JBoss AS version? I looked at 6.0.0 and 5.1.0, there is no deploy/management folder in 6.0.0, so I assume you are running 5.1.0 or earlier. There is no e.war in that directory on the 5.1.0 I have.
If I had found a suspicious/unknown war file in my deploy directory the first thing I would have done is looked inside it to see what it is about. And if I did not recognize anything about it I would have undeployed it. Then I would have tried to find out how it got deployed in the first place and close that security hole.
What version of AS? I can tell you that for 5.1.0 there is no e.war. In the management directory you'll see console-mgr.sar which includes the web-console.war. No e.war.
Might be worth opening that WAR up and seeing if there is anything inside that looks suspicious, or simply checking out the web.xml and other configuration files.
Either way, to me that sounds like a hack, but someone else may have some more information about the e.war file.
It is 5.1.0 and it is a hack, no doubt about it. I checked its content right now and its purpose was to print the content of the files at the server.
I just undeployed it and of course right now I'm really curious to know how it got there.
Can you guys provide some links about administration and security at JBoss? As far as I can see there are a lot more things about JBoss I should be concerned with.
This should help: http://community.jboss.org/wiki/SecureJBoss
(I hope it is up to date)
Gee, I wonder if there is a book about configuring the JBoss AS 5.1.0 app server and if it would cover security???
Is it running on Linux? Is it running via a service account user? Root? Then who has that password? This will hopefully help you determine who/how that WAR was planted there. Also if it's Linux do a `ls -l` in deploy/management to find the date it was last modified. That might also help in determining who was using that box when it was modified.
Red Hat JBoss security guide
Red Hat JBoss admin/configuration guide
Also there are lots of great articles on the wiki, here is one off the top of my head
Hope that helps.
Thanks a lot guys for your tips.
I definitely have homework to do and those links you provided me are going to lead my way in order to check some of the security failures.
Once they can upload a file (or execute a command for e.g. wget:ing the file), it's pretty much game over. After that they can pretty much do everything the user account has access to (and perhaps escalate privileges using other OS holes once they know what the host runs).
Someone could put out a honeypot with hash-checks on all files and see where it comes in and what it changes, should it strike.
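The two defensive ideas in this thread, checking modification times in deploy/management with `ls -l` and keeping hash checks on all files so an unexpected archive like e.war is noticed, can be combined into a small file-integrity check. The script below is an added example written for this thread, not code from JBoss or from any poster; the directory layout it creates (a `deploy/management` folder holding a placeholder `console-mgr.sar/web-console.war`) and the planted `e.war` are constructed stand-ins with dummy bytes, not real archives. It records a SHA-256 baseline of every file under a directory, then reports files that were added, removed or modified since the baseline, together with their modification times.

```python
"""Baseline-and-compare integrity check for a deployment directory (added example)."""
import hashlib
import json
import sys
import tempfile
import time
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and mtime."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            entries[rel] = {"sha256": hash_file(path), "mtime": path.stat().st_mtime}
    return entries


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots by path."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def describe(changes: dict, current: dict) -> list:
    """Human-readable lines; mtime is shown for the same reason one would run ls -l."""
    lines = []
    for kind in ("added", "modified"):
        for rel in changes[kind]:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(current[rel]["mtime"]))
            lines.append(f"{kind.upper():8} {rel}  mtime={stamp}  sha256={current[rel]['sha256'][:16]}...")
    for rel in changes["removed"]:
        lines.append(f"REMOVED  {rel}")
    return lines


def save_baseline(root, baseline_file) -> None:
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2))


def check(root, baseline_file) -> dict:
    baseline = json.loads(Path(baseline_file).read_text())
    return diff_snapshots(baseline, snapshot(root))


def demo() -> dict:
    """Constructed scenario: baseline a fake deploy/management, then plant and tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        mgmt = Path(tmp) / "deploy" / "management"
        (mgmt / "console-mgr.sar").mkdir(parents=True)
        legit = mgmt / "console-mgr.sar" / "web-console.war"
        legit.write_bytes(b"PK\x03\x04 constructed placeholder, not a real archive")
        baseline = snapshot(mgmt)
        # Simulate what the thread describes: an unexpected archive appears,
        # and a legitimate one is altered in place.
        (mgmt / "e.war").write_bytes(b"PK\x03\x04 constructed unexpected archive")
        legit.write_bytes(b"PK\x03\x04 constructed tampered content")
        return diff_snapshots(baseline, snapshot(mgmt))


if __name__ == "__main__":
    # Usage: python fim.py baseline DIR FILE   |   python fim.py check DIR FILE
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_baseline(sys.argv[2], sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        changes = check(sys.argv[2], sys.argv[3])
        print("\n".join(describe(changes, snapshot(sys.argv[2]))) or "no changes")
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once with `baseline` right after a known-good deployment and keep the JSON somewhere the application server's service account cannot write; later `check` runs then flag any archive that appeared or changed, which is the signal the honeypot idea above is looking for.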