-
1. Re: Extra Files in JBOSS FOLDER (Maybe Malware)
Google for each file name and you will get a list of trojans
I would double check security guide to see if you have webservices exposed: JBoss AS 6.0 Security Guide Check if there are JBoss security patches/issues.
More likely vector of attack are applications running on this JBoss. Search for security bulletins for application frameworks/libraries that you use.
Check access and error logs to see what hit you.
-
2. Re: Extra Files in JBOSS FOLDER (Maybe Malware)
Thank you so very much for your quick reply.
Please see that our IT team has scanned the server and found some vulnerabilities as follows.
Web Server
Alert: group Cross site scripting
Severity: High
Description:
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can
execute malicious scripts into a legitimate website or web application. XSS occurs when a web
application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Web Server
Alert group JBoss HttpAdaptor JMXInvokerServlet
Severity High
Description
JBoss allows for using adaptors for accessing MBean services over any supported protocols. For
HTTP, the JBoss AS provides the HttpAdaptor. In a default installation, the HttpAdaptor is not
activated. However, the HttpAdaptor's JMX Invoker is running and publicly available at the URL
http://localhost:8080/invoker/JMXInvokerServlet.
This Invoker accepts HTTP POST requests which contain a serialized JMX invocation in the data
section (the objects belong to the JBoss AS Java class MarshalledInvocation). After
deserialization the object is forwarded to the target MBean. Using this functionality an attacker
can invoke the BSHDeployer MBean to create a local file and later call MainDeployer to deploy
the locally created file.
Recommendations Restrict access to the HttpAdaptor JMXInvokerServlet.
Web Server
Alert group JBoss JMX management console
Severity High
Description
In the default configuration, after JBoss is installed, the JMX console is available at
http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump
the list of threads, redeploy an application or even shutdown the application server. By default, the
console is not secured and can be used by remote attackers. Check References for detailed
information.
Recommendations Restrict access to JMX Management Console.
Web Server
Alert group JBoss Server MBean
Severity High
Description
In the default configuration, after JBoss is installed, the JMX console is available at
http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump
the list of threads, redeploy an application or even shutdown the application server. By default, the
console is not secured and can be used by remote attackers. Check References for detailed
information.
It's possible to access the Server MBean that will disclose sensitive information. This information
could be useful for an attacker.
Recommendations Restrict access to JMX Management Console.
Web Server
Alert group JBoss ServerInfo MBean
Severity High
Description
In the default configuration, after JBoss is installed, the JMX console is available at
http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump
the list of threads, redeploy an application or even shutdown the application server. By default, the
console is not secured and can be used by remote attackers. Check References for detailed
information.
It's possible to access the ServerInfo MBean that will disclose sensitive information. This
information could be useful for an attacker.
Recommendations Restrict access to JMX Management Console.
Thanks
Adeel Imtiaz