Hello All,

I am hoping someone can shed some light on the following issue.  I am using a third party software package from KnoahSoft company.

As part of their deployment, they use JBOSS and their current approved build is JBOSS-4.2.3-GA

http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/

The problem is that the production CPU is constantly pegging at 100% and it's due to this MINERD.exe being installed intermittently from a war file that mysteriously shows up under the jboss-4.2.3.GA\server\default\tmp\deploy folder as can be see from the attached picture.

Even if I delete the .exe and restart JBOSS the file eventually shows up again and starts using all the CPU resources.

If I edit the index.jsp file I notice a reference to JSP RAT and that appears to confirm others findings that it's probably malicious.

JSP RAT

http://bri-blog.blogspot.com/2012/12/jsp-rat-by-jeroy.html

http://nickhumphreyit.blogspot.com/2013/07/jsp-rat-by-jeroy-hacked-jboss-422-server.html

http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29

http://nickhumphreyit.blogspot.no/2013/07/jboss-422-files-that-need-execute.html

http://breenmachine.blogspot.no/2013/09/jboss-jmxinvokerservlet-exploit.html

http://nickhumphreyit.blogspot.com/2013/07/jsp-rat-by-jeroy-hacked-jboss-422-server.html