2 Replies Latest reply on Jan 25, 2018 12:35 AM by Malik Adeel Imtiaz

    Extra Files in JBOSS FOLDER (Maybe Malware)

    Malik Adeel Imtiaz Newbie

      Dear Gurus,

      We have observed that in our JBOSS Web Server, every time when we start the JBOSS server some unknown files will be added in the folder.

      F:\jboss610\bin.

       

      • F:\jboss610\bin\systemdx32.exe
      • F:\jboss610\bin\zeros.exe
      • F:\jboss610\bin\master.exe

       

      Why these files created.

       

      We have done following precaution measures in JBOSS WebServer.

       

      • The system should be thoroughly scanned and cleaned for viruses.
      • Microsoft Security patches should be applied and updated.
      • Antivirus software should be kept updated all the times.
      • All Windows updates should be installed by monthly schedule.
      • Internet access should be blocked on the server.
      • All the data should be copied after scanning with updated antivirus software.

       

      Your urgent reply will be highly appreciated.

       

      Thanks

      Malik Adeel Imtiaz

        • 1. Re: Extra Files in JBOSS FOLDER (Maybe Malware)
          lukaszracon Newbie

          Google for each file name and you will get a list of trojans

          I would double check security guide to see if you have webservices exposed: JBoss AS 6.0 Security Guide Check if there are JBoss security patches/issues.

          More likely vector of attack are applications running on this JBoss. Search for security bulletins for application frameworks/libraries that you use.

          Check access and error logs to see what hit you.

          • 2. Re: Extra Files in JBOSS FOLDER (Maybe Malware)
            Malik Adeel Imtiaz Newbie

            Thank you so very much for your quick reply.

             

            Please see that our IT team has scanned the server and found some vulnerabilities as follows.

             

            Web Server

            Alert: group Cross site scripting

            Severity: High

            Description:

            Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can

            execute malicious scripts into a legitimate website or web application. XSS occurs when a web

            application makes use of unvalidated or unencoded user input within the output it generates.

            Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page

             

            Web Server

            Alert group JBoss HttpAdaptor JMXInvokerServlet

            Severity High

            Description

            JBoss allows for using adaptors for accessing MBean services over any supported protocols. For

            HTTP, the JBoss AS provides the HttpAdaptor. In a default installation, the HttpAdaptor is not

            activated. However, the HttpAdaptor's JMX Invoker is running and publicly available at the URL

            http://localhost:8080/invoker/JMXInvokerServlet.

            This Invoker accepts HTTP POST requests which contain a serialized JMX invocation in the data

            section (the objects belong to the JBoss AS Java class MarshalledInvocation). After

            deserialization the object is forwarded to the target MBean. Using this functionality an attacker

            can invoke the BSHDeployer MBean to create a local file and later call MainDeployer to deploy

            the locally created file.

            Recommendations Restrict access to the HttpAdaptor JMXInvokerServlet.

             

             

            Web Server

            Alert group JBoss JMX management console

            Severity High

            Description

            In the default configuration, after JBoss is installed, the JMX console is available at

            http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump

            the list of threads, redeploy an application or even shutdown the application server. By default, the

            console is not secured and can be used by remote attackers. Check References for detailed

            information.

            Recommendations Restrict access to JMX Management Console.

             

             

            Web Server

            Alert group JBoss Server MBean

            Severity High

            Description

            In the default configuration, after JBoss is installed, the JMX console is available at

            http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump

            the list of threads, redeploy an application or even shutdown the application server. By default, the

            console is not secured and can be used by remote attackers. Check References for detailed

            information.

            It's possible to access the Server MBean that will disclose sensitive information. This information

            could be useful for an attacker.

            Recommendations Restrict access to JMX Management Console.

             

             

            Web Server

            Alert group JBoss ServerInfo MBean

            Severity High

            Description

            In the default configuration, after JBoss is installed, the JMX console is available at

            http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump

            the list of threads, redeploy an application or even shutdown the application server. By default, the

            console is not secured and can be used by remote attackers. Check References for detailed

            information.

            It's possible to access the ServerInfo MBean that will disclose sensitive information. This

            information could be useful for an attacker.

            Recommendations Restrict access to JMX Management Console.

             

             

            Thanks

            Adeel Imtiaz