...
1. Locate the <security-constraint> element (around line 101) in the file
jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
...
To determine if your JBoss instance has been compromised, look in directory
jboss-5.1.0.GA/server/default/deploy/management/
If you see the directory
iesvc.war
then your instance has been infected.
The blog entry below has worm removal and detection information:
http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server
...
3. Lastly, change the JMX console password. In the Bedework quickstart configuration the userid and password are found in the file jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties
If you followed the instructions to secure Bedework during your initial installation (see https://wiki.jasig.org/display/BWK37/BW+3.7+Securing+Bedework ), you may have already changed the JMX console password.
...
4. Note that it is not good practice to run any web service as a privileged user (e.g. "root"). Therefore, to minimizie your risk overall, you should run JBoss under an unprivileged account.