Occasionally, Minecraft servers can become infected with malware. This is almost always the result of a malicious plugin or mod that was downloaded from an untrusted source. The good news is that server malware is usually easy to recover from, and we are here to help you through it.
This guide explains how to spot an infection, what to do if you think your server has been compromised, and how to prevent it from happening again.
If you think your server is infected, please contact us immediately. We can investigate, help clean things up, and verify your server is safe before you let players back in. The steps in this guide are things you can do yourself, but we always recommend letting us take a look as well.
What Is Server Malware?
Malware on a Minecraft server is malicious code hidden inside a plugin, mod, or script that does things you did not ask for. Common types include:
- Backdoors - Hidden commands that secretly grant operator (OP) status to the attacker
- Crypto miners - Plugins that secretly use your server's CPU to mine cryptocurrency, causing lag
- Token stealers - Code that tries to steal Minecraft accounts, Discord tokens, or other credentials
- Self-spreading infectors - Malware that modifies every .jar file on your server to keep itself running
- Sabotage payloads - Code that wipes worlds, bans players, or destroys data
How Does Malware Get on a Server?
By far the most common cause is downloading cracked, leaked, or "nulled" premium plugins from untrusted sites. Attackers repackage popular paid plugins with malicious code added, then distribute them for free on sketchy forums and download sites. People download them to save money, and the malware comes along for the ride.
Other common sources include:
- Plugins shared by people you do not fully trust
- Fake "free versions" of paid plugins on YouTube tutorials or random websites
- Custom plugins from developers you cannot verify
- Compromised plugin author accounts pushing infected updates (rare but has happened)
Signs Your Server May Be Infected
Watch for any of these:
- Players suddenly gaining OP status who should not have it
- Staff losing their OP status
- Unknown plugins appearing in your plugins folder that you did not install
- Unexpected commands being run in your console that nobody typed
- Changes to ops.json, whitelist.json, or server.properties that you did not make
- Unusually high CPU usage or lag when there are few players online
- Suspicious Skript files in plugins/Skript/scripts/ that you did not add
- Strange errors in the console referencing unknown network addresses
If you see any of these, assume your server may be compromised and take action.
What to Do If Your Server Is Infected
Step 1: Stop Your Server Immediately
Stop your server from the Game Panel right away. A running infected server can continue to cause damage and may be able to reinfect files you try to clean.
Step 2: Contact Us
Before doing anything else, reach out to us through a support ticket. We can investigate the infection, identify what got in, help clean it up, and verify that your server is safe before you restart it. You do not have to deal with this alone.
- Support Ticket
- Discord Server - use the /support command
- Email: [email protected]
Step 3: Do Not Download Server Files to Your Computer
This is important. Do not download suspect plugin jars, infected server files, or unknown executables to your own computer. Plugin .jar files are executable Java code. If you download an infected jar and accidentally run it (or let certain tools open it), the malware can spread to your personal computer and steal your own passwords, Discord tokens, and browser data.
If you need to send us a suspect file for investigation, ask us first and we will arrange a safe way to do it.
Step 4: Restore from a Snapshot or Backup
The easiest and safest way to recover is to restore your server from a snapshot or backup taken before the infection happened.
- If you know when the infection started, restore to a snapshot or backup from just before that
- If you are not sure, restore to the oldest clean one you have
For help with this, see:
Snapshots are particularly useful here because they restore not just your files but also your startup configuration.
Step 5: If You Cannot Restore, Manual Cleanup
If you do not have a clean backup or snapshot to restore from, you will need to clean up manually. Again, we strongly recommend letting us help with this, but here is what you can do:
- Delete every .jar in your plugins folder. It is safer to wipe and reinstall everything than to try and figure out which ones are infected.
- Re-download each plugin from its official source - SpigotMC, Modrinth, Hangar, or the plugin author's own website. Consider using the Game Panel's built-in Plugin Installer for trusted sources.
- Check for unknown .jar files at the root of your server and delete anything suspicious. Only the server software's main jar (Paper, Purpur, etc.) should be there.
- Wipe plugins/Skript/scripts/ if you use Skript, and only re-add scripts you wrote or trust.
- Open ops.json and whitelist.json and remove any player entries you do not recognise.
- Check server.properties for any settings that look different - particularly the whitelist, RCON password, and query settings.
- Review any plugin configuration files for suspicious webhook URLs, command lists, or other unusual entries.
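The checks on root jars, ops.json, whitelist.json and server.properties can be scripted. The following is an added example, not part of the original guide or any panel tooling: the function names, the player names and the sample files are constructed, and it assumes the standard layout where ops.json and whitelist.json are JSON arrays of entries with a "name" field. It reads only file names and plain-text configuration, so no jar is ever opened.

```python
import json
import tempfile
from pathlib import Path

# Settings the cleanup steps single out: whitelist, RCON and query.
WATCHED_KEYS = ("white-list", "enable-rcon", "rcon.password", "enable-query")

def audit_server(root, main_jar, trusted_players):
    """Read-only review of a stopped server; never opens or runs a jar."""
    root = Path(root)
    trusted = {name.lower() for name in trusted_players}
    report = {"unknown_players": {}, "settings": {}}
    # Only the server software's main jar should sit at the server root.
    report["extra_root_jars"] = sorted(
        p.name for p in root.glob("*.jar") if p.name != main_jar)
    # ops.json and whitelist.json are JSON arrays of objects with a "name".
    for fname in ("ops.json", "whitelist.json"):
        path = root / fname
        entries = json.loads(path.read_text()) if path.exists() else []
        report["unknown_players"][fname] = [
            e.get("name", "?") for e in entries
            if e.get("name", "").lower() not in trusted]
    # server.properties is key=value text; collect the watched keys for review.
    props = root / "server.properties"
    if props.exists():
        for line in props.read_text().splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() in WATCHED_KEYS:
                report["settings"][key.strip()] = value.strip()
    return report

def demo():
    """Audit a constructed sample directory (all names and values made up)."""
    alice = {"uuid": "00000000-0000-0000-0000-000000000001", "name": "OwnerAlice"}
    other = {"uuid": "00000000-0000-0000-0000-000000000002", "name": "xX_stranger_Xx"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for jar in ("paper.jar", "updater-helper.jar"):  # empty placeholders
            (root / jar).write_bytes(b"")
        ops = [dict(alice, level=4), dict(other, level=4)]
        (root / "ops.json").write_text(json.dumps(ops))
        (root / "whitelist.json").write_text(json.dumps([alice]))
        (root / "server.properties").write_text(
            "#Minecraft server properties\nwhite-list=false\nenable-rcon=true\n"
            "rcon.password=changeme\nmax-players=20\n")
        return audit_server(root, "paper.jar", ["OwnerAlice"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything listed under extra_root_jars or unknown_players is a candidate for removal, and the settings block shows the values to compare against what you originally configured.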
Step 6: Change Your Passwords
Once the server is cleaned up, change your passwords as a precaution:
- Your Billing Account password (this automatically updates your Game Panel and SFTP passwords)
- Any in-game admin passwords for plugins like AuthMe
- The RCON password in server.properties
- Any Discord bot tokens if you use DiscordSRV or similar
Step 7: Warn Your Players
If there is any chance a token stealer was involved, warn your players so they can change their Minecraft and Discord passwords and sign out of other sessions.
Preventing Malware
The good news is that preventing malware is mostly about being careful with what you install.
Download From Official Sources Only
Stick to these sources for plugins:
- SpigotMC
- Modrinth
- Hangar
- BuiltByBit (for paid plugins)
- The plugin author's official website or GitHub
The Game Panel's Plugin Installer pulls from verified sources, so using it is one of the safest ways to install plugins.
Never Use Cracked or Leaked Plugins
Any site advertising "free version of [paid plugin]", "nulled", "leaked", or "cracked" plugins should be treated as hostile. This is the number one source of server infections. If you cannot afford a paid plugin, find a free alternative.
Be Careful with Shared Plugins
Do not install plugins that random people send you in Discord, email, or forums. If you hire a developer to make a custom plugin, ask for the source code so you (or we) can review it before running it.
Audit Skript Files Before Adding Them
Skript files are plain text and easy to read. Before adding one, open it and look for hidden commands - especially anything that runs op, deop, or execute console command against usernames you do not recognise.
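As an added example (not from the original guide), this scanner reads Skript files as plain text and lists the lines that use op, deop, or a console command, noting whether a username you recognise appears on the line. The function names, the known-name list and the sample script are constructed for illustration, and the two patterns cover only the cases named above, so a clean result does not replace reading the script.

```python
import re
from pathlib import Path

# What the audit advice above says to look for in a script.
RULES = [
    ("op/deop effect", re.compile(r"^\s*(?:de)?op\b", re.I)),
    ("console command", re.compile(r"\bconsole\b.*\bcommand\b", re.I)),
]

def scan_skript(text, known_names=()):
    """Return (line_no, rule, recognised_target, line) for each risky line."""
    known = [n.lower() for n in known_names]
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or Skript comment
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                recognised = any(n in line.lower() for n in known)
                findings.append((no, rule, recognised, line))
                break                              # one finding per line
    return findings

def scan_scripts_dir(scripts_dir, known_names=()):
    """Scan every .sk file under plugins/Skript/scripts/ as plain text."""
    return {str(p): scan_skript(p.read_text(errors="replace"), known_names)
            for p in sorted(Path(scripts_dir).rglob("*.sk"))}

# Constructed sample script, not taken from a real infection.
SAMPLE = '''\
# welcome.sk
on join:
    send "Welcome back, %player%!" to player
command /helpme:
    trigger:
        execute console command "op xX_stranger_Xx"
command /promote <player>:
    permission: admin.promote
    trigger:
        op arg-1
'''

if __name__ == "__main__":
    for no, rule, recognised, line in scan_skript(SAMPLE, ["OwnerAlice"]):
        print(f"line {no}: {rule} (recognised target: {recognised}): {line}")
```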
Take Regular Snapshots
The most important prevention step is making sure you always have a recent clean restore point. Take snapshots before installing new plugins or making major changes so you always have somewhere safe to fall back to. See Using the Snapshot System for details.
Limit Who Has OP
The more people you give OP to, the bigger the target on your server. Use LuckPerms ranks instead of handing out OP wherever possible. A backdoor that tries to OP someone is much less useful if nobody on your server actually uses OP. See Setting Up Permissions with LuckPerms for help.
We Are Here to Help
Dealing with a compromised server can feel stressful, but you do not have to handle it alone. If you think your server is infected, or you just want a second opinion on a plugin you are unsure about, please reach out to us. We can investigate, clean things up, and verify everything is safe before you let your players back in.
- Support Ticket
- Discord Server - use the /support command
- Email: [email protected]