Ahhh, they shut it down already. It was a page with links to login to their JBOSS admin pages and such. You needed passwords, of course, but still, not the sort of thing you want clients to randomly stumble across.

Bloody hell, that is an instant, trust destroying, security cock-up. You can set JBoss to bind to a separate IP address (i.e. one not publicly accessible etc.) for all management functions, it is a simple configuration change.