I have a server running SPARC 64 bit and Solaris 10. One of my client's security team found this issue:
Code:
HTTP_JRun_Double_Slash
Description :
Macromedia JRun could allow a remote attacker to bypass authentication and gain access to the Web administration interface. A remote attacker could send a specially-crafted URL request to the Web
Administration interface appended with an extra forward-slash character to bypass authentication and gain unauthorized access to administrative functions
How to remove this vulnerability
Apply the appropriate patch for your system, as listed in Macromedia Product Security Bulletin MPSB02-06. See References.
I don't understand what that means. Does it mean I should patch the JRun on my Solaris box? I looked for jrun on my servers and found no 'jrun' to be patched.
Yes, it is a very old one that none of my friends know about. The problem for me is that we don't use JRun on our server at all. What should I patch if there is no JRun on the server?
I checked the suspected hacking attempt URLs. They were like these lines:
Code:
http://www.[mywebsite].com//www.[mywebsite].comhttp//www.[mywebsite].comhttp//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi
http://www.[mywebsite].com//www.[mywebsite].comhttp//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi
http://www.[mywebsite].com//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi
note: replace mywebsite with a valid URL of course.
My analysis is that the user's workstation was infected by some kind of trojan or virus so that he accessed those [mywebsite] URLs constantly, at 5-minute intervals. Is that possible?
If that's the case then perhaps the firewall alert was only a false alarm, because I really don't see any hacking attempt in the URLs.
I'm not familiar with JRun but I would expect some files with JRun in their names to show up. Why not ask your client's security team what made them think JRun was installed?
I already mentioned why the JRun issue showed up in the 3rd post.
Their firewall detected the false URLs as hacking attempts, while the URLs looked trojan-caused to me.
I also found that if you have JRun installed, you will have JRun's variable in your environment.
I checked them all and am pretty sure now that the server doesn't have any JRun on it.
So I guess I'm just gonna close the thread.
Thanks a lot for your help, Sir.
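Added example, not part of the thread or of any firewall's own logic: a small triage script that separates requests whose path merely contains an extra slash from requests like the ones quoted above, where whole host names are embedded in the path. The host names, paths and the three-label heuristic are assumptions made for this example.

```python
import re

# Heuristic (an assumption of this example): a path segment looks like a host
# name when it has at least three dot-separated labels ending in letters.
# Two-label names are skipped on purpose so "index.html" is not mistaken for one.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$", re.I)
FULL_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*(/.*)?$", re.I)

def request_path(url_or_path):
    """Accept a full URL or an access-log path; return the path without query."""
    m = FULL_URL.match(url_or_path)
    path = (m.group(1) or "/") if m else url_or_path
    return path.split("?", 1)[0]

def triage(url_or_path):
    """Return (verdict, host-like segments found directly after a '//')."""
    path = request_path(url_or_path)
    if "//" not in path:
        return ("no-double-slash", [])
    segs = path.split("/")
    # segs[0] is the empty string before the leading "/"; any later empty
    # segment marks a "//", and the segment after it is the one inspected.
    hosts = [segs[i + 1] for i in range(1, len(segs) - 1)
             if segs[i] == "" and HOSTLIKE.match(segs[i + 1])]
    if hosts:
        # Host names inside the path: consistent with a client resolving a
        # malformed link against the site, not with a request for a site path.
        return ("embedded-host", hosts)
    # Only an extra slash: the shape the signature description talks about,
    # so check which application actually serves that path.
    return ("bare-double-slash", [])

# Constructed samples shaped like the URLs in the thread, with placeholder hosts.
SAMPLES = [
    "http://www.example.test//www.example.testhttp//www.example.testhttp//tracker.example.net/p/imc/data.cgi",
    "http://www.example.test//www.example.testhttp//tracker.example.net/p/imc/data.cgi",
    "http://www.example.test//tracker.example.net/p/imc/data.cgi",
    "/admin//",        # constructed: extra slash only
    "/index.html",     # constructed: ordinary request
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), sample)
```

An "embedded-host" verdict that repeats at a fixed interval from one client supports the false-alarm reading; a "bare-double-slash" verdict still needs the check for whether the affected product is installed at all.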