
Long story short, he was running an instance of JBoss that had a vulnerability that allows an attacker to execute commands as the JBoss user and ended up Bitcoin mining on his VPS. Isn't JBoss one of these bloated “enterprisey” JVM container frameworks? I would think something like Play/vert.x would suit the likes of a small VPS better.


Well, his choice of runtime was well over 5 years old (JBoss 4), and apparently not being kept up to date. I bet there are plenty of frameworks with security holes when not updated for five years. It also sounds like he may have been exposing the entire app server via his frontend proxy.

Both mistakes are amazingly easy to fall into, unfortunately.


JBoss is the least bloated of the container frameworks, since it allows you to rip out all of the bits of the J2EE environment you aren't actually using (profile thinning).

Using software released in 2004 without patching up vulnerabilities is probably a more significant problem.


Back when it was J2EE, development was bloated with interfaces, implementations and XML files you had to create for each EJB. JavaEE is POJO based and is actually very light-weight. JBoss itself is a micro-kernel with a bunch of services plugged in, so you can actually configure a very small server instance that is still compliant with the API specifications.

I was ready to give up on JavaEE around version 1.4, but it's so much fun to program JavaEE now. A lot more like TurboGears or RoR (lots of meta-programming and default "scaffolding").


Choice of framework is not that important. The real problem was (and, judging from the article, it's still not fixed) that his server has write access to directories it can execute code from.

I mean, this is a classic example of badly configured filesystem permissions.
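A check for the permission problem this comment describes, added here as an example (not code from the thread or from JBoss): given the account the app server runs as and its deploy tree, it lists every path that account could write to, using plain POSIX mode bits. The function names, the CLI arguments and the `deploy/` path are assumptions.

```python
"""Audit which paths under a code/deploy tree a service identity could write.

Models the rule that the server process should not be able to write to
directories it executes code from. POSIX owner/group/other mode bits only;
ACLs, immutable flags and MAC policies (SELinux/AppArmor) are not consulted.
"""
import os
import stat
from typing import Iterable, List


def can_write(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Classic DAC check: owner bits, else group bits, else other bits."""
    if uid == 0:  # root is not constrained by mode bits
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_code_paths(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return every directory or file under root that (uid, gids) could modify.

    A writable *directory* is the worst case: it lets the process drop a new
    deployable (e.g. a WAR into a deploy/ directory) even when every existing
    file is read-only. Symlinks are skipped so a link pointing outside the
    tree cannot widen or distort the result.
    """
    gids = set(gids)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        # The directory itself first, then the plain files inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if can_write(st, uid, gids):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    import argparse
    import pwd
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("root", help="code tree, e.g. <jboss>/server/<profile>/deploy (assumed layout)")
    ap.add_argument("user", help="account the app server runs as")
    args = ap.parse_args()
    pw = pwd.getpwnam(args.user)
    for p in writable_code_paths(args.root, pw.pw_uid, os.getgrouplist(args.user, pw.pw_gid)):
        print("WRITABLE:", p)
```

Any line printed for a deploy or library directory is the misconfiguration the comment is talking about: the service account should own nothing there it can write.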


This is one of the things that scares me about deploying PHP apps. I'm being asked to take over hosting a couple of Joomla & WordPress sites at work, and find it terrifying that they both ask for permission to install PHP scripts. I much prefer having a clear separation, but it seems that that isn't really an option.


Yes, PHP has weaker security but fast implementation because it allows direct database access from the front pages. There is a lot of discussion about it. I always disable PHP on the HTTPD to avoid potential issues.


Play is one thing, Vert.x is another.

You deploy Play apps inside an application container (like JBoss, Tomcat, Jetty, etc.)

Vert.x is based on Netty and thus it is not running on an application container.

I'd say that Vert.x or Netty based apps are safer from this point of view, but there may be some other kind of vulnerabilities for them.

Also, it's important to note that the owner of the VPS instance didn't take proper precautions: "I overlooked the deployment of the web console and HTTP Invoker and I paid for that". If you go by the book and do everything right, JBoss and other application containers are safe to use.


No, JBoss is an Application Server. If you used something like Play, you could deploy to JBoss (though Play doesn't require it).



