This blog post is authored by Tazz.

Talos has continued to observe ongoing attacks leveraging the use of JBoss exploits. Through our research efforts, we have identified an additional 600 or so compromised hosts which contain webshells due to adversaries compromising unpatched JBoss environments. In response to this, Talos has been working to notify victims of these compromised hosts so that appropriate remediation may take place.This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, such as a list of the 500 most common webshells we have observed in the wild.

If your organization hasn't reviewed its contact information on file with your Internet Registrar lately, now would be a great time to do that. If you're not sure who your registrar is, you can find them here

  • AFRINIC - Africa Region
  • APNIC - Asia/Pacific Region
  • ARIN - Canada, USA, and some Caribbean Islands
  • LACNIC - Latin America and some Caribbean Islands
  • RIPE NCC - Europe, the Middle East, and Central Asia

We do understand that at times organizations are not able to share information. If this is the case, then if at all possible, we would greatly appreciate it if you can close the loop with us and let us know when a host has been remediated by sending an email to and include the IP address(es).

For more information on what to do for/with the compromised host, please see the Recommended Remediation section of our previous blog post on JBoss Backdoor:

Here is a list of over 500 webshells we have detected. The format if you want to check for one of the webshells on your host is http://<ip_address>/<webshell>