Worm Turns Unpatched JBoss Servers into Botnet

by Charles Humble on Oct 28, 2011

A new worm exploiting a JBoss vulnerability that was patched in April 2010 is targeting unsecured servers and adding them to a botnet, security researchers are reporting. The worm affects earlier versions of JBoss (4 and 5) - versions 6 and 7 are unaffected. Johannes Ullrich of the SANS Technology Institute describes how the older configuration of JBoss only authenticated GET and POST requests, but did not protect other HTTP request types or interfaces, so attackers could use other methods to execute arbitrary code without authentication.
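The weakness Ullrich describes is a general Servlet deployment-descriptor mistake, not something unique to JBoss: when a `<security-constraint>` lists `<http-method>` elements, the constraint applies only to those verbs and every other method reaches the resource without authentication. The audit below is an added example written for this article, not code from InfoQ, Red Hat or the JBoss project. It parses a `web.xml`, flags verb-scoped constraints, and produces a hardened copy with the method list removed so the constraint covers all methods. Both descriptors are constructed samples (the role name `console-admin`, resource name `ConsoleResources` and `/*` pattern are placeholders), not copies of any shipped JBoss file.

```python
"""Audit a Servlet web.xml for security constraints scoped to specific HTTP verbs.

A <web-resource-collection> that enumerates <http-method> elements protects only
those verbs (for example GET and POST); HEAD, PUT, DELETE or any custom method
reaches the resource unauthenticated. Dropping the <http-method> elements makes
the constraint apply to every method.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak pattern, authentication required for GET and POST only.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ConsoleResources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>console-admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the corrected pattern, no verb list, so all methods are covered.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ConsoleResources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>console-admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name matches name."""
    return [c for c in elem if _local(c.tag) == name]


def find_verb_scoped_constraints(web_xml: str):
    """Return one finding per web-resource-collection that lists http-method elements."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in _children(sc, "web-resource-collection"):
            methods = [m.text.strip().upper() for m in _children(wrc, "http-method") if m.text]
            if not methods:
                continue  # no verb list: the constraint already covers every method
            patterns = [p.text.strip() for p in _children(wrc, "url-pattern") if p.text]
            findings.append({"url_patterns": patterns, "protected_methods": methods})
    return findings


def harden(web_xml: str) -> str:
    """Return the descriptor with every <http-method> removed from its constraints."""
    root = ET.fromstring(web_xml)
    # Collect first, then mutate, so the tree is not changed while iter() walks it.
    collections = [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]
    for wrc in collections:
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_scoped_constraints(WEAK_WEB_XML):
        print(f"verb-scoped constraint on {f['url_patterns']}: "
              f"only {f['protected_methods']} require authentication")
    print("after hardening:", find_verb_scoped_constraints(harden(WEAK_WEB_XML)))
```

Run it against a deployed console's `WEB-INF/web.xml`; an empty result from `find_verb_scoped_constraints` means every constraint applies to all HTTP methods. The check complements, rather than replaces, applying the vendor update the article points to.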

Red Hat security response director Mark Cox writes in a blog that the worm

propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.

One user, who set up a honeypot on a deliberately unsecured JBoss server, reports that the payload

...contained Perl scripts to automatically connect the compromised host to an IRC Server and be part of a botnet, install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts, one is for exploring JBoss Services (wstools.bat) and a script to discover all UDP-based members running on a certain mcast address (JGroups) called "JGroups Cluster Discovery Script for Win32" (probe.bat). Also included is a Perl script (Linda.pl) that helps in invoking the JMX console.

The worm has been circulating for a few days at least, and it's not clear right now how many servers have been compromised or what the origins of it are. If nothing else, it does highlight the need for users to keep their systems, both servers and PCs, up-to-date. The update that fixes the flaw can be downloaded here. Instructions for securing the JMX console can be found here.

InfoQ.com and all content copyright © 2006-2013 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.