Server compromise through a JBoss vulnerability
Symptoms of the compromise:
1. ps axf shows many extra processes, in particular pnscan, which scans entire external networks and saturates the link (here it probes port 8080 across a /16 and keeps hosts whose HTTP response matches JBoss, i.e. it is hunting for further targets):
sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
2. crontab -l shows extra entries (some infected hosts do not have these):
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
3. ${JBOSS_HOME}/bin/ contains many extra files, owned by an unknown user (shown as a bare uid such as 1000 with no matching account):
a.tar.gz
bm.c
bm.h
bm.o
flu.pl
fly.pl
install-sh
ipsort
kisses/
kisses.tar.gz
kisses.tar.gz.1
linda.pl
lindb.pl
Makefile
pnscan
pnscan.c
pnscan.o
version.c
version.o
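The three symptoms above as a triage script, an added example that is not part of the original post: it runs the checks over captured ps axf, crontab -l and ls -l output (the sample text embedded below is constructed, not a real capture) and exits non-zero when any indicator fires. The owner name jboss and the sample pids are assumptions.

```shell
#!/bin/sh
# Triage the three symptoms listed above from captured command output.
# Added example, not from the original post; the ps, crontab and ls text below
# is constructed to mimic what the post reports. On a live host feed in the
# real output: triage "$(ps axf)" "$(crontab -l)" "$(ls -l "$JBOSS_HOME/bin")"

# 1. The outbound scanner: any process whose command is pnscan.
find_pnscan() {                        # ps text on stdin; exit 0 if found
    grep -E '(^|[[:space:]/])pnscan([[:space:]]|$)'
}

# 2. Persistence: cron lines that run the hidden droppers under /root.
find_bad_cron() {                      # crontab text on stdin; exit 0 if found
    grep -E '/root/\.(sysdbs|sysync\.pl)([[:space:]]|$)'
}

# 3. Dropped tooling: "ls -l" entries whose owner column is not the account
#    JBoss runs as. A bare uid such as 1000 (no passwd entry on this host)
#    is exactly the "unknown owner" the post describes.
find_foreign_files() {                 # $1 = expected owner; ls -l text on stdin
    awk -v u="$1" 'NF >= 9 && $3 != u { print $NF }'
}

# Print a short report; exit 0 only when none of the three indicators fired,
# so the function can gate an alert.
triage() {                             # $1 ps text, $2 crontab text, $3 ls text, $4 owner (default jboss)
    owner=${4:-jboss}; hit=0
    echo "== pnscan processes";     printf '%s\n' "$1" | find_pnscan   && hit=1
    echo "== dropper cron entries"; printf '%s\n' "$2" | find_bad_cron && hit=1
    echo "== files in bin not owned by $owner"
    f=$(printf '%s\n' "$3" | find_foreign_files "$owner")
    [ -n "$f" ] && { printf '%s\n' "$f"; hit=1; }
    [ "$hit" -eq 0 ]
}

# Constructed samples (not real captures) in the shape of the post's symptoms.
PS_SAMPLE='  812 ?  Ss  0:00 /usr/sbin/crond
 4711 ?  S   3:12 sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
 4712 ?  R   9:40  \_ ./pnscan -r JBoss -w HEAD / HTTP/1.0 -t 6400 61.223.0.0/16 8080
 4720 ?  S   0:01 perl /root/.sysync.pl'
CRON_SAMPLE='0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl'
LS_SAMPLE='total 48
-rwxr-xr-x 1 jboss jboss  2412 Jan 10 12:00 run.sh
-rwxr-xr-x 1 1000  1000  31404 Mar  3 04:11 pnscan
-rw-r--r-- 1 1000  1000   1821 Mar  3 04:11 linda.pl'

triage "$PS_SAMPLE" "$CRON_SAMPLE" "$LS_SAMPLE" || echo "compromise indicators present"
```

On a live host pass the account JBoss actually runs as in the fourth argument. The ls parsing is column-based and will mis-handle file names containing spaces, which is acceptable for a bin directory but not for a general-purpose scanner; capture the ps, crontab and directory listings before starting the cleanup below, since killing processes and deleting files destroys the evidence.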
Cleanup:
1. Kill the extra processes; in addition run killall perl, kill -9 crond and service crond restart.
2. Remove the extra crontab entries.
3. Delete the extra files under ${JBOSS_HOME}/bin/.
4. Delete the iesvc.war and zecmd.war directories under ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/ (all(default,minimal) here and below stands for whichever server profile is in use).
5. Change the JBoss configuration:
I. JMX console security settings:
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<!--
<http-method>GET</http-method>
<http-method>POST</http-method>
-->
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
Comment out the two <http-method> lines, and make sure the security-constraint block as a whole is not commented out. With GET and POST listed explicitly the constraint applies only to those two verbs, so requests using any other HTTP method are not subject to it; with no <http-method> elements it covers every method.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/jboss-web.xml
<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
-->
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
Uncomment the security-domain element.
# vi ${JBOSS_HOME}/server/all(default,minimal)/conf/props/jmx-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=xxxxx
Set a strong password for admin; the stock file ships with admin=admin.
II. Web console security settings:
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<!--
<http-method>GET</http-method>
<http-method>POST</http-method>
-->
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
As for the JMX console: comment out the two <http-method> lines so the constraint covers every HTTP method, and make sure the security-constraint block as a whole is not commented out.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
-->
<security-domain>java:/jaas/web-console</security-domain>
Uncomment the security-domain element.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=xxxxx
Set a strong password for admin; the stock file ships with admin=admin.
Finally, restart JBoss for the changes to take effect.
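A way to verify steps 4 and 5 after the restart, as an added example that is not the post's own script: it strips XML comments so that a <security-domain> or <security-constraint> that is still inside the stock comment block is not mistaken for a live setting, and it flags a constraint that still lists <http-method> elements. The JBOSS_HOME tree it builds is a constructed fixture; the path layout follows the post, and the function and file names are this example's own.

```shell
#!/bin/sh
# Verify the hardening above for one server profile: the webapps from step 4 are
# gone, and each console has a live security-constraint with no <http-method>
# list plus an uncommented <security-domain>. Added example, not the post's own
# script; the JBOSS_HOME tree in make_fixture is constructed in the 4.x layout.

# Strip <!-- ... --> comments (possibly multi-line) so only live config counts:
# a <security-domain> still inside the stock comment is treated as absent.
strip_xml_comments() {                 # $1 = file
    awk '{ line = $0; out = ""
           while (length(line) > 0) {
             if (!inc) { i = index(line, "<!--"); if (i == 0) { out = out line; break }
                         out = out substr(line, 1, i - 1); line = substr(line, i + 4); inc = 1
             } else { i = index(line, "-->"); if (i == 0) break
                      line = substr(line, i + 3); inc = 0 }
           }
           print out }' "$1" 2>/dev/null
}

# web.xml: "none" while the block is still commented out, "get-post-only" when
# <http-method> elements are live (only those verbs are protected), else "all-methods".
constraint_state() {
    live=$(strip_xml_comments "$1")
    if   ! printf '%s\n' "$live" | grep -q '<security-constraint>'; then echo none
    elif   printf '%s\n' "$live" | grep -q '<http-method>';         then echo get-post-only
    else echo all-methods; fi
}

# jboss-web.xml: "secured" only if <security-domain> sits outside any comment.
domain_state() {
    if strip_xml_comments "$1" | grep -q '<security-domain>'; then echo secured; else echo open; fi
}

# Step 4 leftovers under every profile's deploy/management; exit 0 if any remain.
find_dropped_wars() {                  # $1 = JBOSS_HOME
    n=0
    for w in "$1"/server/*/deploy/management/iesvc.war "$1"/server/*/deploy/management/zecmd.war; do
        [ -e "$w" ] && { printf '%s\n' "$w"; n=1; }
    done
    [ "$n" -eq 1 ]
}
report_console() {                     # $1 = label, $2 = WEB-INF dir; exit 0 if fully secured
    cs=$(constraint_state "$2/web.xml"); ds=$(domain_state "$2/jboss-web.xml")
    echo "$1: constraint=$cs domain=$ds"
    [ "$cs" = all-methods ] && [ "$ds" = secured ]
}
check_profile() {                      # $1 = JBOSS_HOME, $2 = profile; exit 0 if both consoles secured
    p="$1/server/$2/deploy"; rc=0
    report_console jmx-console "$p/jmx-console.war/WEB-INF" || rc=1
    report_console web-console "$p/management/console-mgr.sar/web-console.war/WEB-INF" || rc=1
    return $rc
}

# Constructed fixture: jmx-console still in its stock (open) state, web-console
# already hardened, zecmd.war not yet removed. Prints the JBOSS_HOME path.
make_fixture() {
    d=$(mktemp -d); p="$d/server/default/deploy"; w="$p/management/console-mgr.sar/web-console.war/WEB-INF"
    mkdir -p "$p/management/zecmd.war" "$p/jmx-console.war/WEB-INF" "$w"
    cat > "$p/jmx-console.war/WEB-INF/web.xml" <<'EOF'
<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  -->
</web-app>
EOF
    cat > "$p/jmx-console.war/WEB-INF/jboss-web.xml" <<'EOF'
<jboss-web>
  <!-- Uncomment the security-domain to enable security.
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
</jboss-web>
EOF
    cat > "$w/web.xml" <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <!--
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      -->
    </web-resource-collection>
  </security-constraint>
</web-app>
EOF
    printf '<jboss-web>\n  <security-domain>java:/jaas/web-console</security-domain>\n</jboss-web>\n' > "$w/jboss-web.xml"
    printf '%s\n' "$d"
}
home=$(make_fixture)
find_dropped_wars "$home" && echo "^ dropped webapps still present"
check_profile "$home" default && echo "profile secured" || echo "profile NOT secured"
rm -rf "$home"
```

Against a real installation run check_profile "$JBOSS_HOME" default (or all, or minimal) and find_dropped_wars "$JBOSS_HOME"; the profile check exits 0 only when both consoles report constraint=all-methods and domain=secured, so a result of get-post-only means the <http-method> lines were left uncommented and the console is still reachable with other verbs.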