tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: fex* war malware
Date Sat, 04 Oct 2008 13:56:57 GMT
David Tyler wrote:
> I have encountered this in September 2008.  Here is what I have found:
> 
> 1)  There are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell
> OR fexception OR fexshell OR fexsshell
> 
> 2)  It appears to be distributed using an automated scanner that looks for the manager
> app running on Tomcat port 8080 with the default password still intact: admin / admin
> 
> 3)  The code deploys a webapp to Tomcat that:
> a)  Checks if the OS is Windows.  If not it terminates.
> b)  If it is Windows... then some variants immediately download and execute a binary
> from one of several possible servers.  The binary presumably contains further malware.
> c)  Other variants apparently wait to be invoked again by an external host that will
> provide the URL of a binary to download and execute.
> 
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP PASSWORD.  Or
> you could delete the manager webapp.
> 
> The manager username / password is set in: tomcat/conf/tomcat-users.xml

David,

To repeat what I wrote on the dev list:

You appear to be mis-informed. There is no default Tomcat password.

The Tomcat binary distributions are already constructed as you are
suggesting and have been that way for as long as I can remember.

With the zip/tar install, the user has to manually edit tomcat-users.xml.
The user must also add the manager role to one of the users. In 6.0.x the
user must also create a user as none are defined by default. None of the
default users is named admin.

With the Windows installer, an admin user is created but there is no
default password. The user must specify their own.

I am extremely interested to find out where you obtained your Tomcat
installations from as it could not have been an official Apache
distribution. Please let us know where you sourced them from so we can warn
the Tomcat user community to avoid them.

Kind regards,

Mark



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
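As an added example (not code from the thread or from the Tomcat project), a Python audit of the tomcat/conf/tomcat-users.xml file both writers refer to: it parses the file, lists every user holding a Manager role and flags the guessable credentials that the scanner David describes would be testing, so an operator can check whether a given install is in the state he reports. The manager-* role names for Tomcat 7 and later, the weak-password list, the 12-character minimum and both sample configurations are assumptions constructed for the example.

```python
"""Audit a tomcat-users.xml for accounts that can reach the Manager webapp.

Added example, not code from the mailing-list thread or from the Tomcat project.
"""
import xml.etree.ElementTree as ET

# "manager" is the Manager role in Tomcat 5.5/6.0 (the versions in the thread).
# The manager-* names are the split roles Tomcat 7+ uses; "admin" covers the
# separate Admin webapp shipped with 5.5. Role names beyond 6.0 are an assumption
# relative to the thread.
MANAGER_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin",
}

# Constructed list of guessable passwords; admin/admin is the pair the thread reports.
WEAK_PASSWORDS = {"", "admin", "tomcat", "manager", "password", "changeme"}
MIN_LENGTH = 12  # assumption: a locally chosen minimum, not a Tomcat setting


def _local(tag):
    """Strip an XML namespace ({uri}tag -> tag); Tomcat 7+ files declare one."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return a list of (username, password, set_of_roles) from tomcat-users.xml.

    Commented-out <user> lines, as in the stock Tomcat 6 file, are ignored by the
    XML parser and so never show up here: they are not real accounts.
    """
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat 4/5 wrote the attribute as "name"; 5.5+ uses "username".
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def audit(xml_text):
    """Return (username, reason) pairs for Manager-capable users with weak credentials."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        if not roles & MANAGER_ROLES:
            continue  # cannot deploy a .war through the Manager app, so out of scope
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, "password is on the guessable list"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_LENGTH:
            findings.append((name, "password shorter than %d characters" % MIN_LENGTH))
    return findings


# Constructed sample: the state the scanner described in the thread looks for.
WEAK_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="admin" password="admin" roles="manager"/>
</tomcat-users>
"""

# Constructed sample: the same file after following the advice in the thread, with
# an operator-chosen account and a made-up strong password; the commented-out user
# mirrors how the stock Tomcat 6 file ships with no active accounts.
HARDENED_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <!-- <user username="role1" password="tomcat" roles="role1"/> -->
  <role rolename="manager"/>
  <user username="deployer" password="4Vq9!zTb2#kLm8wP" roles="manager"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))  # weak -> one finding for admin; hardened -> []
```

Run it against a real file with `audit(open("conf/tomcat-users.xml").read())`. A password stored as a digest (when the realm is configured for hashed passwords) will be long and pass the length check, which is the intended behaviour: the script is judging what a remote scanner could guess, not the strength of a hash.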

