tomcat-users mailing list archives

From Tom H <...@limepepper.co.uk>
Subject tomcat manager with weak password compromised. Any idea about the payload?
Date Thu, 12 Apr 2012 02:40:45 GMT
Hi,

An instance running Tomcat 6.0.24 as root in our developer network was 
compromised today by a scanning bot which deployed a war file and then 
deleted the on-disk file, before scanning for new hosts until the IDS 
detected it.

Obviously this is not a flaw in Tomcat, but I was hoping someone could 
give me some pointers to where I might read a write-up of the payload, 
as I would be interested to know to what extent the bot took advantage 
of its root power.

The proc with all the connections was actually perl, and running 
strings on a core dump of that process reveals a lot of Perl stuff (and 
also the very weak password list).

However, googling these facts does not seem to be helping that much. Any 
suggestions?

Thanks
Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

