XSS... But probably not. Backend access probably through some plugin
PingSeeker got me :Sad:
How do I get rid of him? There was a modrinth plugin I had installed and I'm pretty sure it's what allowed them to get access. They are able to make changes to files and unban themselves. They also have access to console.
I'm using pufferpanel hosting through Oracle. My current and only plan is just to entirely recreate the server but I don't know how much access they have to the machine. They claim they used XSS (cross site scripting?) but I don't know much about that.
https://mclo.gs/pIbalA4
logs from when they supposedly gained op
its just complete bullshit
huh wait, gave steak interesting...
I wish but he is actually able to unban himself and op himself
It is not bullshit
sorry there has been a recent amount of bullshit fifth column threats, seemed like another one of em lol
send plugin list
I deleted several
is rcon enabled in server.properties?
No
this is my best guess for which one could've done it https://modrinth.com/plugin/launch-pads
run antimalware scan for one, it can show basic stuff
GitHub - OpticFusion1/MCAntiMalware: Anti-Malware for minecraft
I clone it straight to the server directory right
and yes
it's an AI-created malware
read the instruction
yeah, malware
lmfao so much
github is clean but the ver
but the jar uploaded to modrinth isnt
so should i go through and reinstall each of the plugins
way more needed
delete all jars in the server, like basically all folders
and more
yikes, gotcha
thank you
plugin folders are generally fine
just not the jars
Everything not modified recently should be fine right? Or should I just be safe and go through everything
Coreprotect was detected and modified in november so probably not
everything
Thank you, they don't have access anymore
np, already reported it to modrinth, not that it's gonna do much as they will continue to make hundreds of new plugins but /shrug/
Yeah I reported as well. They made it sound like the github version also had some sort of injector as well, don't know how true that is but maybe worth taking a look
going to be much more careful with what i add in the future, lesson learned
<script>$("#rconCommand")[0].value='give @a cooked_beef';$("#sendRconCommand")[0].click();$(".row-standard").remove();</script>
could be exploiting a vulnerable panel, but it might just be a cover for abusing a malicious plugin
given you're using a decent panel, if the antimalware flags something, it's probably that it was
^^
his launchpad plugin
yeah i saw
how prevalent is malware on modrinth?
recently its gotten bad with ai plugins
and its usually with version updates
ah makes sense
i'm surprised they don't scan the jar given how large accounts get compromised on occasion
https://blog.onelitefeather.net/en/everything-you-need-to-know-about-ethanol/ its legitimately a troll malware
Everything You Need to Know About Ethanol: Relatively unknown yet already present on several hundred servers. Like Fractureiser, it is promoted by the user mori0 / Riesenrad to "troll" servers. What lies behind it.
it has dangerous stuff but it has a bunch of troll commands as well --
reading through this is actually horrifying, thankfully my attackers weren't super malicious otherwise i'm pretty sure they could've deleted everything in my server directory
you did delete server.jar, cache folders, versions folder, libraries etc right
just to make sure
they infect EVERYTHING
Yes, everything except databases, configs, and world folders
usually if its not in a docker etc container its a straight hard wipe the pc
its that bad
It was actually scary how empty my directory was lol
Probably a good idea to report this plugin, how do you usually do this? Massive report or just one and hope for the best?
as many people report as possible
but issue is its ai done
java skill issue
btw, I think the infected version got taken down