From David Tyler <>
Subject Active malware exploits of tomcat manager app
Date Sat, 04 Oct 2008 11:47:43 GMT
There are increasing reports starting in July of 2008 and rising through August and September
of an active exploit involving the default credentials for the tomcat manager app (not version

I am writing to suggest the tomcat devs take some simple steps to help prevent novice
users from becoming targets.  More below...

I have encountered the malware in late September 2008.  Here is what I have found:

1)  There are several variants such as: fexcep.war OR fexcepkillshell.war OR fexcepshell.war
OR fexcepspshell.war OR fexception.war OR fexshell.war OR fexsshell.war

2)  It appears to be distributed using an automated scanner that looks for the manager app
running on Tomcat port 8080 with the default password still intact: admin / admin.  We were
exploited on multiple live servers across different subnets, indicating active scanning for
vulnerable hosts is occurring.

3)  The code uploads and deploys a webapp to Tomcat through the manager app that:
a)  Checks if the OS is windows.  If not it terminates.
b)  If it is windows... then some variants immediately download and execute a binary from
one of several possible servers.  The binary presumably contains further malware.
c)  Other variants apparently wait to be invoked again by an external host that will provide
the URL of a binary to download and execute.

I have found posts on several mailing lists of users who are infected by this and are unaware
of how it was installed.

Given the widespread and increasing nature of this exploit, I think it would be prudent of
the tomcat devs to alter the default installation to disable the tomcat manager by default
or otherwise somehow require a non-default password to be set.  True, this is not a bug of
Tomcat, but it would help protect users if the default behavior prevented the inadvertent
opening of this backdoor entry point.

Best Regards.
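As an added example (not part of the original message or of Tomcat itself), here is a small defender-side check for the two conditions the post describes: a `tomcat-users.xml` that still grants the manager role on a stock password, and access-log entries showing the manager text interface deploying a context whose name matches one of the reported WAR variants. The XML and log lines are constructed samples; the log is assumed to be in common log format and the deploy request to be the text-interface form (`PUT /manager/deploy?path=...`).

```python
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml: a stock-looking file that still grants the manager role to admin/admin.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="admin" roles="manager"/>
  <user username="deploy" password="s3cr3t-Long-Pass" roles="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>"""

# Constructed access-log lines (common log format): one manager deployment of a reported WAR name, plus benign traffic.
ACCESS_LOG = """\
10.0.0.5 - admin [22/Sep/2008:03:14:07 +0000] "PUT /manager/deploy?path=/fexcepshell&update=true HTTP/1.1" 200 54
10.0.0.9 - - [22/Sep/2008:03:14:09 +0000] "GET /fexcepshell/index.jsp HTTP/1.1" 200 12
192.168.1.2 - deploy [22/Sep/2008:09:00:00 +0000] "PUT /manager/deploy?path=/billing HTTP/1.1" 200 54
10.0.0.9 - - [22/Sep/2008:09:05:00 +0000] "GET /docs/index.html HTTP/1.1" 200 800
"""

DEFAULT_PASSWORDS = {"admin", "tomcat", "manager", "password", ""}
# Context-path prefixes covering every variant named in the post (fexcep* covers fexception, fexcepkillshell, etc.).
VARIANT_PREFIXES = ("fexcep", "fexshell", "fexsshell")
# Text-interface deploy/install requests carry the target context in the path= query parameter.
DEPLOY_RE = re.compile(r'"(?:PUT|GET) /manager/(?:deploy|install)\?[^"]*?path=/([^&\s"]+)')

def weak_manager_users(xml_text):
    """Usernames with the manager role whose password is a stock default or equals the username."""
    root = ET.fromstring(xml_text)
    flagged = []
    for user in root.iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "manager" not in roles:
            continue
        pw = user.get("password", "")
        if pw.lower() in DEFAULT_PASSWORDS or pw == user.get("username"):
            flagged.append(user.get("username"))
    return flagged

def suspicious_deployments(log_text):
    """(client_ip, context_path) for manager deployments matching a reported malicious WAR name."""
    hits = []
    for line in log_text.splitlines():
        m = DEPLOY_RE.search(line)
        if m and m.group(1).lower().startswith(VARIANT_PREFIXES):
            hits.append((line.split()[0], m.group(1)))
    return hits
```

Running both checks against a real install means pointing them at `conf/tomcat-users.xml` and the `logs/localhost_access_log.*` files; a non-empty result from either is the condition the post asks the defaults to prevent.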

