tomcat-users mailing list archives

From Warren Bell <>
Subject Re: Possible virus uploaded to Tomcat 5.5.3
Date Fri, 08 Aug 2008 20:06:37 GMT
Mark Thomas wrote:
> Warren Bell wrote:
>> I have found a war file on my server that appeared around July 14. I 
>> am the only one that has access to this machine and I did not put it 
>> there. It consists of a jsp that downloads a program named init.exe 
>> and then executes it. This server is on a private network. Though 
>> there are three pc kiosks in grocery stores that are available to the 
>> public that access this server but they are on a different subnet and 
>> only have access to the server thru port 8080. I am pretty sure it 
>> came from one of these stores. The url used for this program is 
>> .../fexcep/index.jsp?url=... I am running Tomcat 5.5.3 on Windows XP.
>> How did somebody get this war file onto my server?
> Difficult to tell. A couple of questions that might help narrow this 
> down:
> - From your description am I right in thinking there are two subnets, 
> both private with neither connected to the internet?

Both networks are connected to the internet.

> - What other webapps are installed on the Tomcat instance?

Several, they are all intranet apps that do not have any download/upload 
capabilities and there are no possible SQL injection vulnerabilities 
either. And none of the apps execute any programs local to the server. 
And none of the apps are available to the Internet except to the kiosks 
through the Internet via

> - What is providing the firewall between your Tomcat box and the kiosks?

The network that the server is on has a Linksys RV082 small business 
router with the firewall completely locked down except for port 8080 
available only to the networks with the kiosks. The kiosks are on a 
basic Linksys home router.

> - How locked down are the kiosks?

Not very, each one of the kiosks is on its own network. The only access 
they have to the server is thru port 8080.

> - Could anyone have connected one of the kiosks to the internet?

Yes, we have isolated it to one kiosk. We use a web proxy, but they just 
went around it.

> I have a heap of other questions but let's start with these and see 
> where we go.
> Mark
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:


Warren Bell
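
Added example, not part of the original message or of Tomcat: one way to review a Tomcat access log for the situation described above, flagging requests to a context that was never knowingly deployed and JSPs that are handed a remote URL in a query parameter. The allowlist, the log lines and the url= value are constructed placeholders, and the log is assumed to use the AccessLogValve "common" pattern.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: context names the administrator knowingly deployed ("" is ROOT).
EXPECTED_CONTEXTS = {"", "intranet", "kiosk"}

# Layout written by Tomcat's AccessLogValve with pattern="common".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines; hosts, times and the url= value are placeholders.
SAMPLE_LOG = [
    '10.0.2.15 - - [14/Jul/2008:03:12:45 -0700] "GET /intranet/orders.jsp HTTP/1.1" 200 5120',
    '10.0.2.15 - - [14/Jul/2008:03:13:02 -0700] "GET /fexcep/index.jsp?url=http://files.example.invalid/placeholder.bin HTTP/1.1" 200 312',
    '10.0.3.7 - - [14/Jul/2008:09:00:11 -0700] "GET /kiosk/ HTTP/1.1" 200 2048',
]

def context_of(path):
    """Return the first path segment (the context name); '' means ROOT."""
    first = path.lstrip("/").split("/", 1)
    # A lone segment with a dot ("/index.jsp") is a file served by ROOT.
    if len(first) == 1 and "." in first[0]:
        return ""
    return first[0]

def review(lines, expected=EXPECTED_CONTEXTS):
    """Return (host, time, target, status, reasons) for each suspicious request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout
        url = urlsplit(m["target"])
        reasons = []
        if context_of(url.path) not in expected:
            reasons.append("unexpected context")
        values = [v for vals in parse_qs(url.query).values() for v in vals]
        if url.path.endswith(".jsp") and any(
                v.lower().startswith(("http://", "https://", "ftp://")) for v in values):
            reasons.append("JSP given a remote URL parameter")
        if reasons:
            findings.append((m["host"], m["ts"], m["target"], m["status"], reasons))
    return findings

if __name__ == "__main__":
    for host, ts, target, status, reasons in review(SAMPLE_LOG):
        print(host, ts, status, target, "; ".join(reasons))
```

The earliest flagged timestamp and its source address give a starting point for working out when the context was deployed and from which subnet it was first requested.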
