How can my server be infected?

If your server is infected with a Remote Access malware variant this malware reports back to a remote computer of the author, allows them to run any commands on your server, grief your server, OP themselves, delete your files, perform actions that break our terms of service, or worse. This is not a good thing to have on your server which is why we have built our anti-malware system to detect this.

All kinds of plugins can be infected, both from legitimate sources such as SpigotMC or Bukkit and - much more likely - illegitimate sources. We strongly advise you to be careful when downloading and installing any plugin to your server.
How do I recover my sever?

Unfortunately, due to the nature of these infections, removing it can sometimes be a bit tedious. The way this infection works is that, you install one infected plugin and suddenly it will go around and infect every single other plugin on your server. Therefore, every single JAR file including the legitimate plugins has been infected and must be deleted.

Steps To Removing An Infection

- Stop the server and do not start it back up until you have finished removing the infection. Starting the server up mid-way through will reset your progress to removing the previously infected files.
- Delete every single plugin JAR from your server.
- Delete every copy of these plugins from your computer.
- Re-download your plugins from SpigotMC or the original source of the plugin.
- Create a backup of your servers files via the backup/restore page prior to re-placing them in your plugins folder.

How can I prevent my server from being infected?

Check if the author is reputable
Check the ratings on the plugin
If the plugin is fairly new (or authors account is new), be vary careful
Check the "discussion" tab of the resource, does anyone complain of malicious code being run?
If you're still unsure, Look into decompiling the plugin using tools such as jd-gui

For any further questions regarding this please create a ticket here
Was this article helpful?
Cancel
Thank you!