We have been in the process of recovering from a hack. This has been involved in migrating to Sponge and updating all plugins from 1.7.10 to their equivalents. In which, we have been monitoring logs looking for malicious actions.
Today, a user logged in, immediately triggered a bunch of file write options from the looks of this, and disconnected.
It seems that this was not triggered by a plugin or by a malformed client due to the mods they are connecting with. Would I be safe to assume that either Sponge or the restricted environment I have placed the server in would cause this output due to the user sending malicious packets to the server? We has a similar issue where someone took advantage of a mod by sending false packets that were interpreted by another mod.