tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Possible virus uploaded to Tomcat 5.5.3
Date Fri, 08 Aug 2008 20:36:58 GMT
Warren Bell wrote:
> Mark Thomas wrote:
>> Warren Bell wrote:
>>> Mark Thomas wrote:
>>>> - What other webapps are installed on the Tomcat instance?
>>>
>>> Several, they are all intranet apps that do not have any
>>> download/upload capabilities and there are no possible SQL injection
>>> vulnerabilities either. And none of the apps execute any programs
>>> local to the server.
>>
>> Hmm. No real idea yet but a few more questions.
>>
>> Is either the manager or the admin app installed?
> 
> No

OK, that rules out a few possibilities.

>> From your comments you aren't using WebDAV at all. Is this correct?
> 
> What is WebDAV, some kind of anti-virus?

It is a servlet that allows read/write of files on the server.

>> Are all the apps on Tomcat accessible to the kiosks?
> 
> Yes
> 
>>
>> Do you have any access logs from around the time the rogue pages were 
>> installed?
> 
> Maybe, the server is down, I am traveling to it right now to see if and 
> how much damage this may have caused.

Another thought occurs to me. If this server is only accessible via the
firewall and the firewall is locked down to just port 8080, how did you get
the source for the JSP you posted originally?

And from my other e-mail, are you using the invoker servlet at all?

Mark



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

