How We Detected and Eliminated a Struts2 Mining Malware Attack

1. Origin

Recently mining malware became popular, and we also encountered a Struts2 vulnerability. Here we share the situation.

2. Process

View services:

View service hardware:

Shows a VMware virtual machine.

Check processes:

There were many processes, so we trimmed some, keeping only useful ones.

Check network listeners:

Except for zabbix_agentd, nagios nrpe, mfsmount, and sshd, all other ports are listened by Java business processes.

Check suspicious processes:

Service login records:

Service login records (duplicate):

sshd online status:

3. Eliminate the hacker

Terminate suspicious processes to interrupt hacker activity.

Time taken to investigate hacker files:

4. Problem analysis

The vulnerability lies in Struts2; certain versions execute code from the HTTP request header's Content‑Type.

Attackers can exploit this to modify commands on the server, create backdoors, turn the server into a DDoS bot or mining tool, and potentially cause data leakage.

Solution

Based on the malware characteristics, write scripts to scan every minute and terminate malicious processes, ensuring no execution environment.

According to the intrusion location, periodically delete executable files in the relevant directories.

Reduce JBoss process privileges by running it as a non‑root user to prevent post‑compromise tampering.

Follow Apache and security site recommendations to modify Struts2's handling of Content‑Type, rejecting illegal content execution.

Upgrade Struts2 to a fixed version.

Attachment

Struts2 detection script