JBoss漏洞導致伺服器中毒

中毒現象：
1. ps axf看到多出了很多進程，尤其是有pnscan這個進程，它會對外掃描整個網路，導致網路擁塞：
sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
2. crontab -l看到多出了，有些中毒的則沒有這個現象：
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
3. ${JBOSS_HOME}/bin/多出了好多檔，這些檔的owner為未知（比如為1000)：
a.tar.gz
bm.c
bm.h
bm.o
flu.pl
fly.pl
install-sh
ipsort
kisses/
kisses.tar.gz
kisses.tar.gz.1
linda.pl
lindb.pl
Makefile
pnscan
pnscan.c
pnscan.o
version.c
version.o

找到解決辦法：
http://aws.amazon.com/security/security-bulletins/jboss-worm-spreading-via-unpatched-or-unsecured-jboss-application-server/

修改：
1. kill 掉多出來的進程，另外killall perl，kill -9 crond，service crond restart。
2. 刪除crontab 裏面多出來的條目。
3. 刪除${JBOSS_HOME}/bin/ 下面多出來的檔。
4. 刪除${JBOSS_HOME}/server/all(default,minimal)/deploy/management/iesvc.war和zecmd.war文件夾。
    原始的JBOSS應該只有console-mgr.sar 5. 修改jboss配置：

一、MX安全設置：

vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/web.xml

＜!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console.

 --＞
   ＜security-constraint＞
     ＜web-resource-collection＞
       ＜web-resource-name＞HtmlAdaptor＜/web-resource-name＞
       ＜description＞An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       ＜/description＞
       ＜url-pattern＞/*＜/url-pattern＞
＜!-- 
       ＜http-method＞GET＜/http-method＞
       ＜http-method＞POST＜/http-method＞
--＞
     ＜/web-resource-collection＞
     ＜auth-constraint＞
       ＜role-name＞JBossAdmin＜/role-name＞
     ＜/auth-constraint＞
   ＜/security-constraint＞

把GET和POST两行注释掉，同时security-constraint整个部分不要注释掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/jboss-web.xml
＜jboss-web＞
   ＜!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   --＞
      ＜security-domain＞java:/jaas/jmx-console＜/security-domain＞
＜/jboss-web＞
把security-domain注釋去掉。

# vi ${JBOSS_HOME}/server/all(default,minimal)/conf/props/jmx-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=xxxxx
修改admin密碼

二、WEB-CONSOLE安全設置：
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

   ＜!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   --＞
   ＜security-constraint＞
   ＜web-resource-collection＞
   ＜web-resource-name＞HtmlAdaptor＜/web-resource-name＞
   ＜description＞An example security config that only allows users with the
   role JBossAdmin to access the HTML JMX console web application
   ＜/description＞
   ＜url-pattern＞/*＜/url-pattern＞
  ＜!-- 
   GET
   POST
   --＞
   ＜/web-resource-collection＞
   ＜auth-constraint＞
   ＜role-name＞JBossAdmin＜/role-name＞
   ＜/auth-constraint＞
   ＜/security-constraint＞
把GET和POST两行注释掉，同时security-constraint整个部分不要注释掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
   ＜!-- Uncomment the security-domain to enable security. You will
   need to edit the htmladaptor login configuration to setup the
   login modules used to authentication users.
   --＞
   ＜security-domain＞java:/jaas/web-console＜/security-domain＞
把security-domain注釋去掉。

# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=xxxxx
修改admin密碼


最後啟動jboss生效。

以上文章摘自http://adaishu.blog.163.com/blog/static/17583128620119313022152/

好吧,小弟不才,還是有不少主機陸續的中毒
我把檢查的指令逐一貼上來，好方便下回查找


###先跳轉到JBOSS 目錄
cd /usr/jboss-4.2.2.GA/server
cd /usr/local/jBoss/Base/server
#####1
grep security-constraint all/deploy/jmx-console.war/WEB-INF/web.xml;
grep security-constraint default/deploy/jmx-console.war/WEB-INF/web.xml;
grep security-constraint minimal/deploy/jmx-console.war/WEB-INF/web.xml;
#####若須要修改
#####找 security-constraint
vim all/deploy/jmx-console.war/WEB-INF/web.xml
vim default/deploy/jmx-console.war/WEB-INF/web.xml
vim minimal/deploy/jmx-console.war/WEB-INF/web.xml
security-constraint整个部分不要注释掉但，同时把GET和POST两行注释掉
           ＜-- ＜http-method＞GET＜/http-method＞
       ＜http-method＞POST＜/http-method＞  --＞


#####2
grep security-domain all/deploy/jmx-console.war/WEB-INF/jboss-web.xml;
grep security-domain default/deploy/jmx-console.war/WEB-INF/jboss-web.xml;
grep security-domain minimal/deploy/jmx-console.war/WEB-INF/jboss-web.xml;
#####若須要修改
#####找 security-domain
vim all/deploy/jmx-console.war/WEB-INF/jboss-web.xml
vim default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
vim minimal/deploy/jmx-console.war/WEB-INF/jboss-web.xml

#####3
grep admin all/conf/props/jmx-console-users.properties;
grep admin default/conf/props/jmx-console-users.properties;
grep admin minimal/conf/props/jmx-console-users.properties;
#####若須要修改
#####設定密碼 admin=xxxx
vim all/conf/props/jmx-console-users.properties
vim default/conf/props/jmx-console-users.properties
vim minimal/conf/props/jmx-console-users.properties


#####4
grep security-constraint all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml;
grep security-constraint default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml;
grep security-constraint minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml;
#####若須要修改
#####找 security-constraint
vim all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
vim default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
vim minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

security-constraint整个部分不要注释掉但，同时把GET和POST两行注释掉
           ＜-- ＜http-method＞GET＜/http-method＞
       ＜http-method＞POST＜/http-method＞  --＞


#####5
grep security-domain all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml;
grep security-domain default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml;
grep security-domain minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml;
#####若須要修改
#####找 security-domain
vim all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
vim default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
vim minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml


#####6
grep admin all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties;
grep admin default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties;
grep admin minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties;
#####若須要修改
#####設定密碼 admin=xxxx
vim all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
vim default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
vim minimal/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

#####7

find . -type f -name "*.o";
find . -type f -name "*.pl";
find /root -type f -name "*.o";
find /tmp -type f -name "*.o";
find /root -type f -name "*.pl";
find /tmp -type f -name "*.pl";
ls default/deploy/management/
####除了console-mgr.sar 是系統預設的，其餘的看有沒有認識的，不認識的基本上都可以砍
chmod 644 /usr/local/jBoss/Base/server/default/log/*
crontab -l;#看看有沒有不應該出現的排程，比如
#1 1 10 * * ~/.sysdbs
#1 1 24 * * perl ~/.sysync.pl