Hi Ann,

You didn't specify which version of Tomcat you are running.  According
to this page: http://www.securityfocus.com/bid/30633  there is a UTF8
path vulnerability that was fixed at 6.0.18 - I would have thought that
vulnerability would have required access to a "LOCAL" path, but it's
possible that the vulnerability allows Tomcat to reference something
from a remote path and install it.

Also, if you are running the default Tomcat "Manager" and "admin" apps,
stop them. Well, don't stop them altogether, because then you can't
start them over the web.  But...  you need to look at your web.xml or
server.xml or whatever config files exist in modern Tomcat systems, and
restrict access to the Manager and Admin apps only to trusted IP #'s. 
(only localhost maybe to start, if you can tunnel your web traffic
through a VPN or ssh or something onto the server.)

DK

Ann Richmond wrote:
> Hi, it's Ann Richmond.
> A few weeks ago we found some applications had been installed under 
> Tomcat on a few servers.  The war file was there as well as the expanded 
> apps.
> Here are the names, though we think they are all the same:
> fexsshel
> fexcep
> fexcepshell
> fexception
> fexcepspshell
>
> They were on 3 different servers, not all 3 had all 5 apps installed.  
> The servers are running Red Hat, 2 with Tomcat 4 and RHEL ES 3, and 1 
> with Tomcat 5 and RHEL 5.
>
> The servers are physically at 3 different locations in different parts 
> of the country and have totally different IPs.
>
> We removed the apps and changed all the Tomcat user names and passwords.
>
> Today we found fexsshel back on one of the systems.
>
> We can't find anything on Google, wondering if anyone had come across this.
>
> thanks
> Ann Richmond
>
>
> _______________________________________________
> LinuxUsers mailing list
> [email protected]
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>   
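
An added example (not part of DK's or Ann's messages): a Python check that reads a Tomcat context descriptor and reports whether the Manager app is limited to localhost by a RemoteAddrValve, which is the kind of IP restriction DK describes. The descriptors, probe addresses and function names are constructed for illustration, and the matching rule (comma-separated regexes, each matched against the whole address) is an assumption based on the Tomcat 6 valve documentation.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed context descriptors for the Manager app (not from Ann's servers).
NO_VALVE = '<Context path="/manager" privileged="true"/>'
LOCAL_ONLY = r'''<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1"/>
</Context>'''
TOO_WIDE = r'''<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,.*"/>
</Context>'''

def _matches(patterns, addr):
    # Assumption: comma-separated regexes, each matched against the whole
    # address, as documented for the Tomcat 6 valve.
    parts = [p.strip() for p in patterns.split(",") if p.strip()]
    return any(re.fullmatch(p, addr) for p in parts)

def valve_accepts(valve, addr):
    # A deny match rejects; otherwise an allow list, if present, must match.
    deny, allow = valve.get("deny"), valve.get("allow")
    if deny and _matches(deny, addr):
        return False
    return _matches(allow, addr) if allow else True

def reachable_from(context_xml, probe_addrs):
    """Return the probe addresses this context would let through."""
    root = ET.fromstring(context_xml)
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    # With no valve at all, every address reaches the app.
    return [a for a in probe_addrs if all(valve_accepts(v, a) for v in valves)]

def is_local_only(context_xml):
    # Constructed probes: loopback plus two documentation-range addresses.
    probes = ["127.0.0.1", "192.0.2.10", "203.0.113.7"]
    return reachable_from(context_xml, probes) == ["127.0.0.1"]

if __name__ == "__main__":
    samples = [("no valve", NO_VALVE), ("local only", LOCAL_ONLY),
               ("too wide", TOO_WIDE)]
    for name, xml in samples:
        verdict = "OK" if is_local_only(xml) else "reachable from non-local addresses"
        print(name, "->", verdict)
```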
