JBoss Vulnerability Remediation Operations Manual
Symptoms of infection:
1. ps axf shows many extra processes, in particular pnscan, which scans the whole network outbound and causes network congestion:
sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
2. crontab -l shows extra entries (some infected hosts do not show this symptom):
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
3. ${JBOSS_HOME}/bin/ contains many extra files whose owner is an unknown uid (for example 1000):
a.tar.gz bm.c bm.h bm.o flu.pl fly.pl install-sh ipsort kisses/
kisses.tar.gz kisses.tar.gz.1 linda.pl lindb.pl Makefile
pnscan pnscan.c pnscan.o version.c version.o
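The three symptom checks above can be collected into one triage script. The script below is an added example and is not part of the original manual; the ps and crontab samples embedded in it are constructed to mirror the symptoms listed above, and the path /opt/jboss and the service account name jboss are assumed defaults, not values from the manual.

```shell
#!/bin/sh
# Added example: triage checks for the three infection symptoms listed
# above. Not part of the original manual. Each check reads from stdin or a
# directory argument so it works on saved output as well as on a live host.
set -eu

# Process patterns the manual associates with this infection.
IOC_PROC='pnscan|/root/\.sysdbs|/root/\.sysync\.pl'
# Files the manual lists as dropped into ${JBOSS_HOME}/bin.
IOC_FILES='a.tar.gz bm.c bm.h bm.o flu.pl fly.pl install-sh ipsort kisses
kisses.tar.gz kisses.tar.gz.1 linda.pl lindb.pl Makefile pnscan pnscan.c
pnscan.o version.c version.o'

# Symptom 1: pipe `ps axf` (or a saved copy) in; prints matching process lines.
suspicious_processes() { grep -E "$IOC_PROC" || true; }

# Symptom 2: pipe `crontab -l` in; prints non-comment entries that run a
# hidden file under /root, the pattern used by the two cron entries above.
suspicious_cron() { grep -E '^[^#].*/root/\.[^[:space:]]+' || true; }

# Symptom 3a: files in a directory matching the dropper names, listed with
# numeric owner (ls -n) so an unknown uid such as 1000 is visible.
dropped_files() {  # $1 = directory, normally ${JBOSS_HOME}/bin
  for f in $IOC_FILES; do
    [ -e "$1/$f" ] && ls -ldn "$1/$f"
  done
  return 0
}

# Symptom 3b: anything in the directory not owned by the expected service
# account (on the victims the dropped files belonged to an unknown uid).
foreign_owned_files() {  # $1 = directory, $2 = expected owner
  find "$1" -mindepth 1 -maxdepth 1 ! -user "$2"
}

# Constructed samples (not captured from a real host) mirroring the symptoms.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 2310 ?        S      0:00 sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
 1877 ?        Sl     1:02 java -Dprogram.name=run.sh org.jboss.Main -c default'
SAMPLE_CRON='1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Number of hits in the constructed samples (used by the stand-alone run).
sample_process_hits() { printf '%s\n' "$SAMPLE_PS" | suspicious_processes | wc -l | tr -d ' '; }
sample_cron_hits()    { printf '%s\n' "$SAMPLE_CRON" | suspicious_cron | wc -l | tr -d ' '; }

# Live run: sh triage.sh live [JBOSS_HOME] [service user]
if [ "${1:-}" = live ]; then
  JBOSS_HOME=${2:-/opt/jboss}   # assumed default path
  SVC_USER=${3:-jboss}          # assumed service account
  echo "== processes ==";                         ps axf | suspicious_processes
  echo "== root crontab ==";                      crontab -l 2>/dev/null | suspicious_cron
  echo "== dropper files in $JBOSS_HOME/bin ==";  dropped_files "$JBOSS_HOME/bin"
  echo "== files not owned by $SVC_USER ==";      foreign_owned_files "$JBOSS_HOME/bin" "$SVC_USER"
else
  echo "sample data: $(sample_process_hits) process hit(s), $(sample_cron_hits) cron hit(s)"
fi
```

Run it as root with the `live` argument on a suspect host; without arguments it only exercises the checks against the constructed samples. A hit in any of the three checks means the host should be treated as compromised and the cleanup steps below applied, not just the configuration change.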
Remediation:
1. Remove the JBoss backdoors (check each of the all, default and minimal server configurations and handle each accordingly):
In ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/ delete iesvc.war, wstats.war, zecmd.war, zmeu.war and any other unknown deployment; only console-mgr.sar belongs in that directory. Also kill the processes, remove the crontab entries and delete the files listed under the symptoms above, otherwise the host keeps scanning and can be re-infected after the configuration fix.
2. Change the JBoss configuration:
I. JMX console security settings (check the all, default and minimal configurations and handle each accordingly):
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <!--
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Comment out the two http-method lines (GET and POST) but leave the security-constraint block itself uncommented. With no http-method listed, the constraint applies to every HTTP method; if only GET and POST are listed, a request using any other verb (HEAD, for instance) reaches the console without authentication, which is the JBoss JMX console verb-tampering bypass (CVE-2010-0738). Note that the pnscan command listed under the symptoms probes targets with exactly such a HEAD request.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/jboss-web.xml
<jboss-web>
  <!-- Uncomment the security-domain to enable security. You will need to
       edit the htmladaptor login configuration to setup the login modules
       used to authentication users. -->
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
Remove the comment markers around the security-domain element (the file ships with it commented out, so the login module is never consulted).
# vi ${JBOSS_HOME}/server/all(default,minimal)/conf/props/jmx-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=emsppassword123
Change the admin password (the file ships with admin=admin; the value above is this site's own choice, use a strong one of your own). The role mapping lives in conf/props/jmx-console-roles.properties, which must keep admin=JBossAdmin so that the auth-constraint above admits this user.
II. web-console security settings (check the all, default and minimal configurations and handle each accordingly):
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <!--
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Comment out the GET and POST lines but leave the security-constraint block uncommented, for the same reason as for the JMX console: the constraint must cover every HTTP method, not just these two.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
<jboss-web>
  <!-- Uncomment the security-domain to enable security. You will need to
       edit the htmladaptor login configuration to setup the login modules
       used to authentication users. -->
  <security-domain>java:/jaas/web-console</security-domain>
</jboss-web>
Remove the comment markers around the security-domain element.
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=emsppassword123
Change the admin password here as well (the role mapping for this console is web-console-roles.properties in the same classes directory and must keep admin=JBossAdmin).
Finally, restart JBoss for the changes to take effect. After the restart, confirm that an unauthenticated request to /jmx-console/ and /web-console/ is refused for both GET and HEAD, and re-run the ps axf and crontab -l checks from the symptoms section to make sure nothing has come back.
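The cleanup (section 1) and the configuration hardening (section 2) can be applied and then verified with one script. The script below is an added example; it is not from the original manual or from the JBoss project. It assumes a JBoss 4.x tree under JBOSS_HOME (the default /opt/jboss is an assumption), that the two jboss-web.xml files contain nothing besides the commented-out security-domain element (true for the stock files, which is why the function rewrites them after taking a backup), and that curl is available for the live check; the password is a placeholder the caller supplies.

```shell
#!/bin/sh
# Added example, not from the manual: apply the section 1 and 2 remediation
# to a JBoss 4.x tree and verify it afterwards. Assumptions: the JBOSS_HOME
# layout used in the manual; the stock jboss-web.xml files hold only the
# commented-out security-domain element; curl is available for the live check.
set -eu

# Print a file with every <!-- ... --> comment removed, so the checks below
# only see configuration that is actually in effect (comments may span lines).
strip_xml_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (inc) {
        e = index(line, "-->")
        if (e == 0) { line = ""; break }
        line = substr(line, e + 3); inc = 0
      } else {
        s = index(line, "<!--")
        if (s == 0) { out = out line; break }
        out = out substr(line, 1, s - 1); line = substr(line, s + 4); inc = 1
      }
    }
    print out
  }'
}

# True if web.xml still has an active <http-method> in the constraint: listing
# only GET and POST leaves HEAD and every other verb unauthenticated.
has_method_filter()   { strip_xml_comments < "$1" | grep -q '<http-method>'; }
# True if jboss-web.xml has an active (uncommented) <security-domain>.
has_security_domain() { strip_xml_comments < "$1" | grep -q '<security-domain>'; }

# Section 2: drop the GET/POST lines. The manual comments them out; deleting
# them is idempotent even when they already sit inside a comment block, and
# the constraint then covers every method. The auth-constraint is untouched.
drop_method_filter() {  # $1 = web.xml
  cp "$1" "$1.bak"
  sed -E '/<http-method>(GET|POST)<\/http-method>/d' "$1.bak" > "$1"
}

# Section 2: enable the security domain. Assumes the stock file holds nothing else.
enable_security_domain() {  # $1 = jboss-web.xml, $2 = JNDI name
  cp "$1" "$1.bak"
  printf '<jboss-web>\n  <security-domain>%s</security-domain>\n</jboss-web>\n' "$2" > "$1"
}

# Section 2: replace the admin password in a *-users.properties file.
set_admin_password() {  # $1 = users.properties, $2 = new password
  { grep -v '^admin=' "$1" || true; printf 'admin=%s\n' "$2"; } > "$1.new"
  mv "$1.new" "$1"
}

# Section 1: remove every deployment in deploy/management except console-mgr.sar.
remove_backdoor_wars() {  # $1 = deploy/management directory
  for entry in "$1"/*; do
    [ -e "$entry" ] || continue
    case "$(basename "$entry")" in
      console-mgr.sar) ;;
      *) echo "removing $entry"; rm -rf "$entry" ;;
    esac
  done
}

# Post-restart live check: GET and HEAD without credentials must both get 401.
console_locked() {  # $1 = base URL, e.g. http://127.0.0.1:8080
  for path in /jmx-console/ /web-console/; do
    get=$(curl -s -o /dev/null -w '%{http_code}' "$1$path")
    head=$(curl -s -I -o /dev/null -w '%{http_code}' "$1$path")
    [ "$get" = 401 ] && [ "$head" = 401 ] || { echo "$path GET=$get HEAD=$head (want 401)"; return 1; }
  done
}

# Usage: sh harden.sh apply [JBOSS_HOME] <new password>   |   sh harden.sh verify [base URL]
case "${1:-}" in
  apply)
    JBOSS_HOME=${2:-/opt/jboss}; NEWPW=${3:?new admin password required}
    for cfg in all default minimal; do
      S="$JBOSS_HOME/server/$cfg"; [ -d "$S" ] || continue
      remove_backdoor_wars "$S/deploy/management"
      JMX="$S/deploy/jmx-console.war/WEB-INF"
      WEB="$S/deploy/management/console-mgr.sar/web-console.war/WEB-INF"
      [ -f "$JMX/web.xml" ] && { drop_method_filter "$JMX/web.xml"; enable_security_domain "$JMX/jboss-web.xml" java:/jaas/jmx-console; set_admin_password "$S/conf/props/jmx-console-users.properties" "$NEWPW"; }
      [ -f "$WEB/web.xml" ] && { drop_method_filter "$WEB/web.xml"; enable_security_domain "$WEB/jboss-web.xml" java:/jaas/web-console; set_admin_password "$WEB/classes/web-console-users.properties" "$NEWPW"; }
    done ;;
  verify) console_locked "${2:-http://127.0.0.1:8080}" ;;
esac
```

Run `apply` with JBoss stopped, restart JBoss, then run `verify`; a 200 on any HEAD request means the http-method lines are still active in that console's web.xml. The comment stripper exists because grepping the raw file is misleading: the stock files contain the very elements being checked, only inside comments.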