitDev before it was caught and removed, the payload could have changed at any time. It cannot be said definitively what it did.
  8. Offline

    Sir Savary

    Very true, but looking at what others said this appears to be what it was doing at the time. Other than dropping a RAT, I can't imagine what else you would want to do with a backdoor like this. Most servers would have been with game hosts (not personal computers) so mining a Cryptocurrency would have been the endgame.
  9. Offline


    All the likely things it does:

    Mines bitcoins (explains minerd)
    Takes secret, full admin of your server from a botnet.
    Performs a plugin scan, and hijacks one of them with a #opme script.
    Announces the server's infection to the botnet.
    DDOSes stuff
  10. Offline


    I have to say this is really scary. Good job catching those guys.
  11. Offline


    As we believe this discussion has run its course and there is little more to be said about this issue, I am locking this topic.

    As a general rule: Server Admins should periodically perform audits on their server to ensure that everything is running as expected and nothing is out of place. Not only does this provide security for your servers, but it also provides you with the ability to more easily troubleshoot any issues that come up while running your server.