JBoss 6.1 Being Hacked - Can't seem to secure

Greenhorn
Posts: 1
Hello,

I run JBoss 6.1 on my linux server and unfortunately it appears to be getting compromised. I am putting plans in place to move to the latest versions of Wildfly, but need a way to secure JBoss 6.1 whilst this work is completed.

I thought I had secured JBoss by following various guides, but still I am seeing unusual activity. The hacker appears able to save files in the system tmp directories, execute scripts and remove files. A specific user runs the JBoss service, so I know for sure JBoss is the area that is being exploited.

This is what I have done to try and make JBoss secure thus far:

- Removed jmx-console.war
- Removed jmx-console-activator-jboss-beans.xml
- Removed jbossws-console.war
- Removed jbossws-console-activator-jboss-beans.xml
- Enabled security domain in jmx-jboss-beans.xml
- Updated jmx-console-users.properties
- Updated jmx-console-roles.properties

I'm clutching at straws as to what to do next, but my next plan is to remove twiddle.sh, twiddle.jar and twiddle.bat from the bin directory.

Is there anything obvious I am not doing that is leaving JBoss insecure?

I really appreciate any thoughts and advice given on this.
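As an added example (not code from the thread, and not part of JBoss itself), a small POSIX shell script that automates two checks the post touches on: which of the listed console and twiddle artifacts are still present under JBOSS_HOME, and which files in a temp directory are owned by the JBoss service account. It assumes the default server/default/deploy layout and that the service account is named jboss.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side checks for a
# JBoss 6.1 install: (1) console/twiddle artifacts from the poster's list
# that are still on disk, (2) files in a temp directory owned by the JBoss
# service account. Assumes the default "server/default/deploy" layout.

# Print every listed artifact still present under JBOSS_HOME ($1) for the
# server profile ($2, default "default"). Exit status 1 if any remain.
jboss_leftovers() {
    home="$1"
    deploy="$home/server/${2:-default}/deploy"
    found=0
    for f in jmx-console.war jmx-console-activator-jboss-beans.xml \
             jbossws-console.war jbossws-console-activator-jboss-beans.xml; do
        if [ -e "$deploy/$f" ]; then
            echo "still deployed: $deploy/$f"
            found=1
        fi
    done
    for f in twiddle.sh twiddle.jar twiddle.bat; do
        if [ -e "$home/bin/$f" ]; then
            echo "still present: $home/bin/$f"
            found=1
        fi
    done
    return $found
}

# Print regular files under $1 owned by numeric uid $2 that changed within
# the last $3 days (default 1). Run it against /tmp and /var/tmp with the
# uid of the JBoss service account to list the dropped files the post
# describes; review each one before deciding it is legitimate.
files_owned_by_uid() {
    find "$1" -xdev -type f -uid "$2" -mtime "-${3:-1}" 2>/dev/null
}

# Usage (adjust the path and account name to the real install):
# jboss_leftovers /opt/jboss-6.1.0.Final default
# files_owned_by_uid /tmp "$(id -u jboss)" 7
```

A non-zero exit from jboss_leftovers means at least one artifact is still on disk; the second check only lists candidates and does not judge them.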

 
Sheriff
Posts: 21743
I don't know about fixing the JBoss security issue, but every machine that has been compromised should be taken offline and completely wiped. You never know what is left behind.

You should of course try to salvage whatever you can, but don't trust any file on the entire file system any more. If you can replace files with files from a different location (like rebuilding your application from source), you should do that. All files that can't be replaced should be put in quarantine and carefully scanned before deploying them on any different machine.