From my 2 minutes of googling, I found lots of people asking the exact same thing.
http://www.google.com/search?hl=en&q=fexcep+war|tomcat&btnG=Search

I would say it definitely looks nefarious, not just coincidental. Someone has run something specifically to place that there, and has found that your Tomcat server agreed to store it. I would say it is likely that there is some sort of exploit in Tomcat that is capable of being remotely used to install a war file.

Instant remediations:
Can you run the webapps out of a directory in which the application server does not have write permissions? I am not sure; it seems that some webapps need to store things in local XML files, but maybe you can configure the entire webapps directory to prevent writing by the app server.

Short-term research remediations:
Can you see if this only affects certain versions of Tomcat? If so, you may be able to downgrade, upgrade, patch, etc.

Long-term research:
What is the exact security hole that allows this war file to be placed on your machine? Is it really Tomcat, or do you have other exploitable applications in place? (Not likely.)

Can you isolate one of the machines, or in other words, move all your valid traffic to the other ones? Then you can know that you don't have any traffic there except the "bad guy" traffic, and start logging everything with some tcp packet capturing.

It might be interesting to see what "Fexcep" is. I think it is a "file exception" routine in Tomcat which is capable of being exploited to run something bad when there is a file exception or something (although I really don't know).

Is there anything useful in the war file? (Most likely nothing to show -how- it was installed, but you really want to know -what- their servlet is providing to the web...)

DK

Ann Richmond wrote:
> Hi, it's Ann Richmond.
> A few weeks ago we found some applications had been installed under
> tomcat on a few servers. The war file was there as well as the expanded
> apps.
> Here are the names, though we think they are all the same:
> fexsshel
> fexcep
> fexcepshell
> fexception
> fexcepspshell
>
> They were on 3 different servers, not all 3 had all 5 apps installed.
> The servers are running Red Hat, 2 with tomcat 4 and RHEL ES 3, and 1
> with tomcat 5 and RHEL 5.
>
> The servers are physically at 3 different locations in different parts
> of the country and have totally different IPs.
>
> We removed the apps and changed all the tomcat user names and passwords.
>
> Today we found fexsshel back on one of the systems.
>
> We can't find anything on google, wondering if anyone had come across this.
>
> thanks
> Ann Richmond
>
>
> _______________________________________________
> LinuxUsers mailing list
> [email protected]
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
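Two things in the reply above lend themselves to a small script: checking whether the webapps directory is actually writable by the account Tomcat runs as (the "instant remediation"), and noticing when something like fexsshel comes back after it was removed (an allowlist comparison rather than relying on memory). The following is an added example for this thread, not code from either poster or from the Tomcat project. It assumes an operator-supplied allowlist file with one expected application name per line, and the Tomcat service account name as a third argument; the `.war` suffix is stripped so an archive and its expanded directory are judged by the same name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a Tomcat webapps
# directory against an allowlist of expected applications, and report whether
# the directory's ownership and mode bits would let the service account
# write new .war files into it.
#
# Assumptions (not from the thread):
#   - ALLOWLIST_FILE holds one expected application name per line
#     (e.g. ROOT, manager); names are compared exactly.
#   - The service account is passed by name (commonly "tomcat").

# audit_webapps WEBAPPS_DIR ALLOWLIST_FILE
# Prints one "UNEXPECTED: <path>" line per entry not on the allowlist.
# Returns 0 when everything present is expected, 1 otherwise.
audit_webapps() {
    dir="$1"
    allow="$2"
    rc=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty directory: glob stays literal
        name=$(basename "$entry")
        base="${name%.war}"                  # fexcep.war and fexcep/ share a name
        if ! grep -qxF "$base" "$allow"; then
            echo "UNEXPECTED: $entry"
            rc=1
        fi
    done
    return $rc
}

# dir_writable_by DIR USER
# Returns 0 if USER could create files in DIR judging from owner, group and
# mode bits (the condition that lets anything running as USER drop a .war
# there); returns 1 otherwise. Parses ls -ld so it does not need GNU stat.
dir_writable_by() {
    dir="$1"
    user="$2"
    set -- $(ls -ld "$dir")                  # $1=mode $3=owner $4=group
    mode="$1"; owner="$3"; group="$4"
    if [ "$owner" = "$user" ]; then
        case "$mode" in ??w*) return 0 ;; esac       # owner write bit
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            case "$mode" in ?????w*) return 0 ;; esac  # group write bit
        fi
    done
    case "$mode" in ????????w*) return 0 ;; esac     # world write bit
    return 1
}

# Stand-alone usage:  sh audit_webapps.sh /path/to/webapps allowlist.txt tomcat
if [ $# -ge 3 ]; then
    audit_webapps "$1" "$2"
    if dir_writable_by "$1" "$3"; then
        echo "WARNING: $1 is writable by $3; unexpected deployments can land here"
    else
        echo "OK: $1 is not writable by $3"
    fi
fi
```

Run it from cron against each server and compare the output over time; an application name that was removed and then reappears, as fexsshel did, shows up as a new UNEXPECTED line rather than something someone has to remember to look for. The mode-bit check is deliberately conservative: it reports what the filesystem would allow, not whether a write has actually happened.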
