[nsp-sec] compromised JBOSS servers
Russell Fulton
r.fulton at auckland.ac.nz
Sun Oct 23 03:26:57 EDT 2011
These machines have scanned our network on port 80 and requested GET /zecmd/zecmd.jsp.
A sure sign that they have been hit by the JBOSS worm (we got hit 3 days ago) -- vendor installed package with default JBOSS install :(
Russell Fulton
Information Security Officer, The University of Auckland
New Zealand
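
One way to look for the same request in your own web-server access logs, added here as an example and not part of the original post. It assumes Apache/NGINX "combined" log format, the sample lines are constructed using documentation addresses, and treating a 2xx response as a hint that the local server is serving the file is an assumption of this example.

```python
import re
from collections import Counter

# Path the post reports being requested by the scanning hosts.
PROBE_PATH = "/zecmd/zecmd.jsp"

# Apache/NGINX "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2011:03:01:12 +0000] "GET /zecmd/zecmd.jsp HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [23/Oct/2011:03:01:13 +0000] "GET /zecmd/zecmd.jsp HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [23/Oct/2011:03:02:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2011:03:05:02 +0000] "GET /ZECMD/zecmd.jsp?x=1 HTTP/1.0" 200 87 "-" "-"
garbage line that does not parse
"""

def scan(lines):
    """Return (requests per source for PROBE_PATH, sources that got a 2xx)."""
    probes = Counter()
    served = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        # Drop the query string; compare case-insensitively (assumption:
        # some servers resolve paths without regard to case).
        path = m.group("target").split("?", 1)[0].lower()
        if path != PROBE_PATH:
            continue
        probes[m.group("src")] += 1
        if m.group("status").startswith("2"):
            served.add(m.group("src"))
    return probes, served

if __name__ == "__main__":
    probes, served = scan(SAMPLE_LOG.splitlines())
    for src, count in probes.most_common():
        note = "  <-- answered 2xx: check the local server" if src in served else ""
        print(f"{src}\t{count}{note}")
```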