JBoss worm-in-the-wild
FYI...
JBoss worm-in-the-wild
- https://isc.sans.edu/diary.html?storyid=11860
Last Updated: 2011-10-21 02:06:15 UTC ...(Version: 2) - "A worm is making the round infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. The worm exploits and older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there. If you do run JBoss, please make sure to read the instructions posted by RedHat here:
- http://community.jboss.org/blogs/mjc...ication-server
Analysis of the worm: http://pastebin.com/U7fPMxet "
___
- http://www.theregister.co.uk/2011/10/26/jboss_worm/
26 October 2011 - "... The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm's payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines... exploits with a patch available for over a year accounted for 3.2 per cent of compromises..."
