0 Replies Latest reply on Apr 1, 2005 10:52 PM by Dale Seng

    Command Injection Vulnerability?

    Dale Seng Newbie

      Apparently someone from "The Computer Guy" IP range (or someone acting
      as someone from there) got rcp.exe to run on my machine, attempting to
      contact 216.30.236.32 port 514. I detected this with ZoneAlarm.


      The reason I'm posting here is because I've just installed JBoss and
      MySQL on my machine, and until this point, I have never had this type
      of attack before. It happened right around the time I accessed the
      JBoss JMX console for the first time from over the Internet (I accessed
      my home PC from work). I have a non-static IP, so I'm running the
      No-IP DUC I can find my machine on the Internet.


      Could someone wager a guess as to what happened at 8:42 this morning?
      What was attempted? How was it done? I password protected my JBoss
      JMX and Management consoles, but of course it's only with basic
      authentication, which is really nothing if someone wants to snoop. Is
      there something in one of the interfaces that get installed with JBoss
      that would allow for someone to start a remote copy?


      Thanks.


      --Dale--


      -----------DETAILS--------------


      Description TCP/IP Remote Copy Command requested permission to
      access the internet.
      Rating High
      Date / Time 2005/04/01 08:42:04-5:00 GMT
      Type New Program
      Program C:\WINDOWS\system32\rcp.exe
      Source IP
      Destination IP 216.30.236.36:514
      Direction Outgoing (connect)
      Action Taken Blocked (once)/Manual
      Count 1


      CustName: The Computer Guy
      Address: 5306 McCorkle Ave
      City: Charleston
      StateProv: WV
      PostalCode: 25302
      Country: US
      RegDate: 2004-06-23
      Updated: 2004-06-23


      NetRange: 216.30.236.32 - 216.30.236.39
      CIDR: 216.30.236.32/29
      NetName: CUST-THECOMPUTERGUY-216-NET1
      NetHandle: NET-216-30-236-32-1
      Parent: NET-216-30-192-0-1
      NetType: Reassigned
      Comment:
      RegDate: 2004-06-23
      Updated: 2004-06-23


      OrgTechHandle: FIA2-ARIN
      OrgTechName: FiberNet IP Administrator
      OrgTechPhone: +1-304-720-0200
      OrgTechEmail: ipadmin@wvfibernet.net