The incident stems from the recent wave of widely spreading ransomware. Cisco security researchers reported that, in a large number of the cases they investigated and analysed, the attacker exploited vulnerabilities in the JBoss Java application platform to break into enterprise servers and then spread the ransomware to all clients connected to those servers.

Cause: the rampant spread of the SamSam ransomware

The SamSam ransomware, also known as Samas, was discovered by Microsoft in mid-March of this year. Following the discovery, the FBI issued a warning to all businesses that the ransomware can infect corporate IT infrastructure by exploiting vulnerabilities in JBoss, and reminded enterprise users to pay attention to detection and protection. Intel and Cisco subsequently both published reports and technical analyses covering the ransomware's author and its implementation approach, which clearly confirmed the reliability of what Microsoft and the FBI had found. According to the analysis, the SamSam operators break in by exploiting vulnerabilities in older versions of the JBoss platform running on servers at public and private institutions.

In-depth investigation and analysis finds more infected servers

After these preliminary investigations, Cisco carried out in-depth research into how widespread the JBoss platform vulnerabilities are. Cisco's research shows that about 320 million web servers are currently running JBoss versions that have not been updated. Using files left behind by some of the backdoors it had obtained, Cisco was also able to scan those 320 million servers for the presence of a backdoor. This search confirmed 2,100 servers that had already been compromised, running on 1,600 different IP addresses.
Generally, if the backdoor goes undetected, the server simply waits for the extortionist to deliver a ransomware payload and carry out the infection. Most of the compromised servers belong to schools, government, airlines and organisations in other industries.

Other backdoors have been found

In addition to the backdoor file used in the earlier SamSam infections, the researchers said they also found other "well-known" backdoor programs, such as "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd", "genesis", "sh3ll" and possibly "Inovkermngrt" and "jbot". The following is a partial list of suspicious backdoor files, provided for reference:

jbossass.jsp
jbossass_jsp.class
shellinvoker.jsp
shellinvoker_jsp.class
mela.jsp
mela_jsp.class
zecmd.jsp
zecmd_jsp.class
cmd.jsp
cmd_jsp.class
wstats.jsp
wstats_jsp.class
idssvc.jsp
idssvc_jsp.class
iesvc.jsp
iesvc_jsp.class

The presence of these backdoors suggests that the operators behind SamSam are not the only attackers who know of and exploit the JBoss platform vulnerabilities.

On discovering these threats, Cisco began notifying affected parties. In many of the infection cases, some of the affected school servers ran a library management system named "Destiny", developed by a company called Follett, which is used for managing library assets and uses JBoss as its application platform. During this investigation Cisco received strong support from Follett and worked out a complete solution with it. Reportedly, Follett runs a very impressive patching system that can fix all system versions from version 9 to version 13.5, upgrading its users so that the JBoss vulnerabilities cannot be exploited. It even scans the user's server for files that are not part of the "Destiny" system, effectively discovering and removing suspicious backdoors from the user's server environment.
Backdoor detection and tools

To test system files and check whether a backdoor is present, Cisco tracked the backdoor code using an open source penetration testing tool named JexBoss. The tool can be downloaded from GitHub.

Following these findings, the United States Computer Emergency Readiness Team (US-CERT) issued a global advisory recommending that all application system administrators promptly check their own application servers for the presence of a webshell.
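One way an administrator could run the check recommended above against the suspicious file list given earlier, as an added example that is not Cisco's, Follett's or US-CERT's tooling. The function names and the sample directory tree are assumptions constructed for illustration; on a real server, point scan_tree at the JBoss installation directory.

```python
import hashlib
import os
import tempfile

# Base names taken from the article's list of suspicious backdoor files.
BACKDOOR_BASENAMES = ("jbossass", "shellinvoker", "mela", "zecmd",
                      "cmd", "wstats", "idssvc", "iesvc")
# Each one is listed as a JSP source file and as its compiled class.
SUSPICIOUS_NAMES = ({f"{b}.jsp" for b in BACKDOOR_BASENAMES}
                    | {f"{b}_jsp.class" for b in BACKDOOR_BASENAMES})

def sha256_of(path):
    """Hash in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root):
    """Return sorted (path, size, mtime, sha256) tuples for name matches under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPICIOUS_NAMES:  # case-insensitive match
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                hits.append((path, st.st_size, int(st.st_mtime), sha256_of(path)))
    return sorted(hits)

def make_constructed_tree():
    """Build a throwaway directory tree (constructed sample, not real data)."""
    root = tempfile.mkdtemp(prefix="jboss_scan_demo_")
    samples = {
        "deploy/app.war/index.jsp": b"<html>ok</html>",        # benign page
        "deploy/app.war/cmd.jsp.bak": b"not matched",           # name differs
        "tmp/work/jbossass.jsp": b"constructed placeholder",    # listed name
        "tmp/work/Zecmd_jsp.class": b"constructed placeholder"  # listed, mixed case
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for hit in scan_tree(make_constructed_tree()):
        print(*hit, sep="\t")
```

A name match is a lead for manual review rather than proof of compromise, since a generic name such as cmd.jsp can be legitimate and a renamed backdoor will not match. The modification time and hash in each result help correlate a hit with other logs.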