We've seen a lot of reports of a new malware going around Minecraft servers. It seems to be spread by compromised Spigot plugin-author accounts, and is somewhat difficult to detect. We do know that the following exception is caused by it:
If you see this in your logs, that server is most likely infected. There are other indicators too - the compromised JAR will have inside of it a file called plugin-config.bin. We do have a one-liner for searching for this in your plugin directories, if you're on a Linux system:
If you're on a Windows system you can run this command in your plugins directory:
Run the above while in your server or plugin directory, and if you get a match, you likely have an infected plugin. If you do not get a match, that is a good thing - you are likely not infected.
@Optic_Fusion1 's AntiMalware tool on https://github.com/OpticFusion1/MCAntiMalware has caught onto this malware about a month ago already and catches more variants of it. We highly suggest users run this tool as it contains checks for a lot more malware sources. If this tool reports any malware found, be sure to double check whether it's a false positive or not (known example: ForceOP check falsely triggers on a handful of plugins because of how it's used in plugins).
If you do get a match or think that you are infected, you should delete all of your JAR files and re-download them, as the malware spreads itself to other JARs. You should also immediately reinstall your machine, as this malware is known to install system services outside of Minecraft. It might be more effort, but it is important that infected machines are reinstalled, or else the malware will remain.
If you frequently download plugins from third-party sources e.g. SpigotMC, it's not a bad idea to do routine checks with this tool e.g. once a month or so. Remember to only download reputable plugins from reputable sources & authors.
Keep an eye out, and thanks.
Code:
java.net.NoRouteToHostException: No route to host
If you see this in your logs, that server is most likely infected. There are other indicators too - the compromised JAR will have inside of it a file called plugin-config.bin. We do have a one-liner for searching for this in your plugin directories, if you're on a Linux system:
Code:
grep -R "plugin-config.bin" .
If you're on a Windows system you can run this command in your plugins directory:
Code:
findstr /sml /c:"plugin-config.bin" *
Run the above while in your server or plugin directory, and if you get a match, you likely have an infected plugin. If you do not get a match, that is a good thing - you are likely not infected.
@Optic_Fusion1 's AntiMalware tool on https://github.com/OpticFusion1/MCAntiMalware has caught onto this malware about a month ago already and catches more variants of it. We highly suggest users run this tool as it contains checks for a lot more malware sources. If this tool reports any malware found, be sure to double check whether it's a false positive or not (known example: ForceOP check falsely triggers on a handful of plugins because of how it's used in plugins).
If you do get a match or think that you are infected, you should delete all of your JAR files and re-download them, as the malware spreads itself to other JARs. You should also immediately reinstall your machine, as this malware is known to install system services outside of Minecraft. It might be more effort, but it is important that infected machines are reinstalled, or else the malware will remain.
If you frequently download plugins from third-party sources e.g. SpigotMC, it's not a bad idea to do routine checks with this tool e.g. once a month or so. Remember to only download reputable plugins from reputable sources & authors.
Keep an eye out, and thanks.
Last edited by a moderator: