INJECTED FakeMessageFix 2021-04-30

Prevents abuse of bungeecord-support in unfirewalled spigot servers by validating received forwarded data.

How can it be abused?

Malicious users can use some simple tricks to make real-looking messages appear in your console, for example telling you to download a plugin to fix some fake error. The linked plugin is sometimes actually a backdoor malware plugin.

How does this plugin prevent this?
If forwarded data is invalid, all forwarded data will be stripped and the user will be kicked by spigot with the message "If you wish to use IP forwarding, please enable it in your BungeeCord config as well!". If you enable the config option hideKickInConsoleButKickMessageIsMotdOrException it will further reduce spam to your console, but, as the name says, the kick message will be the server's motd or some exception on the malicious client's side.
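
A sketch of this kind of check, added here as an example and not FakeMessageFix's own code: with bungeecord: true, spigot reads the forwarded data from the handshake host field as NUL-separated parts (host, IP, undashed UUID and optionally a JSON property array). The class name, the sample values and the exact strictness rules are assumptions.

```java
import java.util.regex.Pattern;

// Added example: hypothetical validator, not the plugin's implementation.
public final class ForwardedDataCheck {
    // Undashed UUID, the form BungeeCord forwards.
    private static final Pattern UUID_HEX = Pattern.compile("[0-9a-fA-F]{32}");
    // Assumption: only plain IPv4/IPv6 literals are accepted (no host names, no zone ids).
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9a-fA-F:.]{2,45}");

    /** Returns true only if the handshake host field is well-formed forwarded data. */
    public static boolean isValid(String hostField) {
        // Limit -1 keeps trailing empty parts so they are counted, not silently dropped.
        String[] parts = hostField.split("\0", -1);
        if (parts.length != 3 && parts.length != 4) {
            return false; // spigot itself only accepts 3 or 4 parts
        }
        for (String part : parts) {
            // Control characters (CR, LF, ESC, ...) must never reach the console log.
            if (part.chars().anyMatch(Character::isISOControl)) {
                return false;
            }
        }
        if (!IP_LITERAL.matcher(parts[1]).matches()) {
            return false;
        }
        if (!UUID_HEX.matcher(parts[2]).matches()) {
            return false;
        }
        // Assumption: a shape check only; a real check would parse the JSON array.
        return parts.length == 3
                || (parts[3].startsWith("[") && parts[3].endsWith("]"));
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String wellFormed = String.join("\0", "mc.example.net", "203.0.113.7",
                "069a79f444e94726a5befca90e38aaf5");
        String lineBreakInUuid = String.join("\0", "mc.example.net", "203.0.113.7",
                "069a79f444e94726\na5befca90e38aaf5");
        String noForwardedData = "mc.example.net";

        System.out.println("well-formed:        " + isValid(wellFormed));
        System.out.println("line break in uuid: " + isValid(lineBreakInUuid));
        System.out.println("no forwarded data:  " + isValid(noForwardedData));
    }
}
```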

This plugin is relevant to you if all these points apply to you:
  • You run a bungeecord network with ip-forwarding enabled (bungeecord: true in spigot.yml)
  • You are using a plugin (like IPWhitelist or OnlyProxyJoin) and not the system firewall to prevent direct access to the spigot servers.
  • You are running a spigot (or fork of spigot) older than the 1.16.5 build last updated on 28th April 2021.

This plugin is not relevant to you if at least one point applies to you:
  • You have bungeecord: false in your spigot.yml
  • You have set up the system firewall to prevent access to spigots from ips other than your bungeecord's ip.
  • You last updated your spigot 1.16.5 server on 28th April 2021 or more recently.

Required plugin: ProtocolLib

Otherwise it is a simple drag&drop installation into the plugins directory of your spigot servers.

The option hideKickInConsoleButKickMessageIsMotdOrException can be unreliable: some messages might not get filtered and your console may still be spammed. If you see log spam again after enabling this option, please message me with your server and ProtocolLib versions.
Code (YAML):
hideKickInConsoleButKickMessageIsMotdOrException: false
enabled: false
detailed: false
unique: false
extraFile: false
The extra log file will be at plugins/FakeMessageFix/log.txt
Unique logging is based on the invalid data sent and not on the source ip.

Command to reload the config: /fakemessagefixreload
Permission for that command: fakemessagefix.reload

Plugin license: GPL v3
