tomcat-users mailing list archives

From Peter Crowther <Peter.Crowt...@melandra.com>
Subject RE: Possible virus uploaded to Tomcat 5.5.3
Date Sat, 09 Aug 2008 01:26:41 GMT
> From: Warren Bell [mailto:warren@clarksnutrition.com]
[details of attack elided]
> The network that the server is on has a Linksys RV082 small business
> router with the firewall completely locked down except for port 8080
> available only to the networks with the kiosks. The kiosks are on a
> basic Linksys home router.

That's a nice little JSP - once it's on the system, the attacker can do
anything they like that's allowed by the outbound firewall, with the
privilege of the user running Tomcat. I assume the server can connect
freely to other URLs, such as wherever it pulled init.exe from? So the
problem reduces to how someone managed to drop that JSP into 5.5.3 such
that it could be invoked once?

                - Peter

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

