2 Replies. Latest reply: Nov 7, 2011 8:38 PM by Stephen Coy

[HELP!!] JBoss 5.1 hacked/infected by 'daytona' (warning: I give the files in the attachment)

Adrien (Apprentice)

Hi

<!-------------------------------------------------------------------------------->

WARNING: the attached files are suspect files from my host.

DO NOT TRY TO EXECUTE OR OPEN THEM IF YOU DON'T KNOW.

<!-------------------------------------------------------------------------------->

I'm using JBoss 5.1 and I'm not sure, but I suspect my JBoss 5.1 was used to 'infect' my server:

Runtime detection:

1. Detected many (more than 100) perl scripts with top (high CPU, 50).

2. ps -aef (note: I have no /usr/share/apache/ directory):

6951     1  0 08:29 pts/1    00:00:00 /usr/local/bin/java
6985     1  0 08:29 pts/1    00:00:00 /usr/share/apache/bin/httpd
13224  6951  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
13225 13224  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
13236     1  0 08:29 pts/1    00:00:00 /usr/local/bin/java
13270     1  0 08:29 pts/1    00:00:00 /usr/share/apache/bin/httpd
19498 13236  0 08:30 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
19499 19498  0 08:30 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 19.148.0.0/16 80 > /tmp/sess_0088025413980486928597bf19
20588     1  0 Nov05 ?        00:00:12 /usr/local/apache/bin/httpd -DSSL
20683     1  0 Nov02 ?        00:00:34 /usr/sbin/sshd
21450 32438  0 12:08 pts/1    00:00:00 grep --color=auto jboss
27269     1  0 Nov06 ?        00:00:04 /usr/local/apache/bin/httpd -DSSL

3. Thousands and thousands of files in /tmp like /tmp/sess_0088025413980486928597bf168

 

I give the suspected files in the attachment; maybe it could help if the hacker used JBoss to get into the server.

In the attachment:

a) /dev/shm => a directory shm (see file shm.tgz in the attachment) with many files named flood, or containing

"JBoss AS Remote Exploit\nby Kingcope\n\nusage: perl jboss.pl "

b) in /tmp/.a (see the .tar of the tmp/.a directory)

 

Is it known as a 'hack'?

I'll take any help....

Thanks

 

<!-------------------------------------------------------------------------------->

WARNING: the attached files are suspect files from my host.

DO NOT TRY TO EXECUTE OR OPEN THEM IF YOU DON'T KNOW.

<!-------------------------------------------------------------------------------->
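As an added triage example (not code from the post or from the JBoss project), the script below runs three defender-side checks over a `ps -aef` style listing shaped like the one above: shells forked directly by a JVM, command lines redirecting output into /tmp/sess_*, and processes whose executable path is not among the binaries known to exist on the host (the post's point that /usr/share/apache/ does not exist even though an httpd appears to run from it). The sample listing and the allow-set of known binary paths are constructed here for illustration; the column layout assumed is PID PPID C STIME TTY TIME CMD, as in the post, where the UID column is absent.

```python
"""Triage helpers for ps(1) output like the listing in the post above (added example)."""
import re

# Constructed sample in the shape of the post's `ps -aef` listing
# (PID PPID C STIME TTY TIME CMD; the UID column was already absent in the post).
PS_SAMPLE = r"""
 6951     1  0 08:29 pts/1    00:00:00 /usr/local/bin/java
 6985     1  0 08:29 pts/1    00:00:00 /usr/share/apache/bin/httpd
13224  6951  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
13225 13224  0 08:29 pts/1    00:00:00 sh -c ./pns -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6001 168.152.0.0/16 80 > /tmp/sess_0088025413980486928597bf168
20588     1  0 Nov05 ?        00:00:12 /usr/local/apache/bin/httpd -DSSL
20683     1  0 Nov02 ?        00:00:34 /usr/sbin/sshd
21450 32438  0 12:08 pts/1    00:00:00 grep --color=auto jboss
"""

# PID, PPID, C, STIME, TTY, TIME, then the command line (assumed column order).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*\S)\s*$")


def parse_ps(text):
    """Return {pid: (ppid, cmd)} from ps -aef style lines; unparsable lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def shells_spawned_by_java(procs):
    """PIDs of `sh -c ...` processes whose parent is a JVM.

    An application server forking shells is the first thing to look at when the
    server is suspected of having been the entry point.
    """
    def is_java(pid):
        return pid in procs and procs[pid][1].split()[0].endswith("/java")

    return sorted(pid for pid, (ppid, cmd) in procs.items()
                  if cmd.startswith("sh -c") and is_java(ppid))


def redirects_to_tmp_sess(procs):
    """PIDs whose command line writes into /tmp/sess_* (the artifact the post reports)."""
    return sorted(pid for pid, (_, cmd) in procs.items() if "> /tmp/sess_" in cmd)


def phantom_binaries(procs, paths_present):
    """Commands whose absolute executable path is not in paths_present.

    paths_present is a constructed allow-set here; on a live host you would
    build it with os.path.exists() for each executable instead.
    """
    hits = {}
    for pid, (_, cmd) in procs.items():
        exe = cmd.split()[0]
        if exe.startswith("/") and exe not in paths_present:
            hits[pid] = exe
    return hits


def triage(text, paths_present):
    """Run all three checks and return their findings keyed by check name."""
    procs = parse_ps(text)
    return {
        "java_shell_children": shells_spawned_by_java(procs),
        "tmp_sess_writers": redirects_to_tmp_sess(procs),
        "phantom_binaries": phantom_binaries(procs, paths_present),
    }


if __name__ == "__main__":
    # Constructed allow-set: binaries assumed to really exist on the host.
    present = {"/usr/local/bin/java", "/usr/local/apache/bin/httpd", "/usr/sbin/sshd"}
    for name, finding in triage(PS_SAMPLE, present).items():
        print(name, finding)
```

On the sample, the JVM 6951 is reported for its `sh -c` child 13224, both 13224 and 13225 are reported for writing to /tmp/sess_*, and 6985 is reported because /usr/share/apache/bin/httpd is not a known binary on the host. Process-tree parentage is the most useful of the three signals: a scanner named after something innocuous would still show up as a shell whose parent is the application server.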