Announcement Hostflow Malware | Security Advisor

IMPORTANT SECURITY ADVISORY
Our security team has identified malware called "Hostflow" that has started to circulate among Minecraft plugins obtained from untrusted/unofficial sources (such as cracked plugins or downloads from unofficial websites). This malware is capable of modifying other plugins on the server.
The current working theory is that if the server starts with an infected plugin, all plugins will be modified and infected. If this happens you will need to delete all plugin jars and re-download them.

What does this malware do?
This malware sends server information to client.hostflow.eu:5050/ws and can execute console commands remotely, so this is a complete backdoor/"force op" if you are infected.

What steps have we taken to protect our users from this malware?
We have firewalled their command and control server; this means that if your server is infected, it should not be able to communicate with the control server.

We have also added a variant that can detect and remove this malware:

[screenshot: 2021-06-17_14-46.png]

After installing this variant, start the server and look at your console for the results. If you are not infected, just re-install the version you normally use.
[screenshot: 2021-06-17_14-49.png]

There is also a "Remove" version that will clear out any infected plugins (this is not recommended though; we recommend you delete your plugins folder and re-download it from the official source).
 

AquificYT

Aquific - Happy to help!
This is greatly appreciated, although I probably won't use it because I actually have a separate server host which I use for testing, so I do not need this, but I appreciate you trying to protect people's servers.
 

A_S

New member
If you have this malware, you may have recently received a join link for a Discord server, spammed across your server and server console.
The Hostflow CnC (Command & Control) server was hacked by a few greyhat hackers. They put your server into quarantine until you remove the malware-infected plugins. If you bypass quarantine, your server will be automatically wiped to prevent the spread of the malware from your infected server. (Ask IceRush about his Doritos Network after they bypassed the quarantine.)

Some info:
The malware code is self replicating. This means the malware spreads and injects into other plugins, making it hard to remove.

How do you remove it:
There are a few tools that help remove the malware, but the best method is this one.

Step 1: Delete all the plugins on your server (if you have custom plugins or plugins you can't find anymore, well, tough shit, delete them all!). You can keep configs; config and data files are not affected, only the .jar files themselves.

Step 2: Redownload them from their websites, like Spigot or BlackSpigot [DO NOT USE CRACKED PLUGINS]. If you have a paid plugin from a developer, you should try to contact them and ask nicely if they have a copy.

Step 3: Using a Java decompiler like JD-GUI or Fernflower, inspect all of your plugins for the malware.
Look for: L10.class or L10.java at the end of a class name. All versions of the Hostflow malware have the javassist library/package, but not all plugins that use javassist normally have the malware. So you must look for the {pluginname}L10.class.

Step 4: If you found the malware in any of the plugins, DO NOT INSTALL THAT PLUGIN; contact the website or private dev who made it and inform them that it has the Hostflow malware. BlackSpigot and Spigot are working hard to help combat the influx of malware-infested plugins and hacked clients.


Step 5: Please check the file sizes of each plugin. Once you've written them down, install the clean plugins back into your server and restart.

Step 6: Some versions of the Hostflow malware clone their code into the server jar.
This means you will NEED to redownload and replace the server jar. So go to getspigot or Paper or whatever server you are using, download the same version, and reinstall it on your server, removing the old copy of the server jar.

Step 7: Check each plugin .jar file size again, and if any of them have increased in size, then you are still infected; repeat the steps over again or use a Hostflow remover.
If all the .jar file sizes stay the same, then congratulations, your server is malware free!
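As an added example (not part of the original thread, and not one of the remover tools the posts mention), here is a Python script that automates the manual checks from Step 3, Step 5 and Step 7 above: for each jar in a plugins folder it lists class entries ending in L10.class and whether the javassist package is bundled, searches class bytes for the client.hostflow.eu endpoint string the announcement names, and records every jar's size and SHA-256 so that jars which changed after a restart can be listed. The two sample jars it builds in a temporary directory are constructed for the demonstration; the class-name and string indicators are only those given in the thread, so a clean result from this script is not proof that a jar is clean.

```python
"""Scan Minecraft plugin jars for the Hostflow indicators named in the thread
and keep a size/hash baseline to spot jars that change after a restart."""
import hashlib
import os
import tempfile
import zipfile

# Indicators taken from the thread: an injected <Plugin>L10.class, the bundled
# javassist package, and the command-and-control endpoint string.
INJECTED_CLASS_SUFFIX = "L10.class"
JAVASSIST_PREFIX = "javassist/"
C2_MARKERS = (b"hostflow.eu", b"client.hostflow.eu:5050")


def scan_jar(path):
    """Return the indicators found in one jar (empty list / False means none)."""
    result = {"l10_classes": [], "has_javassist": False, "c2_strings": []}
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith(INJECTED_CLASS_SUFFIX):
                result["l10_classes"].append(name)
            if name.startswith(JAVASSIST_PREFIX):
                result["has_javassist"] = True
            if name.endswith(".class"):
                data = jar.read(name)
                for marker in C2_MARKERS:
                    text = marker.decode()
                    if marker in data and text not in result["c2_strings"]:
                        result["c2_strings"].append(text)
    return result


def is_suspicious(report):
    """javassist alone is not proof (the thread says clean plugins use it too),
    so only the injected class or the C2 string flags a jar."""
    return bool(report["l10_classes"] or report["c2_strings"])


def scan_directory(plugins_dir):
    """Map each jar file name in the folder to its scan report."""
    return {fn: scan_jar(os.path.join(plugins_dir, fn))
            for fn in sorted(os.listdir(plugins_dir)) if fn.endswith(".jar")}


def baseline(plugins_dir):
    """Record (size, sha256) of every jar, to compare before/after a restart."""
    out = {}
    for fn in sorted(os.listdir(plugins_dir)):
        if fn.endswith(".jar"):
            p = os.path.join(plugins_dir, fn)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            out[fn] = (os.path.getsize(p), digest)
    return out


def changed_jars(before, after):
    """Jars whose size or hash differs from the baseline, or that are new."""
    return sorted(fn for fn, v in after.items() if before.get(fn) != v)


def _make_jar(path, entries):
    with zipfile.ZipFile(path, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)


def build_sample_plugins_dir():
    """Constructed sample data: one clean jar and one carrying the indicators."""
    d = tempfile.mkdtemp(prefix="plugins_")
    _make_jar(os.path.join(d, "CleanPlugin.jar"),
              {"plugin.yml": "name: CleanPlugin\n",
               "com/example/clean/CleanPlugin.class": b"\xca\xfe\xba\xbe clean"})
    _make_jar(os.path.join(d, "Infected.jar"),
              {"plugin.yml": "name: Infected\n",
               "com/example/bad/Infected.class": b"\xca\xfe\xba\xbe main",
               "com/example/bad/InfectedL10.class":
                   b"\xca\xfe\xba\xbe client.hostflow.eu:5050/ws",
               "javassist/ClassPool.class": b"\xca\xfe\xba\xbe"})
    return d


def tamper_jar(path):
    """Simulate a jar growing on disk, which Step 7 treats as re-infection."""
    with open(path, "ab") as f:
        f.write(b"\x00")


if __name__ == "__main__":
    d = build_sample_plugins_dir()
    before = baseline(d)
    for fn, report in scan_directory(d).items():
        print(fn, "SUSPICIOUS" if is_suspicious(report) else "no indicators", report)
    tamper_jar(os.path.join(d, "CleanPlugin.jar"))
    print("changed since baseline:", changed_jars(before, baseline(d)))
```

To use it on a real server, point `scan_directory` and `baseline` at the plugins folder, save the baseline before restarting, and run `changed_jars` against a fresh baseline afterwards; a hash comparison catches modifications that happen to leave the size unchanged, which a size-only check would miss.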
 