Weird server connections

Chayylan

New Recruit
offline

Posts

15

Likes

9

Bits Credits

0

LEVEL

2

555 XP

After using some plugins downloaded from here, I can confirm they're generally safe. However, I noticed some strange behavior. Someone, or possibly multiple people, is trying to connect to my server using different IPs and ports, likely through a VPS or proxy. The connections show names like "MicrosoftSupport" or "AntiPirate," which makes me think it's someone targeting leaked plugins.


Has anyone else experienced something like this?
 

FateKid

Devil Did It
offline

Posts

16,225

Likes

371,450

Resources

3,061

Bits Credits

1,034

LEVEL

11

6,835 XP

This would be the first time I'm hearing about this type of plugin activity from something on NullForums. Please let me know which plugin you're referring to.
Without knowing what content this discussion is about, I can't do much.
 

FateKid


Could you provide us with the logs in question? You can use a service such as https://mclo.gs/ to privately provide the logs without any IPs or other personal details.
 

Chayylan


Unfortunately, I ended up deleting the host entirely for safety and created a new server to get a different IP. I did manage to save a log from last night to investigate further. The connections came from multiple IPs. Some were unique, while others reused the same IP with different ports. A few were traced to locations in France and Poland.


Here’s the log if anyone wants to take a look:
https://mclo.gs/TF4cjYk
start line 48

[
{
"uuid": "f7e9b246-320d-3e87-9dbf-0feb21df3751",
"name": "MicrosoftSupport",
"created": "2025-04-05 00:21:07 +0000",
"source": "Console",
"expires": "forever",
"reason": "The Ban Hammer has spoken!"
}
]
 

Chayylan


It wasn't a DDoS or bot attack. They were just constantly "trying" to connect by different IPs and ports. So I believe there must be some hidden reason or intention behind it, maybe even something malicious. Based on the strange names, the only conclusion I can think of is that it's some sort of "pirate hunting" activity.
Post automatically merged:

Speaking of plugins, most of them were from Spigot and are high-trust. I've been using them for a long time and they’re regularly updated. Others came from here, but were posted by you, FateKid, and I doubt a staff member would do something like this. So in the end, only those two plugins were from random users.
 

FateKid


Unfortunately, the McLogs seemed to remove most of what could help me figure it out. Please send me it via a DM and I'll be able to review it further.
You're right to think that I wouldn't include malware in my own releases. This is interesting behavior indeed.
 