From: Sameer Acharya
Reply-To: acharya_sam@yahoo.com
To: Tomcat Users List
Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED
Date: Sun, 10 Aug 2008 19:10:59 -0700 (PDT)
In-Reply-To: <489F2F73.80602@apache.org>
Message-ID: <63788.81203.qm@web52408.mail.re2.yahoo.com>

Just a couple of questions on this.

1. I read your mail exchange and it seems that the OP has mentioned no Manager app was installed, but your analysis indicates that the rogue app was uploaded through the manager app?

2. Normally firewalls keep a log of port activity, so was this activity not detected by the firewall?

-Sameer

--- On Sun, 8/10/08, Mark Thomas wrote:

> From: Mark Thomas
> Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED
> To: "Tomcat Users List"
> Date: Sunday, August 10, 2008, 11:42 PM
>
> Folks,
>
> Just a short note to let you know that Warren and I have been working this
> off-list and have identified how this attack was launched.
>
> I'd like to take this opportunity to publicly thank Warren for taking the
> time to work with me on this when he had a lot more important things to do
> than answer my questions.
>
> The manager application was installed with a user name and password that
> the attackers were able to brute force. Once they had access to the manager
> application they were able to install their own web application that
> allowed them wider access to the box.
>
> This isn't the first report of a rogue application that we have seen on the
> Tomcat security list. Where we have had sufficient detail to trace how the
> application was installed, it has always been via an existing management
> tool.
>
> Therefore, I would like to take the opportunity to remind users to ensure
> that any potentially user accessible administration interface is suitably
> secured. The following isn't an exhaustive list but things to consider
> include:
> - don't use standard user names for administrative users
> - do use strong passwords, especially for administrative users
> - uninstall web applications you don't need (admin, manager, host-manager,
>   examples, webdav, etc)
> - use Remote Host/Address filters to limit access to administrative
>   applications
> - enable access logging so if something does go wrong you have some
>   information to work with
> - regularly review your access logs for evidence of potential attacks
> - run Tomcat as a dedicated user with the minimum privileges possible
>
> Finally, a small advert. I am presenting a session on Tomcat security at
> ApacheCon in November that will cover the above and a whole lot more.
>
> Mark
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
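Mark's hardening list, written out as Tomcat 5.5 configuration. This is an added example and not the original poster's or the Tomcat project's own configuration: the docBase, the two allowed addresses (127.0.0.1 and 192.168.1.10), the non-standard user name and the placeholder password are assumptions chosen for illustration.

```xml
<!-- conf/Catalina/localhost/manager.xml (assumed location for the manager
     context in Tomcat 5.5; adjust docBase to your installation).
     The RemoteAddrValve lives inside the manager Context so it restricts only
     this application, not the whole Host. In 5.5 "allow" is a comma-separated
     list of regular expressions matched against the client IP, hence the
     escaped dots. -->
<Context path="/manager" docBase="${catalina.home}/server/webapps/manager"
         privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,192\.168\.1\.10"/>
</Context>

<!-- conf/server.xml: enable access logging at the Host level so every
     request, including failed manager logins, is recorded. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log." suffix=".txt"
         pattern="common" resolveHosts="false"/>
</Host>

<!-- conf/tomcat-users.xml: no "admin"/"tomcat"/"manager" user names, only
     the role actually needed, and a long random password (placeholder here). -->
<tomcat-users>
  <role rolename="manager"/>
  <user username="ops-deploy-7f3a" password="REPLACE-WITH-LONG-RANDOM-SECRET"
        roles="manager"/>
</tomcat-users>
```

After restarting, check the filter from a host that is not on the allow list: a request for /manager/html should get a 403 before any password prompt. Two caveats a practitioner should keep in mind: if Tomcat sits behind a reverse proxy, the valve sees the proxy's address rather than the client's, so the address filter must be applied at the proxy instead; and if the manager, admin, host-manager, examples and webdav applications are not needed at all, deleting them from the installation is simpler and safer than restricting them.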
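Mark's last two points, enable access logging and review the logs, as an added example that is not part of this thread or of Tomcat. It reads lines in the AccessLogValve "common" pattern and flags three things: a client that repeatedly receives 401 on the manager, admin or host-manager paths; a client whose run of 401s is followed by a 2xx, which is the brute force that succeeded in the case above; and successful deploy/upload requests through the manager, which is where the rogue application would show up. The sample log lines, the 203.0.113.9 attacker address and the threshold of five failures are constructed for the example.

```python
"""Review Tomcat access logs for brute-force and deployment activity against
the manager application. Added example, not code from the thread or from
Tomcat. Assumes the AccessLogValve 'common' pattern:
    host ident authuser [date] "request" status bytes
"""
import re
from collections import defaultdict

COMMON_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log (not real traffic). 203.0.113.9 cycles through
# standard user names, gets in on the sixth try, then uploads and deploys.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2008:18:01:02 -0700] "GET /index.jsp HTTP/1.1" 200 1043
203.0.113.9 - - [10/Aug/2008:18:02:10 -0700] "GET /manager/html HTTP/1.1" 401 954
203.0.113.9 - admin [10/Aug/2008:18:02:11 -0700] "GET /manager/html HTTP/1.1" 401 954
203.0.113.9 - tomcat [10/Aug/2008:18:02:12 -0700] "GET /manager/html HTTP/1.1" 401 954
203.0.113.9 - manager [10/Aug/2008:18:02:13 -0700] "GET /manager/html HTTP/1.1" 401 954
203.0.113.9 - admin [10/Aug/2008:18:02:15 -0700] "GET /manager/html HTTP/1.1" 401 954
203.0.113.9 - admin [10/Aug/2008:18:02:16 -0700] "GET /manager/html HTTP/1.1" 200 8123
203.0.113.9 - admin [10/Aug/2008:18:03:01 -0700] "POST /manager/html/upload HTTP/1.1" 200 1190
203.0.113.9 - admin [10/Aug/2008:18:03:02 -0700] "PUT /manager/deploy?path=/x HTTP/1.1" 200 60
10.0.0.7 - - [10/Aug/2008:18:05:00 -0700] "GET /manager/html HTTP/1.1" 401 954
"""

# Administrative applications Mark lists; any 401 here is a login attempt.
ADMIN_PREFIXES = ("/manager", "/admin", "/host-manager")
# Manager endpoints that install a web application (assumed paths for 5.5).
DEPLOY_PREFIXES = ("/manager/deploy", "/manager/install", "/manager/html/upload")


def parse_log(text):
    """Parse common-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMMON_LOG.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def is_admin_path(path):
    return path.startswith(ADMIN_PREFIXES)


def failed_admin_logins(records, threshold=5):
    """Per-client count of 401s on admin paths, keeping clients at/above threshold."""
    counts = defaultdict(int)
    for r in records:
        if is_admin_path(r["path"]) and r["status"] == 401:
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def successful_after_failures(records, threshold=5):
    """Clients that got >= threshold 401s on admin paths and then a 2xx there:
    the signature of a brute force that worked."""
    failures = defaultdict(int)
    hits = []
    for r in records:
        if not is_admin_path(r["path"]):
            continue
        if r["status"] == 401:
            failures[r["ip"]] += 1
        elif 200 <= r["status"] < 300 and failures[r["ip"]] >= threshold \
                and r["ip"] not in hits:
            hits.append(r["ip"])
    return hits


def deployments(records):
    """Successful deploy/upload requests through the manager, with the user used."""
    return [(r["ip"], r["user"], r["method"], r["path"]) for r in records
            if r["path"].startswith(DEPLOY_PREFIXES) and 200 <= r["status"] < 300]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated failed admin logins:", failed_admin_logins(recs))
    print("brute force followed by success:", successful_after_failures(recs))
    for ip, user, method, path in deployments(recs):
        print(f"deployment via manager: {ip} as {user}: {method} {path}")
```

Run it against a real localhost_access_log file by replacing SAMPLE_LOG with the file contents. The useful signal is the combination: one address with many 401s and then a 200, followed by a request to a deploy or upload endpoint, is the sequence Mark describes, and the user name on that successful line tells you which account to lock and which password was guessable.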