tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED
Date Sun, 10 Aug 2008 18:12:03 GMT
Folks,

Just a short note to let you know that Warren and I have been working this 
off-list and have identified how this attack was launched.

I'd like to take this opportunity to publicly thank Warren for taking the 
time to work with me on this when he had a lot more important things to do 
than answer my questions.

The manager application was installed with a user name and password that 
the attackers were able to brute force. Once they had access to the manager 
application they were able to install their own web application that 
allowed them wider access to the box.

This isn't the first report of a rouge application that we have seen on the 
Tomcat security list. Where we have had sufficient detail to trace how the 
application was installed, it has always been via an existing management tool.

Therefore, I would like to take the opportunity to remind users to ensure 
that any potentially user accessible administration interface is suitably 
secured. The following isn't an exhaustive list but things to consider include:
- don't use and standard user names for administrative users
- do use strong passwords, especially for administrative users
- uninstall web applications you don't need (admin, manager, host-manager, 
examples, webdav, etc)
- use Remote Host/Address filters to limit access to administrative 
applications
- enable access logging so if something does go wrong you have some 
information to work with
- regularly review your access logs for evidence of potential attacks
- run Tomcat as a dedicated user with the minimum privileges possible

Finally, a small advert. I am presenting a session on Tomcat security at 
ApacheCon in November that will cover the above and a whole lot more.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message