Message-ID: <489CAE6A.7090107@apache.org>
Date: Fri, 08 Aug 2008 21:36:58 +0100
From: Mark Thomas
To: Tomcat Users List
Subject: Re: Possible virus uploaded to Tomcat 5.5.3
References: <489C8DCF.5020901@clarksnutrition.com> <489C98F2.7040707@apache.org> <489CA74D.9010202@clarksnutrition.com> <489CAB34.9040202@apache.org> <489CAC7E.1080600@clarksnutrition.com>
In-Reply-To: <489CAC7E.1080600@clarksnutrition.com>

Warren Bell wrote:
> Mark Thomas wrote:
>> Warren Bell wrote:
>>> Mark Thomas wrote:
>>>> - What other webapps are installed on the Tomcat instance?
>>>
>>> Several, they are all intranet apps that do not have any
>>> download/upload capabilities and there are no possible SQL injection
>>> vulnerabilities either. And none of the apps execute any programs
>>> local to the server.
>>
>> Hmm. No real idea yet but a few more questions.
>>
>> Is either the manager or the admin app installed?
>
> No

OK, that rules out a few possibilities.

>> From your comments you aren't using WebDAV at all. Is this correct?
>
> What is WebDAV, some kind of anti-virus?

It is a servlet that allows read/write of files on the server.

>> Are all the apps on Tomcat accessible to the kiosks?
>
> Yes
>
>> Do you have any access logs from around the time the rogue pages were
>> installed?
>
> Maybe, the server is down. I am traveling to it right now to see if and
> how much damage this may have caused.

Another thought occurs to me. If this server is only accessible via the firewall and the firewall is locked down to just port 8080, how did you get the source for the JSP you posted originally?

And from my other e-mail, are you using the invoker servlet at all?

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
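The questions Mark asks above (is WebDAV mapped and writable, is the invoker servlet enabled, what do the access logs show) can be turned into a quick audit. This is an added example, not code from the thread or from Tomcat; the web.xml fragment and the access-log lines are constructed samples, and the servlet class names are the ones Tomcat 5.5 ships in its default conf/web.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a Tomcat 5.5 conf/web.xml (not from any real server):
# invoker mapped, WebDAV mapped and writable. Tomcat ships both commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
</web-app>"""

RISKY = {"org.apache.catalina.servlets.InvokerServlet": "invoker",
         "org.apache.catalina.servlets.WebdavServlet": "webdav"}

def audit_web_xml(xml_text):
    """Risky built-in servlets that are declared AND mapped (commented-out ones are dropped by the parser)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                       # drop the J2EE namespace prefix
        el.tag = el.tag.split("}")[-1]
    mapped = {m.findtext("servlet-name") for m in root.iter("servlet-mapping")}
    findings = {}
    for s in root.iter("servlet"):
        label = RISKY.get((s.findtext("servlet-class") or "").strip())
        if label:
            params = {p.findtext("param-name"): p.findtext("param-value")
                      for p in s.iter("init-param")}
            findings[label] = {"mapped": s.findtext("servlet-name") in mapped,
                               "readonly": params.get("readonly", "true")}  # WebDAV default
    return findings

# Constructed access-log lines in Tomcat's common log format.
SAMPLE_LOG = """10.0.0.5 - - [08/Aug/2008:20:30:01 +0100] "GET /intranet/index.jsp HTTP/1.1" 200 512
10.0.0.5 - - [08/Aug/2008:20:31:10 +0100] "PUT /webdav/new.jsp HTTP/1.1" 201 0
10.0.0.5 - - [08/Aug/2008:20:32:44 +0100] "GET /servlet/SomeClass HTTP/1.1" 404 0"""

WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}
LOG_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(log_text):
    """Return (method, path, status) for write-capable methods or invoker-style URLs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and (m.group(1) in WRITE_METHODS or m.group(2).startswith("/servlet/")):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

Run `audit_web_xml` over the real conf/web.xml and each webapp's WEB-INF/web.xml, and `suspicious_requests` over the access logs from around the time the rogue JSPs appeared; a mapped WebDAV servlet with readonly=false, or PUT/MKCOL requests ending in .jsp, is the first thing to look for.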