[HELP!!] JBoss 5.1 hacked/infected by 'daytona' (warning: I attach the files)
jadtn Nov 7, 2011 12:46 PM
Hi
<!-------------------------------------------------------------------------------->
WARNING: the attached files are suspect files from my host.
DO NOT TRY TO EXECUTE OR OPEN THEM IF YOU DON'T KNOW
<!-------------------------------------------------------------------------------->
I'm using JBoss 5.1 and I'm not sure, but I suspect my JBoss 5.1 was used to 'infect' my server:
Runtime detection:
1. Detected many (more than 100) Perl scripts with top (high CPU 50)
2. ps -aef (note: I have no /usr/share/apache/ dir):
6951 1 0 08:29 pts/1 00:00:00 /usr/local/bin/java
6985 1 0 08:29 pts/1 00:00:00 /usr/share/apache/bin/httpd
13224 6951 0 08:29 pts/1 00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
13225 13224 0 08:29 pts/1 00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
13236 1 0 08:29 pts/1 00:00:00 /usr/local/bin/java
13270 1 0 08:29 pts/1 00:00:00 /usr/share/apache/bin/httpd
19498 13236 0 08:30 pts/1 00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
19499 19498 0 08:30 pts/1 00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
20588 1 0 Nov05 ? 00:00:12 /usr/local/apache/bin/httpd -DSSL
20683 1 0 Nov02 ? 00:00:34 /usr/sbin/sshd
21450 32438 0 12:08 pts/1 00:00:00 grep --color=auto jboss
27269 1 0 Nov06 ? 00:00:04 /usr/local/apache/bin/httpd -DSSL
3. Thousands and thousands of files in /tmp like /tmp/sess_0088025413980486928597bf168
I attach the suspected files; maybe it could help if the hacker used JBoss to enter the server.
In the attachment:
a) /dev/shm => a directory schm (see file shm.tgz in the attachment) with many files named flood or containing
"JBoss AS Remote Exploit\nby Kingcope\n\nusage: perl jboss.pl "
b) in /tmp/.a (see 'tmp .a directory .tar')
Is this a known hack?
I'll take any help...
Thanks
<!-------------------------------------------------------------------------------->
WARNING: the attached files are suspect files from my host.
DO NOT TRY TO EXECUTE OR OPEN THEM IF YOU DON'T KNOW
<!-------------------------------------------------------------------------------->
Attachments:
- tmp .a directory .tar.zip (207.9 KB)
- shm.tgz (879.2 KB)
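The process listing above is the strongest evidence in the post: a JBoss JVM (pid 6951, 13236) is the parent of `sh -c ./pns ...` scanner processes, each of which writes into a `/tmp/sess_*` file. The following script is an added triage example, not code from the poster or from JBoss. It parses a `ps -ef` listing offline, flags shell or interpreter processes whose ancestor chain contains a `java` process, and lists the `/tmp/sess_*` paths those commands redirect into. The embedded SAMPLE_PS text is adapted from the post; the UID column (`jboss`/`root`) and the benign `sshd`/`-bash` lines are constructed, so that the sample has the real `ps -ef` column layout and shows that an administrator's login shell is not flagged.

```python
"""Offline triage of a `ps -ef` listing for an app server that spawns shells.

Added example for this thread (not code from the original post or from JBoss).
It flags two indicators visible in the poster's listing:
  1. shell/interpreter processes whose ancestor chain contains a Java process
     (a JBoss JVM has no business running `sh -c ./pns ...`), and
  2. commands redirecting output into /tmp/sess_* files.
The SAMPLE_PS text is adapted from the post; the UID column (jboss/root) and
the sshd/-bash lines are constructed so the sample looks like real `ps -ef`
output and demonstrates that a user's login shell is not flagged.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "uid pid ppid cmd")

# `ps -ef` columns: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces).
PS_LINE = re.compile(
    r"^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$"
)

# Interpreters an application-server JVM should never be the ancestor of.
SHELLS = {"sh", "bash", "dash", "perl", "python"}

# Output redirection into the session-file pattern seen in the post.
SESS_RE = re.compile(r">\s*(/tmp/sess_\S+)")

# Constructed sample, adapted from the poster's listing (UID column added).
SAMPLE_PS = r"""
UID        PID  PPID  C STIME TTY          TIME CMD
jboss     6951     1  0 08:29 pts/1    00:00:00 /usr/local/bin/java
root      6985     1  0 08:29 pts/1    00:00:00 /usr/share/apache/bin/httpd
jboss    13224  6951  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
jboss    13225 13224  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
jboss    13236     1  0 08:29 pts/1    00:00:00 /usr/local/bin/java
root     13270     1  0 08:29 pts/1    00:00:00 /usr/share/apache/bin/httpd
jboss    19498 13236  0 08:30 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
jboss    19499 19498  0 08:30 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
root     20588     1  0 Nov05 ?        00:00:12 /usr/local/apache/bin/httpd -DSSL
root     20683     1  0 Nov02 ?        00:00:34 /usr/sbin/sshd
root     32438 20683  0 12:00 pts/1    00:00:00 -bash
root     21450 32438  0 12:08 pts/1    00:00:00 grep --color=auto jboss
"""


def parse_ps(text):
    """Return {pid: Proc} for every data line of a `ps -ef` listing."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("UID"):
            continue  # blank line or the header row
        m = PS_LINE.match(line)
        if m:
            pid = int(m["pid"])
            procs[pid] = Proc(m["uid"], pid, int(m["ppid"]), m["cmd"])
    return procs


def ancestors(procs, pid):
    """Yield the ancestors of pid, nearest first, stopping at an unknown pid or a loop."""
    seen = {pid}
    ppid = procs[pid].ppid
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield procs[ppid]
        ppid = procs[ppid].ppid


def program(cmd):
    """Basename of argv[0], with the leading '-' of a login shell removed."""
    argv0 = cmd.split(None, 1)[0] if cmd.strip() else ""
    return argv0.rsplit("/", 1)[-1].lstrip("-")


def shells_spawned_by_java(procs):
    """Shell/interpreter processes that have a `java` process somewhere above them."""
    return sorted(
        (p for p in procs.values()
         if program(p.cmd) in SHELLS
         and any(program(a.cmd) == "java" for a in ancestors(procs, p.pid))),
        key=lambda p: p.pid,
    )


def sess_files(procs):
    """Distinct /tmp/sess_* paths that running commands redirect output into."""
    return sorted({m.group(1) for p in procs.values()
                   for m in [SESS_RE.search(p.cmd)] if m})


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in shells_spawned_by_java(procs):
        chain = " <- ".join(str(a.pid) for a in ancestors(procs, p.pid))
        print(f"SUSPECT pid {p.pid} (uid {p.uid}) parents {chain}: {p.cmd}")
    for f in sess_files(procs):
        print(f"output file written by a suspect command: {f}")
```

Against the sample this reports the four `sh -c ./pns` processes (13224, 13225, 19498, 19499) with their chains back to the two JVMs, and the two `/tmp/sess_*` files, while the `-bash` under `sshd` and the `grep` are ignored. On a live host, feed it the output of `ps -ef` captured with the suspect processes still running; a JVM that is the ancestor of a shell is the lead to chase, and the owning UID tells you which account the attacker's code runs as. The script only triages the process tree; it does not establish which JBoss component was used to get in.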