2 Replies Latest reply on Jan 4, 2015 11:02 PM by tcunning

    MINERD.EXE keeps showing up in JBOSS-4.2.3.GA on production server

    kingpoop

      Hello All,

      I am hoping someone can shed some light on the following issue.  I am using a third party software package from KnoahSoft company.

       

      As part of their deployment, they use JBOSS and their current approved build is JBOSS-4.2.3-GA

      http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/

       

      The problem is that the production CPU is constantly pegging at 100% and it's due to this MINERD.exe being installed intermittently from a war file that mysteriously shows up under the jboss-4.2.3.GA\server\default\tmp\deploy folder as can be see from the attached picture.

       

      Even if I delete the .exe and restart JBOSS the file eventually shows up again and starts using all the CPU resources.

       

      If I edit the index.jsp file I notice a reference to JSP RAT and that appears to confirm others findings that it's probably malicious.

       

      JSP RAT

      http://bri-blog.blogspot.com/2012/12/jsp-rat-by-jeroy.html

      http://nickhumphreyit.blogspot.com/2013/07/jsp-rat-by-jeroy-hacked-jboss-422-server.html

      http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29

      http://nickhumphreyit.blogspot.no/2013/07/jboss-422-files-that-need-execute.html

      http://breenmachine.blogspot.no/2013/09/jboss-jmxinvokerservlet-exploit.html

      http://nickhumphreyit.blogspot.com/2013/07/jsp-rat-by-jeroy-hacked-jboss-422-server.html

       

      MINERD.jpg