[nsp-sec] JBoss worm

Rob Lowe rlowe at redhat.com
Thu Oct 20 19:17:54 EDT 2011


Hi,

There is a recent worm targeting a patched vulnerability
(CVE-2010-0738) in JBoss Web Application Server. Red Hat's public
statement about this can be found here:

http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

The worm uses the following dynamic DNS domains (as far as we know,
these haven't resolved, yet):

magicstick.dyndns-remote.com
bnet.doesntexist.org

DynDNS abuse@ has been notified, but if someone here can help ensure
they get stomped, I'd appreciate it.

You may wish to check any JBoss installations for attempted
resolutions of these domains or other noisy scan/sploit activity. It's
possible that vulnerable JBoss servers have been packaged in other 3rd
party applications, one that's been confirmed is ExLibris.

We'd welcome any additional intel or mitigation assistance. We have a
copy of the malware (but just not me, personally) and I can probably
provide to anyone who's interested.

The above URL can be shared freely, but I'd prefer the other details
be kept within the NSP-SEC membership, please.

Cheers,
Rob.
-- 
Rob Lowe                      | Red Hat Asia-Pacific
Information Security Analyst  | http://www.redhat.com
Phone: +61 (0)7 35148244      | rlowe at redhat.com
5272 504B 6A97 415C 2EB2  E7B9 EDE4 0A83 CD9F E7A4

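One way to do the log check the post suggests, as an added example that is not part of the original message or of any Red Hat tooling: it scans BIND-style DNS query-log lines (the log format and the sample lines are assumptions I constructed) for lookups of the two listed dynamic DNS domains or of any name beneath them, and reports which client asked.

```python
import re
from typing import Dict, Iterable, List

# The two dynamic DNS domains named in the post. A lookup of either
# (or of any label beneath them) from a JBoss host is worth a look.
WORM_DOMAINS = ("magicstick.dyndns-remote.com", "bnet.doesntexist.org")

# BIND-style query log line (assumed layout), e.g.
# "20-Oct-2011 10:01:02.123 client 10.0.0.5#53412: query: www.example.com IN A + (10.0.0.1)"
_QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def _normalize(name: str) -> str:
    # Drop the trailing dot of a fully qualified name and ignore case.
    return name.rstrip(".").lower()


def is_worm_domain(qname: str) -> bool:
    """True if qname is one of the listed domains or a subdomain of one.

    The "." + d check keeps look-alikes such as notbnet.doesntexist.org
    from matching on a bare suffix comparison.
    """
    q = _normalize(qname)
    return any(q == d or q.endswith("." + d) for d in WORM_DOMAINS)


def scan_query_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per query-log line that resolves a listed domain."""
    hits = []
    for line in lines:
        m = _QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (or a different layout): skip it
        if is_worm_domain(m["qname"]):
            hits.append({"ts": m["ts"], "src": m["src"],
                         "qname": _normalize(m["qname"]), "qtype": m["qtype"]})
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "20-Oct-2011 10:01:02.123 client 10.0.0.5#53412: query: www.example.com IN A + (10.0.0.1)",
    "20-Oct-2011 10:01:03.456 client 10.0.0.7#40001: query: MagicStick.dyndns-remote.com. IN A + (10.0.0.1)",
    "20-Oct-2011 10:01:04.789 client 10.0.0.7#40002: query: cnc.bnet.doesntexist.org IN A + (10.0.0.1)",
    "20-Oct-2011 10:01:05.000 client 10.0.0.9#40003: query: notbnet.doesntexist.org IN A + (10.0.0.1)",
    "this line is not a query record and is skipped",
]

if __name__ == "__main__":
    for hit in scan_query_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} asked for {hit['qname']} ({hit['qtype']})")
```

Point the script at the resolver logs of the hosts that run JBoss rather than at the resolver as a whole, so the source address in each hit identifies the server to check.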
