资源描述
修复JBoss漏洞操作手册
中毒现象:
1. ps axf看到多出了很多进程,尤其是有pnscan这个进程,它会对外扫描整个网络,导致网络拥塞:
sh -c ./pnscan -r JBoss -w "HEAD / HTTP/1.0\r\n\r\n" -t 6400 61.223.0.0/16 8080 > /tmp/sess_008802541
2. crontab -l看到多出了,有些中毒的则没有这个现象:
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
1 1 10 * * /root/.sysdbs
1 1 24 * * /root/.sysync.pl
3. ${JBOSS_HOME}/bin/多出了好多文件,这些文件的owner为未知(比如为1000):
a.tar.gz
bm.c
bm.h
bm.o
flu.pl
fly.pl
install-sh
ipsort
kisses/
kisses.tar.gz
kisses.tar.gz.1
linda.pl
lindb.pl
Makefile
pnscan
pnscan.c
pnscan.o
version.c
version.o
修改:
1.清除JBOSS后门程序:(all(default,minimal)这三个目录下都需要检查一下并做对应的处理。)
#
${JBOSS_HOME}/server/all(default,minimal)/deploy/management/
将该目录下的 iesvc.war wstats.war zecmd.war zmeu.war 等删除。
只留下console-mgr.sar
2. 修改jboss配置:
一、JMX安全设置:(all(default,minimal)这三个目录下都需要检查一下并做对应的处理。)
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<!--
<http-method>GET</http-method>
<http-method>POST</http-method>
-->
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
把GET和POST两行注释掉,同时security-constraint整个部分不要注释掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/jmx-console.war/WEB-INF/jboss-web.xml
<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
<-->
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
把security-domain注释去掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/conf/props/jmx-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=emsppassword123
修改admin密码
二、WEB-CONSOLE安全设置:(all(default,minimal)这三个目录下都需要检查一下并做对应的处理。)
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<!--
<http-method>GET</http-method>
<http-method>POST</http-method>
-->
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
把GET和POST两行注释掉,同时security-constraint整个部分不要注释掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
-->
<security-domain>java:/jaas/web-console</security-domain>
把security-domain注释去掉。
# vi ${JBOSS_HOME}/server/all(default,minimal)/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin= emsppassword123
修改admin密码
最后启动jboss生效。
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
