We just had a breach of one of our servers, where an intruder got access using the JBoss account and started running exploit scripts. The server has been taken offline and is being investigated, but I'm curious about how he got in.

Are there any known vulnerabilities in JBoss 4.x.x that would allow an intruder to run a shell script through that account?

AviD
mikek

2 Answers

There is this JBoss Application Server Remote Exploit (CVE-2010-0738) that was published recently.
The exploit works for JBoss running on both Linux and Windows platforms. When the exploit is successful, it will return a command prompt or a shell to the attacker.

Mark Davidson
In addition to the vulnerability that Mark mentioned, there are also some freely available tools which are designed to make taking over JBoss servers easier, such as jboss-autopwn. If they successfully exploit the server they can deliver Metasploit payloads, which include the ability to get a shell.

Rory McCune