tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Possible hack tool kit on tomcat 6.0.16
Date Sat, 04 Oct 2008 16:21:53 GMT
ic547 wrote:
> I have encountered this in September 2008.  Here is what I have found:
> 
> 1)  There are several variants such as: fexcep OR fexcepkillshell OR
> fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell
> 
> 2)  It appears to be distributed using an automated scanner that looks for
> the manager app running on Tomcat port 8080 with the default password still
> intact: admin / admin
> 
> 3)  The code deploys a webapp to Tomcat that:
> a)  Checks if the OS is Windows.  If not, it terminates.
> b)  If it is Windows... then some variants immediately download and execute
> a binary from one of several possible servers.  The binary presumably
> contains further malware.
> c)  Other variants apparently wait to be invoked again by an external host
> that will provide the URL of a binary to download and execute.
> 
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP
> PASSWORD.  Or you could delete the manager webapp.

To be clear:
- there is no default manager app password
- the manager app is disabled by default.

My previous advice on this topic still stands:
http://markmail.org/message/jrqw75yw3d3xh3p6

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
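
An added example, not part of either message and not Apache Tomcat project code: a Python audit for the two conditions discussed in this thread, a manager-role account with a guessable password in `conf/tomcat-users.xml` and deployed webapps bearing the names listed in the quoted message. The role set, the weak-password list and the demo directory layout are assumptions constructed for illustration, and passwords are assumed to be stored in plaintext.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Webapp names listed in the quoted message.
REPORTED_NAMES = {"fexcep", "fexcepkillshell", "fexcepshell", "fexcepspshell",
                  "fexception", "fexshell", "fexsshell"}
# Assumption: "manager" is the Tomcat 6 role; "manager-*" covers later releases.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx"}
# Constructed short list of guessable passwords; extend it for a real audit.
WEAK_PASSWORDS = {"", "admin", "tomcat", "manager", "password"}

def weak_manager_accounts(users_xml_path):
    """Return usernames that hold a manager role with a guessable password."""
    findings = []
    for el in ET.parse(users_xml_path).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate an XML namespace
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & MANAGER_ROLES and (password.lower() in WEAK_PASSWORDS
                                      or password == name):
            findings.append(name)
    return findings

def reported_webapps(webapps_dir):
    """Return deployed directories or WAR files named like a reported variant."""
    hits = []
    for entry in sorted(os.listdir(webapps_dir)):
        base = entry[:-4] if entry.lower().endswith(".war") else entry
        if base.lower() in REPORTED_NAMES:
            hits.append(entry)
    return hits

def demo():
    """Run both checks against a constructed CATALINA_BASE layout."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "conf"))
    for app in ("ROOT", "manager", "fexshell"):
        os.makedirs(os.path.join(base, "webapps", app))
    open(os.path.join(base, "webapps", "fexcep.war"), "w").close()
    users = os.path.join(base, "conf", "tomcat-users.xml")
    with open(users, "w") as fh:  # constructed sample accounts
        fh.write('<tomcat-users><user username="admin" password="admin" roles="manager"/>'
                 '<user username="ops" password="Xq7-constructed" roles="manager"/>'
                 '<user username="viewer" password="viewer" roles="tomcat"/></tomcat-users>')
    return weak_manager_accounts(users), reported_webapps(os.path.join(base, "webapps"))

if __name__ == "__main__":
    print(demo())
```

Point the two functions at a real instance's `conf/tomcat-users.xml` and `webapps` directory; any hit from `reported_webapps` warrants treating the host as compromised rather than simply deleting the directory.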

