Malware
Malware refers to malicious code that performs an action that the user does not agree with, or would not agree with if they knew about it.
Where malware comes from
If you encounter malware while having cracked plugins installed on your server, the cause of the malware will almost certainly be one of these plugins. Malware most often comes from cracked plugins.
Although malware can occur in standard plugins downloaded from verified sites, the chances of encountering one are minimal.
Of course, malware can occur not only in plugins but also in mods (see here), but when it comes to malware in the context of a Minecraft server, the cause of malware is almost always a cracked plugin.
If you download plugins from verified sites, you don’t have to worry about malware, although there is a (minimal) risk, as with any other software on the internet.
How to detect malware
Unless the malware itself starts performing visibly noticeable actions, you probably won’t notice its presence.
If the malware is generating network traffic, you can detect the presence of malware by observing it. If you notice that the plugin files are larger than the original files, you probably have malware on your server spreading to other plugins (beware - plugin files can also be legitimately altered by Paper remapping. Remapped jars are located in the /plugins/.paper-remapped/ folder).
However, malware does not need to do any of these things. It always depends on how the particular malware works. If you don’t notice either of these things, you may still be infected with malware. However, if the malware does one of these activities, you can easily determine that you have been infected.
Another tool (probably the easiest one to use) that can help in detecting malware is MCAntiMalware, but of course it is not 100% reliable and can even detect legitimate plugins.
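As an added example (not code from this page), the size comparison above can be automated: assuming you kept the pristine downloads of your plugins in a separate folder, this Python script compares each installed jar with its original by SHA-256, skips the /plugins/.paper-remapped/ folder, and lists the zip entries a modified jar gained. The sample jars in demo() are constructed, not real plugins.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_plugin_jars(plugins_dir, originals_dir):
    """Compare each top-level *.jar in plugins_dir with the same-named pristine
    download in originals_dir. The .paper-remapped/ subfolder is not visited,
    since Paper rewrites those jars legitimately. A jar that differs is reported
    with its size delta and the zip entries it gained (a spreading infection
    typically adds classes rather than editing existing ones in place)."""
    report = {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        orig = Path(originals_dir) / jar.name
        if not orig.is_file():
            report[jar.name] = {"status": "no-original"}  # nothing to compare against
        elif sha256_of(jar) == sha256_of(orig):
            report[jar.name] = {"status": "unchanged"}
        else:
            with zipfile.ZipFile(jar) as new, zipfile.ZipFile(orig) as old:
                added = sorted(set(new.namelist()) - set(old.namelist()))
            report[jar.name] = {"status": "modified",
                                "size_delta": jar.stat().st_size - orig.stat().st_size,
                                "added_entries": added}
    return report

def demo():
    """Constructed sample: one untouched plugin, one that gained a class."""
    base = Path(tempfile.mkdtemp())
    originals, plugins = base / "originals", base / "plugins"
    originals.mkdir(); plugins.mkdir(); (plugins / ".paper-remapped").mkdir()
    stub_class = b"\xca\xfe\xba\xbe" + b"\x00" * 16  # placeholder class bytes
    for name in ("Clean.jar", "Example.jar"):
        with zipfile.ZipFile(originals / name, "w") as z:
            z.writestr("plugin.yml", f"name: {name[:-4]}\nmain: com.example.Main\n")
            z.writestr("com/example/Main.class", stub_class)
        shutil.copyfile(originals / name, plugins / name)  # "install" the plugin
    with zipfile.ZipFile(plugins / "Example.jar", "a") as z:  # simulate a spread
        z.writestr("com/example/Injected.class", stub_class * 4)
    return compare_plugin_jars(plugins, originals)
```

A jar reported as "modified" with unexpected added entries is a strong reason to stop the server and follow the removal steps below; a "no-original" result only means you have nothing to compare against yet.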
Malware behavior
Malware behavior can vary. It is malware like any other, so it always depends on the specific malware. It can attack just the server itself, but also the whole system. For this reason, it is a good idea to run servers in an isolated environment (containerized with Docker).
It can serve, for example, to create a backdoor to the server itself, but also to the whole machine, or be used to perform botnet attacks.
The most typical malware behaviour to date has been that when an infected plugin was enabled, the malicious code spread to all other plugins and opened a backdoor that let the attacker control the server as they wanted, so they could run any commands they liked. This once resulted in all servers infected with a specific malware being attacked to the point that all players were banned and permissions were destroyed (the number of infected servers was surprising; it was not just a few).
There was also widespread malware that was targeting the entire computer, which could be a problem especially if you hosted the server on a personal computer.
How to get rid of malware
If the malware is spreading to other files, the following steps should be taken: if the malware-infected server is running in an isolated environment, it is usually sufficient to delete all executable files (basically all .jar files). This includes plugins (the plugins themselves, which are .jar files, not their folders with configuration and data), libraries (/libraries/) and the server jar.
Warning! Always delete all files at once and do not start the server before deleting all of them, otherwise the malware may spread to other files again on startup!
There are more sophisticated ways that malware can work, but in the vast majority of cases this method should be sufficient to get rid of the spreading malware.
If the environment in which the Minecraft server is running is not isolated and the malware gets into the entire system, this is a slightly bigger problem. Act as if you have any other malware on your computer (ideally reinstall the entire system).
Malware detection by antivirus
Due to the nature of malware in Minecraft plugins (and mods), antivirus tools are almost never able to detect it (before the plugin runs). Therefore, tools like VirusTotal are absolutely not to be relied upon in this regard. Virtually all malware that has appeared has not been detected by VirusTotal.
Therefore, the only reliable way to determine if a plugin contains malware is to decompile it and read the source code (if possible). Logically, the reader of this code must understand it well enough to be able to judge if the code contains potentially malicious parts.