From: Mark Thomas
Date: Sat, 04 Oct 2008 14:56:57 +0100
To: Tomcat Users List
Subject: Re: fex* war malware
Message-ID: <48E77629.5080809@apache.org>
In-Reply-To: <404796.80552.qm@web32604.mail.mud.yahoo.com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)

David Tyler wrote:
> I have encountered this in September 2008. Here is what I have found:
>
> 1) There are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell
>
> 2) It appears to be distributed using an automated scanner that looks for the manager app running on Tomcat port 8080 with the default password still intact: admin / admin
>
> 3) The code deploys a webapp to Tomcat that:
> a) Checks if the OS is Windows. If not, it terminates.
> b) If it is Windows... then some variants immediately download and execute a binary from one of several possible servers. The binary presumably contains further malware.
> c) Other variants apparently wait to be invoked again by an external host that will provide the URL of a binary to download and execute.
>
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP PASSWORD. Or you could delete the manager webapp.
>
> The manager username / password is set in: tomcat/conf/tomcat-users.xml

David,

To repeat what I wrote on the dev list: You appear to be misinformed. There is no default Tomcat password.

The Tomcat binary distributions are already constructed as you are suggesting and have been that way for as long as I can remember.

With the zip/tar install, the user has to manually edit tomcat-users.xml. The user must also add the manager role to one of the users. In 6.0.x the user must also create a user as none are defined by default. None of the default users is named admin.

With the Windows installer, an admin user is created but there is no default password. The user must specify their own.

I am extremely interested to find out where you obtained your Tomcat installations from as it could not have been an official Apache distribution. Please let us know where you sourced them from so we can warn the Tomcat user community to avoid them.

Kind regards,

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
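Both the quoted report and Mark's reply turn on what is actually in conf/tomcat-users.xml. The script below is an added example, not code from this thread or from the Tomcat project: it parses a tomcat-users.xml, lists every user that holds a manager role, and flags passwords that are empty, equal to the username, or on a short constructed list of well-known weak values. It assumes the classic `<user username= password= roles=/>` layout (accepting a `name` attribute as a fallback is also an assumption) and treats any role whose name starts with `manager` as manager access, which covers the single `manager` role of the 6.0.x era as well as the later split roles such as `manager-gui`. The two sample files embedded in it are constructed for the demonstration.

```python
"""Audit a tomcat-users.xml for accounts that can reach the manager webapp.

Added example (not from the mailing-list thread or the Tomcat project).
Assumptions: classic <user username= password= roles=/> layout, roles
separated by commas, and any role starting with "manager" grants access
to the manager application. Run with a path to audit a real file.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed list: values an automated scanner would try before anything else.
WEAK_PASSWORDS = {"", "admin", "tomcat", "manager", "password", "s3cret"}

# Constructed: the shape of a freshly unpacked 6.0.x file, where the only
# users live inside an XML comment and therefore do not exist at runtime.
DEFAULT_6_0 = """<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
</tomcat-users>
"""

# Constructed: a carelessly edited (or repackaged) file with the admin/admin
# account the original report describes, next to one properly provisioned user.
WEAK_FILE = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <user username="deploy" password="Xk9#pLm2!qRt" roles="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def manager_roles(roles_attr):
    """Split a roles="a,b, c" attribute and keep only manager-related roles."""
    return [r.strip() for r in roles_attr.split(",") if r.strip().startswith("manager")]


def audit_tomcat_users(xml_text):
    """Return one finding per user with manager access.

    Each finding is a dict with the username, the manager roles granted and a
    weak_password flag. Users without a manager role are out of scope and
    skipped; commented-out users never reach the parser, matching Tomcat.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        # Assumption: "username" is the attribute in use; "name" is a fallback.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = manager_roles(user.get("roles", ""))
        if not roles:
            continue
        weak = password.lower() in WEAK_PASSWORDS or password.lower() == name.lower()
        findings.append({"username": name, "roles": roles, "weak_password": weak})
    return findings


def format_report(findings):
    """Render findings as plain lines; an empty list means no manager users."""
    if not findings:
        return ["no users hold a manager role"]
    lines = []
    for f in findings:
        verdict = "WEAK PASSWORD" if f["weak_password"] else "ok"
        lines.append("%s roles=%s %s" % (f["username"], ",".join(f["roles"]), verdict))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = WEAK_FILE  # demonstrate on the constructed sample
    for line in format_report(audit_tomcat_users(text)):
        print(line)
```

Pointed at the constructed weak file the script reports the admin account as the only weak manager login; pointed at the 6.0.x-style file it reports no manager users at all, which is the state Mark describes for an untouched official distribution. Because the file holds passwords in clear text, the same script is a reasonable thing to run after every edit to tomcat-users.xml rather than only once.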