tomcat-users mailing list archives

From Warren Bell <war...@clarksnutrition.com>
Subject Re: Possible virus uploaded to Tomcat 5.5.3
Date Sat, 09 Aug 2008 02:52:34 GMT
Peter Crowther wrote:
>> From: Warren Bell [mailto:warren@clarksnutrition.com]
>>     
> [details of attack elided]
>   
>> The network that the server is on has a Linksys RV082 small business
>> router with the firewall completely locked down except for port 8080
>> available only to the networks with the kiosks. The kiosks are on a
>> basic Linksys home router.
>>     
>
> That's a nice little JSP - once it's on the system, the attacker can do
> anything they like that's allowed by the outbound firewall, with the
> privilege of the user running Tomcat. I assume the server can connect
> freely to other URLs, such as wherever it pulled init.exe from?  So the
> problem reduces to how someone managed to drop that JSP into 5.5.3 such
> that it could be invoked once?
>
>                 - Peter
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>   
That is the question: how in the hell did it get there? I am the only 
one who has access to the server along with init.exe. :-)

-- 
Thanks,

Warren Bell
909-645-8864
warren@clarksnutrition.com

