Message-ID: <489CAC7E.1080600@clarksnutrition.com>
Date: Fri, 08 Aug 2008 13:28:46 -0700
From: Warren Bell
To: Tomcat Users List
Subject: Re: Possible virus uploaded to Tomcat 5.5.3
In-Reply-To: <489CAB34.9040202@apache.org>

Mark Thomas wrote:
> Warren Bell wrote:
>> Mark Thomas wrote:
>>> - What other webapps are installed on the Tomcat instance?
>>
>> Several, they are all intranet apps that do not have any
>> download/upload capabilities and there are no possible SQL injection
>> vulnerabilities either. And none of the apps execute any programs
>> local to the server.
>
> Hmm. No real idea yet but a few more questions.
>
> Is either the manager or the admin app installed?

No

>
> If yes, how strong is the password and what realm are you using?
>
> From your comments you aren't using WebDAV at all. Is this correct?

What is WebDAV, some kind of anti-virus?

>
> Are all the apps on Tomcat accessible to the kiosks?

Yes

>
> Do you have any access logs from around the time the rogue pages were
> installed?

Maybe, the server is down, I am traveling to it right now to see if and
how much damage this may have caused.

>
> Cheers,
>
> Mark
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

--
Thanks,

Warren Bell
909-645-8864
warren@clarksnutrition.com