tomcat-users mailing list archives

From David Tyler <ic...@yahoo.com>
Subject fex* war malware
Date Sat, 04 Oct 2008 12:04:48 GMT
I encountered this in September 2008.  Here is what I have found:

1)  There are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell
OR fexception OR fexshell OR fexsshell

2)  It appears to be distributed using an automated scanner that looks for the manager app
running on Tomcat port 8080 with the default password still intact: admin / admin

3)  The code deploys a webapp to Tomcat that:
a)  Checks if the OS is Windows.  If not, it terminates.
b)  If it is Windows, then some variants immediately download and execute a binary from
one of several possible servers.  The binary presumably contains further malware.
c)  Other variants apparently wait to be invoked again by an external host that will provide
the URL of a binary to download and execute.

THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP PASSWORD.  Or you could
delete the manager webapp.

The manager username / password is set in: tomcat/conf/tomcat-users.xml

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
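The safeguard the post names is a non-default credential in conf/tomcat-users.xml for any account that can reach the manager webapp. Below is an added example, not part of the original message or of Tomcat itself, that audits such a file: it parses the XML, keeps only users whose roles grant manager or admin access (the only accounts a WAR-deploying scanner can use), and flags known default pairs, passwords equal to the username, and short passwords. The three XML documents are constructed samples; the role names are the real Tomcat ones, but the list of default credentials beyond admin/admin, the 12-character minimum and the sample account names are assumptions made for this example.

```python
"""
Audit a Tomcat conf/tomcat-users.xml for manager-capable accounts with
default or weak credentials (the entry point the fex* WAR droppers used).
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the manager (or admin) webapp. Tomcat 5.5/6
# use a single "manager" role; Tomcat 7+ split it into manager-gui,
# manager-script, manager-jmx and manager-status.
MANAGER_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin", "admin-gui", "admin-script",
}

# Credential pairs an automated scanner is likely to try. admin/admin is the
# pair named in the post; the remaining entries are assumptions for this example.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "tomcat"), ("admin", "password"),
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"), ("role1", "tomcat"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold for this example


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) findings for manager-capable users.

    Works on both the unnamespaced Tomcat 5.5/6 file and the xmlns'd Tomcat 7+
    file. Users without a manager/admin role cannot deploy a WAR through the
    manager app, so they are not reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        # The user database accepts "name" as an alias for "username".
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append((name, "known default credential pair"))
        elif password == name:
            findings.append((name, "password equals username"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "password shorter than %d characters" % MIN_PASSWORD_LENGTH))
    return findings


# Constructed sample: the insecure file the post warns about.
WEAK_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Constructed sample: a Tomcat 7+ style file with a namespace, a password
# copied from documentation, and a deploy account whose password is its name.
DOC_EXAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
</tomcat-users>
"""

# Constructed sample: the corrected file. One dedicated deploy account with a
# long, non-default password (placeholder value), and no admin/admin at all.
HARDENED_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="deployer" password="Wv7q-mR2k-xH9s-Lp4d-Zt8n" roles="manager"/>
</tomcat-users>
"""

if __name__ == "__main__":
    samples = [("weak", WEAK_TOMCAT_USERS),
               ("doc example", DOC_EXAMPLE_TOMCAT_USERS),
               ("hardened", HARDENED_TOMCAT_USERS)]
    for label, doc in samples:
        print("%-12s %s" % (label, audit_tomcat_users(doc) or "no findings"))
```

The check assumes plaintext passwords, which is what the stock MemoryRealm/UserDatabaseRealm configuration stores; if the realm is configured for digested passwords the length test is meaningless and only the role review applies. Deleting webapps/manager entirely, the post's second option, removes the attack surface regardless of what this file contains.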