JBoss 6.1 Being Hacked - Can't seem to secure

 
Greenhorn
Posts: 1
Hello,

I run JBoss 6.1 on my linux server and unfortunately it appears to be getting compromised. I am putting plans in place to move to the latest versions of Wildfly, but need a way to secure JBoss 6.1 whilst this work is completed.

I thought I had secured JBoss by following various guides, but still I am seeing unusual activity. The hacker appears able to save files in the system tmp directories, execute scripts and remove files. A specific user runs the JBoss service, so I know for sure JBoss is the area that is being exploited.

This is what I have done to try and make JBoss secure thus far:

- Removed jmx-console.war
- Removed jmx-console-activator-jboss-beans.xml
- Removed jbossws-console.war
- Removed jbossws-console-activator-jboss-beans.xml
- Enabled security domain in jmx-jboss-beans.xml
- Updated jmx-console-users.properties
- Updated jmx-console-roles.properties

I'm clutching at straws as to what to do next, but my next plan is to remove twiddle.sh, twiddle.jar and twiddle.bat from the bin directory.

Is there anything obvious I am not doing that is leaving JBoss insecure?

I really appreciate any thoughts and advice given on this.

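A read-only audit script for the checklist in the post, added here as an example (it is not the poster's or the JBoss project's own code). It assumes the JBoss AS 6.1 layout `$JBOSS_HOME/server/<profile>/deploy` and `$JBOSS_HOME/bin`, and that an enabled security domain shows up as an uncommented `<property name="securityDomain">` in `deploy/jmx-jboss-beans.xml`; it reports which listed artifacts still exist and whether that property is still commented out.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a JBoss AS 6.1 install
# for the console artifacts and the security-domain setting listed in the post.
# Assumed layout: $JBOSS_HOME/server/<profile>/deploy and $JBOSS_HOME/bin.

# Print an XML file with <!-- ... --> comments removed (single- and multi-line),
# so a securityDomain property that is only present inside a comment does not
# count as enabled.
strip_xml_comments() {
  awk '
    { line = $0 }
    incomment {
      e = index(line, "-->")
      if (e == 0) next
      line = substr(line, e + 3); incomment = 0
    }
    {
      while ((s = index(line, "<!--")) > 0) {
        head = substr(line, 1, s - 1)
        tail = substr(line, s + 4)
        e = index(tail, "-->")
        if (e == 0) { line = head; incomment = 1; break }
        line = head substr(tail, e + 3)
      }
      print line
    }' "$1"
}

# Usage: jboss_console_audit JBOSS_HOME [profile]
# Prints one FINDING line per issue; the return value is the number of findings
# (0 means nothing from the checklist remains).
jboss_console_audit() {
  home="$1"; profile="${2:-default}"; n=0
  deploy="$home/server/$profile/deploy"
  for f in "$deploy/jmx-console.war" "$deploy/jmx-console-activator-jboss-beans.xml" \
           "$deploy/jbossws-console.war" "$deploy/jbossws-console-activator-jboss-beans.xml" \
           "$home/bin/twiddle.sh" "$home/bin/twiddle.jar" "$home/bin/twiddle.bat"; do
    if [ -e "$f" ]; then echo "FINDING: still present: $f"; n=$((n + 1)); fi
  done
  beans="$deploy/jmx-jboss-beans.xml"
  # Assumption: the security domain is enabled only when the property is live XML.
  if [ -f "$beans" ] && ! strip_xml_comments "$beans" | grep -q 'name="securityDomain"'; then
    echo "FINDING: no active securityDomain property in $beans"; n=$((n + 1))
  fi
  return "$n"
}
```

Run it as `jboss_console_audit /opt/jboss-6.1.0.Final default` against a stopped server; a non-zero return means at least one checklist item is still in place.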
 
Sheriff
Posts: 22783
I don't know about fixing the JBoss security issue, but every machine that has been compromised should be taken offline and completely wiped. You never know what is left behind.

You should of course try to salvage whatever you can, but don't trust any file on the entire file system any more. If you can replace files with files from a different location (like rebuilding your application from source), you should do that. All files that can't be replaced should be put in quarantine and carefully scanned before deploying them on any different machine.
 
Don't get me started about those stupid light bulbs.