Security researchers at Cisco's Talos group have discovered a large number of vulnerable internet-connected systems running out-of-date JBoss installations, with thousands of servers already compromised.
JBoss is a Java-based application server, delivered by enterprise Linux vendor Red Hat.
The Talos researchers said they found just over 2100 backdoors installed in around1600 IP addresses when they scanned for vulnerable systems.
The systems were running webshells for unauthorised remote access and control of the compromised server. Many of the vulnerable systems had been compromised more than once, and were running multiple different backdoors.
In total, the researchers estimate that around 3.2 million machines are at risk from being abused. Several JBoss servers were being exploited with the JexBoss (JBoss verify and EXploitation Tool) open source software as part of a global ransomware delivery campaign in March this year.
Attackers have been targeting educational software developer Follet's Destiny library management system, which is sold worldwide including in Australia.
Follett is aware of the vulnerability and will work with Talos to analyse webshells on compromised servers. The company is urging customers to patch their Destiny systems.