PSA: Malicious plugins: NanoGuard Anticheat and InfiniteDispenser

Discussion in 'Community News and Announcements' started by EvilSeph, Sep 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline


    It has come to our attention that the plugins "NanoGuard Anticheat" and "InfiniteDispenser" have been distributing potentially malicious code hidden within their update process. We urge all server admins running these plugins or who have run these plugins to read this PSA carefully and follow the advice given immediately.

    We strongly advise all server admins to cease using these plugins immediately:
    • NanoGuard Anticheat (Default file name: NanoGuardJAR.jar or similar)
    • InfiniteDispenser (Default file name: InfiniteDispenser-3.2.jar or similar)
    As a general precaution, we strongly recommend that all server admins perform a full examination of their server, keeping an eye out for unknown plugins or suspicious behaviour - as is proper on a periodic basis. We also would like to remind server admins to avoid running anything with root or admin privileges without taking the proper precautions to safeguard against the security risks it poses.

    In accordance with our community policies regarding malicious code, these projects and their files have been completely removed from our sites and the individuals associated have been banned. While we do not - and cannot - guarantee we'll catch everything, our approval process is an ever evolving aspect of our project and we believe that it is an integral piece in providing server admins with peace of mind when running their servers.

    Thanks for your continued support and understanding in this matter,
    - on behalf of the Bukkit Project
  2. Offline


    EvilSeph Thanks for bringing this to our attention! :)
    Skyost likes this.
  5. Offline


    I thought that part of the file approval process was decompiling jars and checking for things like that. Must not be that thorough if that managed to slip through.
    Aengo likes this.
  6. Offline


    Thank you for letting us know.
  7. Offline


    Thanks for notifying us!
  8. Online

    timtower Administrator Moderator

    EvilSeph Could you tell what the malicious content was?
    tyzoid, Awesomeman2, Archarin and 5 others like this.
  10. Offline


    Removing InfiniteDispenser now. Such a pity, it was a really useful plugin.
  11. Offline


    Who was da authorz? Same people? What was it doing? I'm scared that I've been on a server with them >.>
  13. Offline


    private static String load(String s, boolean en)

    The URL was encrypted, and the load method basically decrypted it.
    It was a simple rotate/unrotate 10 call. Maybe that triggered it?
    Also had a weird DNS query class; don't know what that's used for.

    edit: Pointed to the creator's website to a file named pluginupdate.jar. Don't know; I found a 1.5.2 version online (not giving out link obviously).
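
A defender's check for the pattern described in the post above, as an added example that is not part of the thread or of either plugin's code: it reads the string constants from every class in a jar and reports those that only become a URL after rotation. The rotation scheme (printable ASCII, modulo 95), the function names and the sample host `updates.example.invalid` are assumptions; the thread does not show the plugin's actual cipher.

```python
import io, re, struct, zipfile

URL_RE = re.compile(r"https?://[\w.-]+\.[a-z]{2,}\S*", re.I)
# Byte length of each constant-pool entry after its tag (Utf8, tag 1, is variable).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def rotate(text, shift):
    """Assumed scheme: rotate printable ASCII (0x20-0x7e) by `shift` positions."""
    return "".join(chr((ord(c) - 0x20 + shift) % 95 + 0x20)
                   if 0x20 <= ord(c) <= 0x7E else c for c in text)

def utf8_constants(data):
    """Yield the CONSTANT_Utf8 strings in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe" or len(data) < 10:
        return
    count, off, idx = struct.unpack_from(">H", data, 8)[0], 10, 1
    while idx < count and off + 3 <= len(data):
        tag, off = data[off], off + 1
        if tag == 1:
            n = struct.unpack_from(">H", data, off)[0]
            yield data[off + 2:off + 2 + n].decode("utf-8", "replace")
            off += 2 + n
        elif tag in CP_SIZES:
            off += CP_SIZES[tag]
            idx += tag in (5, 6)          # long/double take two pool slots
        else:
            return                        # unknown tag: stop parsing
        idx += 1

def hidden_urls(jar_bytes):
    """Return (class, shift, url) for constants that are URLs only after rotation."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            for const in utf8_constants(jar.read(name)):
                for shift in range(1, 95):  # shift 0 (plain text) is skipped
                    if m := URL_RE.search(rotate(const, shift)):
                        hits.append((name, shift, m.group(0)))
    return hits

def sample_jar():  # constructed test jar, not a real plugin
    enc = rotate("http://updates.example.invalid/pluginupdate.jar", -10).encode()
    cls = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 3) + b"\x01"
           + struct.pack(">H", len(enc)) + enc + b"\x07\x00\x01")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Updater.class", cls)
    return buf.getvalue()
```

To check a real file, pass the bytes of a jar from the server's plugins directory to `hidden_urls`; a hit means a string constant was stored in rotated form and decodes to a URL, which is a reason to decompile that class, not proof of malice.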
  14. Offline


    :confused: man, I saw InfiniteDispenser and thought "Ooh, that'd be a neat plugin for giving stuff out at spawn". Glad I forgot about it. :p thanks for bringing this to our attention!
  15. Wow, low blow.
  16. Offline


    I'm guessing we won't be seeing the authors of these plugins anymore
  19. Offline


    Nice catch. This was a good plugin for drop parties :p :/
  20. Offline


    Good catch Bukkit Dev Team!
    Glad you guys caught this before it got too out of hand!
  21. Offline


    And to think I could have sworn I used this last year.... So glad I couldn't figure out how to use it :) Saved me! Yay to my stupidity
    And I mean the infinity dropper thing
  22. Offline


    Wow? Are you sure it was malicious? What if it was just an updater?
  23. Offline


    I think they'd know.....
  24. Offline


    Good catch guys! Thanks for notifying us!
  25. Offline


    OMG I have the exact plugin!! I'm stopping my server for 2 days while I make an examination!!
  26. Lolz ur signature... That'd be a torture server...

  27. Offline


    Great work :)
  28. Offline


    All files are decompiled. I won't make excuses - the code was simply missed. For this, I take full responsibility. I have put the team under a great deal of pressure to decrease approval times.
    However, no fast approval time is worth this happening.

    We have tightened up our process and re-educated our staff. There may be mistakes made, but we will always improve our process and strive to bring the best experience we can to our community.
  29. Offline


    You don't need to feel bad or sorry, you're a human being. People make mistakes, you learn and move on and be better at it.
  30. Great find. Thankfully my server, or the ones I dev for are not using any of these! Glad to see you guys hard at work!

    Thanks again!
