I run JBoss 6.1 on my Linux server and unfortunately it appears to be getting compromised. I am putting plans in place to move to the latest version of WildFly, but need a way to secure JBoss 6.1 whilst this work is completed.
I thought I had secured JBoss by following various guides, but still I am seeing unusual activity. The hacker appears able to save files in the system tmp directories, execute scripts and remove files. A specific user runs the JBoss service, so I know for sure JBoss is the area that is being exploited.
This is what I have done to try and make JBoss secure thus far:
I don't know about fixing the JBoss security issue, but every machine that has been compromised should be taken offline and completely wiped. You never know what is left behind.
You should of course try to salvage whatever you can, but don't trust any file on the entire file system any more. If you can replace files with files from a different location (like rebuilding your application from source), you should do that. All files that can't be replaced should be put in quarantine and carefully scanned before deploying them on any different machine.
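The advice above to distrust every file on the box and rebuild from a known-good source can be made checkable. The following is an added example, not code from the question or the answer: a POSIX shell script that takes a SHA-256 manifest of a tree assumed to be a clean build from source and compares the live server tree against it, listing files that were modified, removed, or added. The directory layout and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the question or answer): compare a server tree
# against a SHA-256 manifest taken from a known-good copy, e.g. a fresh build
# from source, and report files that were modified, removed, or added.
# All paths and sample files below are constructed for illustration.

# build_manifest DIR -> prints "<sha256>  ./relative/path" for every regular file
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# verify_tree DIR MANIFEST -> one line per discrepancy; exit 0 only when the
# tree matches the manifest exactly (nothing modified, missing, or extra).
verify_tree() {
    dir=$1; manifest=$2; status=0
    # Every file the clean build contained must still be present and unchanged.
    while read -r sum path; do
        f="$dir/${path#./}"
        if [ ! -f "$f" ]; then
            echo "MISSING    $path"; status=1
        elif [ "$(sha256sum "$f" | cut -c1-64)" != "$sum" ]; then
            echo "MODIFIED   $path"; status=1
        fi
    done < "$manifest"
    # Anything on disk that the clean build never had is untrusted until explained.
    extra=$( ( cd "$dir" && find . -type f ) | while read -r p; do
        cut -c67- "$manifest" | grep -qxF -- "$p" || echo "UNEXPECTED $p"
    done )
    if [ -n "$extra" ]; then echo "$extra"; status=1; fi
    return $status
}

# demo: build a constructed clean tree, record its manifest, tamper with a
# copy the way the question describes (file changed, file removed, file
# dropped in), then verify the copy. Returns verify_tree's exit status.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/deploy"
    printf 'app build 1\n' > "$work/clean/deploy/app.war"   # constructed sample
    printf 'jboss config\n' > "$work/clean/server.cfg"      # constructed sample
    cp -R "$work/clean" "$work/live"
    build_manifest "$work/clean" > "$work/manifest"
    printf 'app build 1 + extra\n' > "$work/live/deploy/app.war"
    rm "$work/live/server.cfg"
    printf 'not from the build\n' > "$work/live/deploy/planted.jsp"
    verify_tree "$work/live" "$work/manifest"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Take the manifest from the rebuilt application or a fresh install on a separate machine, never from the compromised host itself, since a hash list produced there is exactly the kind of file the answer says not to trust.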