tomcat-users mailing list archives

From Mark Thomas
Subject Re: Possible virus uploaded to Tomcat 5.5.3
Date Fri, 08 Aug 2008 19:05:22 GMT
Warren Bell wrote:
> I have found a war file on my server that appeared around July 14. I am 
> the only one that has access to this machine and I did not put it there. 
> It consists of a jsp that downloads a program named init.exe and then 
> executes it. This server is on a private network. Though there are three 
> pc kiosks in grocery stores that are available to the public that access 
> this server but they are on a different subnet and only have access to 
> the server through port 8080. I am pretty sure it came from one of these 
> stores. The url used for this program is .../fexcep/index.jsp?url=... I 
> am running Tomcat 5.5.3 on Windows XP.
> How did somebody get this war file onto my server?

Difficult to tell. A couple of questions that might help narrow this down:
- From your description am I right in thinking there are two subnets, both 
private with neither connected to the internet?
- What other webapps are installed on the Tomcat instance?
- What is providing the firewall between your Tomcat box and the kiosks?
- How locked down are the kiosks?
- Could anyone have connected one of the kiosks to the internet?

I have a heap of other questions but let's start with these and see where we go.

