ransomware, blackmail
Image by Kaptnali from Thinkstock.com

About 3.2 million servers running unpatched versions the open source JBoss application server are at risk of hosting and delivering ransomware, according to researchers at Cisco Systems. But the company also warns that a group of them are at very high risk.

“We found just over 2,100 backdoors installed across nearly 1,600 ip addresses,” the company said in a blog posting on Friday. Specifically, a number of these systems had Follett Corp.’s Destiny library management system for tracking school library assets.

Follett quickly created a system that not only patches all systems from version 9.0-13.5, but also captures any non-Destiny files that were present on a server to help remove any existing backdoors. “It is imperative, given the wide reach of this threat, that all Destiny users ensure that they’ve taken advantage of this patch,” says Cisco.

JBoss is a Java EE-based server, originally developed by JBoss LLC but since 2006 owned by Red Hat Inc. Cisco warned at the end of March that attackers had found a vulnerability in it to upload a webshell for remote control of the server. Often attackers use JexBoss, an open source hacking tool for testing and exploiting JBoss application servers, to find servers they can leverage. Once inside the network the SamSam ransomware is uploaded, which then spreads to Windows PCs.

The discovery of the JBoss problem came after a “customer engagement,” Cisco said, which led it to scan the Internet for vulnerable servers.

“In this process we’ve learned that there is normally more than one web shell on compromised JBoss servers and that it is important to review the contents of the jobs status page. We’ve seen several different backdoors including “mela”, “shellinvoker”, “jbossinvoker”, “zecmd”, “cmd”, “genesis”, “sh3ll” and possibly “Inovkermngrt” and “jbot”. This implies that that many of these systems have been compromised several times by different actors.”

As this advisory from US-CERT states, web shells can be delivered through a number of web application exploits or configuration weaknesses including cross-site scripting, SQL injection, vulnerabilities in applications/services, file processing vulnerabilities and exposed admin interfaces.

Because they can be easily modified web shells can be difficult to detect. US-CERT says admins should be suspicious of abnormal periods of high site usage (due to potential uploading and downloading activity), files with an unusual timestamp (e.g., more recent than the last update of the web applications installed); suspicious files in Internet-accessible locations (web root); files containing references to suspicious keywords such as cmd.exe or eval; unexpected connections in logs. (For example a file type generating unexpected or anomalous network traffic; and any evidence of suspicious shell commands, such as directory traversal, by the web server process.

If you find evidence of a web shell, disconnect the server immediately from the network.

And to ensure your system isn’t available for any exploit, patch and update all systems as soon as practical.