
Worm Turns Unpatched JBoss Servers into Botnet


A new worm that exploits a JBoss vulnerability patched in April 2010 is targeting unsecured servers and adding them to a botnet, security researchers report. The worm affects the older JBoss versions 4 and 5; versions 6 and 7 are unaffected. Johannes Ullrich of the SANS Technology Institute explains that the older JBoss configuration authenticated only GET and POST requests and left other HTTP request types and interfaces unprotected, so an attacker could use another method to execute arbitrary code without authenticating.
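The configuration gap Ullrich describes can be checked for directly. As an added example (not code from the article or from JBoss), the Python below parses a web.xml and flags any security constraint that lists explicit HTTP methods; the web.xml fragment, the HtmlAdaptor resource name and the JBossAdmin role are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape the article describes: the
# console is authenticated only for GET and POST, so any other verb
# (HEAD, PUT, DELETE, ...) reaches the servlet without a login.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Same constraint with the <http-method> elements removed: with no methods
# listed, the servlet spec applies the constraint to every HTTP method.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip a namespace so DTD-based and namespaced web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def find_method_limited_constraints(web_xml):
    """Return (url-pattern, [methods]) for each constraint that names explicit methods."""
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        for coll in constraint:
            if _local(coll.tag) != "web-resource-collection":
                continue
            # Listing methods protects only those; every other method on the
            # same URL pattern is left unauthenticated.
            methods = [e.text.strip() for e in coll if _local(e.tag) == "http-method"]
            if methods:
                for pat in (e.text.strip() for e in coll if _local(e.tag) == "url-pattern"):
                    findings.append((pat, methods))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_method_limited_constraints(VULNERABLE_WEB_XML))
    print("hardened:  ", find_method_limited_constraints(HARDENED_WEB_XML))
```

Any non-empty result means the URL pattern is only authenticated for the listed verbs; the fix is to drop the `<http-method>` elements so the constraint covers all methods.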

Red Hat security response director Mark Cox writes in a blog that the worm

propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.

One user, who set up a honeypot on a deliberately unsecured JBoss server, reports that the payload

...contained Perl scripts to automatically connect the compromised host to an IRC server and be part of a botnet, install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts, one for exploring JBoss Services (wstools.bat) and a script to discover all UDP-based members running on a certain JGroups mcast address, called "JGroups Cluster Discovery Script for Win32" (probe.bat). Also included is a Perl script (Linda.pl) that helps in invoking the JMX console.

The worm has been circulating for at least a few days, and it is not yet clear how many servers have been compromised or where it originated. If nothing else, it highlights the need for users to keep their systems, both servers and PCs, up to date. The update that fixes the flaw can be downloaded here. Instructions for securing the JMX console can be found here.
