I have just deployed a jboss server 4.2.2 in location /usr/local/src/jboss-4.2.2-GA and ran that using ./run.sh -b 0.0.0.0 &
As the installation was with default settings so we could view the jboss web console via http://ip:8080.
Now the application team started building their application and after around 2 months they knocked my saying some one was constantly trying to access in the server . The reason for that was security team was running vulnerability check on that ip block.
NOW MY QUESTION IS HOW DID THEY COME TO KNOW OF THIS? IS THERE ANYTHING ON JBOSS WHICH CAN FIND OUT ABOUT THIS?
As they are normal user account so thats not possible for them to know who tried or failed to access to system but they knew. As root only I can view the /var/log/secure and know who tried and failed or succed but how come they know that.
Thanks a lot.
Also one more thing, to my surprise I found that the jboss log is showing its been shutdown but I can see the server running using 'ps afx' command. How come this is possible?
Also FYI, I had given full permission to the application users on the Jboss directory. So did they change anything?