Apparently someone from "The Computer Guy" IP range (or someone acting 
as someone from there) got rcp.exe to run on my machine, attempting to 
contact 216.30.236.32 port 514.  I detected this with ZoneAlarm. 


The reason I'm posting here is because I've just installed JBoss and 
MySQL on my machine, and until this point, I have never had this type 
of attack before.  It happened right around the time I accessed the 
JBoss JMX console for the first time from over the Internet (I accessed 
my home PC from work).  I have a non-static IP, so I'm running the 
No-IP DUC so I can find my machine on the Internet. 


Could someone wager a guess as to what happened at 8:42 this morning? 
What was attempted?  How was it done?  I password protected my JBoss 
JMX and Management consoles, but of course it's only with basic 
authentication, which is really nothing if someone wants to snoop.  Is 
there something in one of the interfaces that get installed with JBoss 
that would allow for someone to start a remote copy? 


Thanks. 


--Dale-- 


-----------DETAILS--------------


Description      TCP/IP Remote Copy Command requested permission to 
access the internet. 
Rating           High 
Date / Time      2005/04/01 08:42:04-5:00 GMT 
Type             New Program 
Program          C:\WINDOWS\system32\rcp.exe 
Source IP 
Destination IP   216.30.236.36:514 
Direction        Outgoing (connect) 
Action Taken     Blocked (once)/Manual 
Count            1 


CustName:   The Computer Guy 
Address:    5306 McCorkle Ave 
City:       Charleston 
StateProv:  WV 
PostalCode: 25302 
Country:    US 
RegDate:    2004-06-23 
Updated:    2004-06-23 


NetRange:   216.30.236.32 - 216.30.236.39 
CIDR:       216.30.236.32/29 
NetName:    CUST-THECOMPUTERGUY-216-NET1 
NetHandle:  NET-216-30-236-32-1 
Parent:     NET-216-30-192-0-1 
NetType:    Reassigned 
Comment: 
RegDate:    2004-06-23 
Updated:    2004-06-23 


OrgTechHandle: FIA2-ARIN 
OrgTechName:   FiberNet IP Administrator 
OrgTechPhone:  +1-304-720-0200 
OrgTechEmail:  [EMAIL PROTECTED] 




View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872431#3872431
