I am running a Glassfish server, and I recently noticed an application was deployed that I did not remember having deployed. The name of the application was completely unhelpful: "Sarketsdr".
On closer inspection, the offending application contained Java/JSP/JavaScript files, specifically meant to disclose the filesystem and grant shell access to persons unknown.
I've since removed the application and turned off the remote administration console. I plan on changing application servers, and keeping them properly updated.
I should also get some Intrusion Detection Systems going.
I've uploaded the files as gists.
File structure of Sarketsdr
File/Directory | Comments |
---|---|
aff.jsp | https://gist.github.com/maartenl/ddd99b927fc535a271b171a350fbe512 |
cj.jsp | https://gist.github.com/maartenl/dbfd8e11fb0767b06ee0f2d8c9d544bd |
emu.jsp | https://gist.github.com/maartenl/549dc20a5229560e34cebf0c38e422b8 |
index.jsp | https://gist.github.com/maartenl/cc96faa3feb78fdeeaeff8cc12e0700b |
mob.jsp | https://gist.github.com/maartenl/6deb7a1f277a6843ee34fe709b7ca5ec |
META-INF/ | |
META-INF/context.xml | |
META-INF/MANIFEST.MF | |
WEB-INF/ | |
WEB-INF/web.xml | |
I am working on securing my Glassfish installation in the meantime.
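As a first step towards the detection mentioned above, here is an added example (not part of the original post and not the contents of the gists): a small audit that flags deployed applications missing from an allowlist and JSP files that call the Java APIs needed to run commands or list the filesystem. The applications directory you point it at, the allowlist, and the sample tree built in `build_sample` are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Java APIs a JSP needs in order to run commands or walk the filesystem.
INDICATORS = {
    "command execution": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|ProcessBuilder"),
    "filesystem listing": re.compile(r"\.listFiles\s*\(|\.listRoots\s*\("),
}

def audit_apps(apps_dir, expected_apps):
    """Return (unexpected app names, {relative jsp path: [indicator labels]})."""
    apps_dir = Path(apps_dir)
    unexpected = sorted(p.name for p in apps_dir.iterdir()
                        if p.is_dir() and p.name not in expected_apps)
    suspicious = {}
    for jsp in sorted(apps_dir.rglob("*.jsp")):
        text = jsp.read_text(errors="replace")
        hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            suspicious[jsp.relative_to(apps_dir).as_posix()] = hits
    return unexpected, suspicious

def build_sample(root):
    """Constructed sample: one known app, one unknown app with placeholder JSPs."""
    root = Path(root)
    files = {
        "shop/index.jsp": '<%= request.getParameter("q") %>',
        "Sarketsdr/browse.jsp": "<% File[] fs = new File(dir).listFiles(); %>",
        "Sarketsdr/cmd.jsp": "<% Process p = Runtime.getRuntime().exec(cmd); %>",
        "Sarketsdr/WEB-INF/web.xml": "<web-app/>",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

def demo():
    # Run the audit over the constructed tree with "shop" as the only known app.
    with tempfile.TemporaryDirectory() as tmp:
        return audit_apps(build_sample(tmp), expected_apps={"shop"})

if __name__ == "__main__":
    unexpected, suspicious = demo()
    print("unexpected applications:", unexpected)
    for path, hits in suspicious.items():
        print(f"{path}: {', '.join(hits)}")
```

Legitimate applications can also use these APIs, so a hit is a prompt to review the file, while an application name missing from the allowlist is the stronger signal.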