Admincraft, 3mo ago
quin

XSS... But probably not. Backend access probably through some plugin

PingSeeker got me :Sad: How do I get rid of him? There was a Modrinth plugin I had installed and I'm pretty sure it's what allowed them to get access. They are able to make changes to files and unban themselves. They also have access to console. I'm using PufferPanel hosting through Oracle. My current and only plan is just to entirely recreate the server, but I don't know how much access they have to the machine. They claim they used XSS (cross site scripting?) but I don't know much about that.
43 Replies
Admincraft Meta, 3mo ago
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close !close !solved !answered
Requested by qchex#0
quin (OP), 3mo ago
https://mclo.gs/pIbalA4 logs from when they supposedly gained op
mclo.gs
Purpur 1.21.1 Server Log [#pIbalA4]
1252 lines | 4 errors
ProGamingDk, 3mo ago
it's just complete bullshit, huh... wait, gave steak, interesting...
quin (OP), 3mo ago
I wish, but he is actually able to unban himself and op himself. It is not bullshit.
ProGamingDk, 3mo ago
sorry, there has been a recent amount of bullshit fifth column threats, seemed like another one of em lol. send plugin list
quin (OP), 3mo ago
I deleted several
[image attachment, no description]
ProGamingDk, 3mo ago
is rcon enabled in server.properties?
quin (OP), 3mo ago
No. This is my best guess for which one could've done it: https://modrinth.com/plugin/launch-pads
ProGamingDk, 3mo ago
run an antimalware scan for one, it can show basic stuff
ProGamingDk, 3mo ago
GitHub
GitHub - OpticFusion1/MCAntiMalware: Anti-Malware for minecraft
Anti-Malware for minecraft. Contribute to OpticFusion1/MCAntiMalware development by creating an account on GitHub.
quin (OP), 3mo ago
I clone it straight to the server directory, right?
ProGamingDk, 3mo ago
and yes, it's an AI-created malware
Admincraft Meta, 3mo ago
We have uploaded your file to a paste service for better readability
Paste services are more mobile friendly and easier to read than just posting a file
Requested by progamingdk
ProGamingDk, 3mo ago
read the instructions. yeah, malware
quin (OP), 3mo ago
lmfao so much
ProGamingDk, 3mo ago
github is clean, but the jar uploaded to modrinth isn't
quin (OP), 3mo ago
[image attachment, no description]
quin (OP), 3mo ago
so should i go through and reinstall each of the plugins?
ProGamingDk, 3mo ago
way more is needed: delete all jars in the server, like basically all folders and more
quin (OP), 3mo ago
yikes, gotcha, thank you
ProGamingDk, 3mo ago
plugin folders are generally fine, just not the jars
quin (OP), 3mo ago
Everything not modified recently should be fine, right? Or should I just be safe and go through everything? CoreProtect was detected and modified in November, so probably not.
ProGamingDk, 3mo ago
everything
quin (OP), 3mo ago
Thank you, they don't have access anymore
ProGamingDk, 3mo ago
np, already reported it to modrinth, not that it's gonna do much as they will continue to make hundreds of new plugins, but /shrug/
quin (OP), 3mo ago
Yeah, I reported as well. They made it sound like the github version also had some sort of injector, don't know how true that is but maybe worth taking a look. Going to be much more careful with what I add in the future, lesson learned.
codertommy, 3mo ago
<script>$("#rconCommand")[0].value='give @a cooked_beef';$("#sendRconCommand")[0].click();$(".row-standard").remove();</script> could be exploiting a vulnerable panel, but it might just be a cover for abusing a malicious plugin, given you're using a decent panel. If the antimalware flags something, it's probably that.
ProGamingDk, 3mo ago
it was ^^ his launchpad plugin
codertommy, 3mo ago
yeah, i saw. how prevalent is malware on modrinth?
ProGamingDk, 3mo ago
recently it's gotten bad with ai plugins, and it's usually with version updates
codertommy, 3mo ago
ah, makes sense. i'm surprised they don't scan the jar, given how large accounts get compromised on occasion
ProGamingDk, 3mo ago
Everything You Need to Know About Ethanol
Relatively unknown yet already present on several hundred servers. Like Fractureiser, it is promoted by the user mori0 / Riesenrad to “troll” servers. What lies behind it.
ProGamingDk, 3mo ago
it has dangerous stuff, but it has a bunch of troll commands as well --
quin (OP), 3mo ago
reading through this is actually horrifying. thankfully my attackers weren't super malicious, otherwise i'm pretty sure they could've deleted everything in my server directory
ProGamingDk, 3mo ago
you did delete server.jar, cache folders, versions folder, libraries etc, right? just to make sure, they infect EVERYTHING
quin (OP), 3mo ago
Yes, everything except databases, configs, and world folders
ProGamingDk, 3mo ago
usually, if it's not in a docker etc container, it's a straight hard wipe of the pc, it's that bad
quin (OP), 3mo ago
It was actually scary how empty my directory was lol
𝐁𝐢𝐪𝐮𝐚𝐭𝐞𝐫𝐧𝐢𝐨𝐧𝐬
Probably a good idea to report this plugin, how do you usually do this? Massive report or just one and hope for the best?
ProGamingDk, 3mo ago
as many people report as possible, but the issue is it's ai done
𝐁𝐢𝐪𝐮𝐚𝐭𝐞𝐫𝐧𝐢𝐨𝐧𝐬
java skill issue btw, I think the infected version got taken down