Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


JBoss Worm

Published: 2011-10-21,
Last Updated: 2011-10-21 02:06:15 UTC
by Johannes Ullrich (Version: 2)

2 comment(s)

A worm is making the round infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. 

The worm exploits and older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there.

If you do run JBoss, please make sure to read the instructions posted by RedHat here:

http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

Analysis of the worm:

http://pastebin.com/U7fPMxet 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: jboss
2 comment(s)
Top of page

Top of page

Comments

From what I can see, the two hosts listed in the perl code do not actually resolve to an address so cannot be connected to at his point.
Maybe they will become active in time.
posted by LCV, Mon Oct 24 2011, 00:55
LCV> I'm pretty sure that due to the disclosure of the source code you'll find new variations of worm and new (script kiddie) domains.
posted by Vadim, Tue Oct 25 2011, 13:51

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Announcement!

IPv6 Support Added

Our iptables client now supports submitting IPv6 firewall logs.

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

e-netprotections.su ? - by: Daniel Wesemann (2013-05-17)

SSL: Another reason not to ignore IPv6 - by: Johannes Ullrich (2013-05-17)

Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability - by: Joel Esler (2013-05-16)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute