Poisoning symptoms
1. Network congestion increases access latency.
2. Abnormal entries appear in the system scheduled task table (crontab).
3. Abnormal processes appear.
4. A large number of abnormal files appear in the $JBOSS_HOME/bin or /root directory.
Symptom analysis
This is a worm that has recently been spreading on the Internet. It exploits the default accounts of the JBoss jmx-console and web-console to compromise Linux servers and turn them into zombie proxies.
1. The network congestion is caused by the worm running the pnscan tool to scan ports continuously; the large volume of request packets it sends consumes network bandwidth.
2. Running crontab -l shows abnormal scheduled tasks that invoke ~/.sysdbs and ~/.sysync.pl (sometimes only two of the entries are present).
Both .sysync.pl and .sysdbs are hidden files; they can be seen with ls -la.
3. Viewing the process list shows the following abnormal processes.
On some servers abnormal java processes are also visible; check whether these java processes were legitimately started by the application.
4. A large number of abnormal files are present in the $JBOSS_HOME/bin or /root directory:
Among them, kisses.tar.gz is the worm's source installation package; the other files listed above are generated when it is installed.
Solution
Step 1: Kill the worm and remove its files
Review these commands before running them: killall -9 perl stops every perl process, and rm -rf *.pl removes every .pl file in the directory, not only the worm's.
killall -9 kernel
killall -9 pns
killall -9 perl
cd /root (or cd $JBOSS_HOME/bin)
rm -rf bm*
rm -rf *.pl
rm -rf treat.sh
rm -rf install-sh
rm -rf version*
rm -rf kisses*
rm -rf pns*
rm -rf Makefile
rm -rf ipsort
rm -rf .sysdbs
rm -rf .sysync.pl
Then run crontab -e and delete these lines:
1 1 10 * * ~/.sysdbs
1 1 24 * * perl ~/.sysync.pl
1 1 24 * * perl ~/.sysync.pl
1 1 10 * * ~/.sysdbs
Finally, stop the cron service: service crond stop
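As an added example that is not part of the original post, the following POSIX shell helpers check for the indicators described above (the crontab entries, the dropped files and the process names) without killing or deleting anything, so they can be run before the cleanup, or against a captured crontab, a copied directory and a saved process listing. The sample crontab and process list at the end are constructed for illustration.

```shell
# Added example, not from the original post: read-only triage helpers for the
# indicators described above. Nothing here kills or deletes anything.

# Print crontab lines that invoke the worm's hidden scripts (.sysdbs, .sysync.pl).
# Usage: check_crontab "$(crontab -l 2>/dev/null)"   (exit 0 = indicators found)
check_crontab() {
    printf '%s\n' "$1" | grep -E '\.sysdbs|\.sysync\.pl'
}

# Print files in a directory whose names match the artefacts listed above.
# Usage: check_dir "$JBOSS_HOME/bin"  or  check_dir /root   (exit 0 = found)
check_dir() {
    dir=$1
    status=1
    for pat in 'bm*' '*.pl' 'treat.sh' 'install-sh' 'version*' 'kisses*' \
               'pns*' 'Makefile' 'ipsort' '.sysdbs' '.sysync.pl'; do
        for f in "$dir"/$pat; do          # $pat unquoted so the glob expands
            [ -e "$f" ] || continue       # an unmatched glob stays literal; skip it
            printf '%s\n' "$f"
            status=0
        done
    done
    return $status
}

# Print process names from a `ps -eo comm=` listing that match the names the
# post kills. 'perl' hits need manual review: legitimate perl jobs match too.
# Usage: check_procs "$(ps -eo comm=)"   (exit 0 = indicators found)
check_procs() {
    printf '%s\n' "$1" | grep -Ex 'kernel|pns|pnscan|perl'
}

# Constructed sample crontab: one legitimate job plus two worm entries.
SAMPLE_CRON='0 2 * * * /usr/local/bin/backup.sh
1 1 10 * * ~/.sysdbs
1 1 24 * * perl ~/.sysync.pl'

# Constructed sample process listing: two worm process names among normal ones.
SAMPLE_PROCS='sshd
java
kernel
pns
crond'
```

Each helper exits 0 only when it found something, so they can drive an alert from a monitoring job.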
Step 2: Harden JBoss and change the default passwords of jmx-console and web-console
JMX security configuration: comment out the GET and POST lines inside the security-constraint, but do not comment out the entire security-constraint section.
Remove the comment marks around the security-domain element so that it takes effect.
Change the admin password.
web-console security hardening
The procedure is the same as for the JMX console hardening above.
Step 3: Test
After the JBoss hardening is complete, perform an HTTP access test to check that the authentication prompt appears as expected and that the configured user name and password grant access normally:
http://xxx.xxx.xxx.xxx/web-console
http://xxx.xxx.xxx.xxx/jmx-console
Suggestions for preventing JBoss vulnerability attacks
Worm attacks are best prevented in advance. Once a server is found to be infected, the cleanup above may resolve the problem, but to prevent such attacks effectively the following suggestions are offered:
1. Run the JBoss application as a non-root user so that a worm cannot obtain superuser privileges, change the root password, or take control of the server.
2. Enable authentication on the JBoss consoles and change the default passwords; the passwords must be complex. If the consoles are not needed, you can even close the management port and delete the related console directories and files from the JBoss home directory.
3. Upgrade JBoss to the latest version. Older JBoss versions in particular have many vulnerabilities, and newer versions are considerably more secure.
4. Separate the web application from the front end that receives requests, for example by integrating Apache with JBoss. This is safer and better suited to high-concurrency traffic.
From Qingfeng's BLOG