Sameer Acharya wrote:
Just a couple of questions on this.
1. I read your mail exchange and it seems that the OP mentioned no Manager
app was installed, but your analysis indicates that the rogue app was uploaded
through the manager app?
There were quite a few e-mails exchanged off list,
Folks,
Just a short note to let you know that Warren and I have been working this
off-list and have identified how this attack was launched.
I'd like to take this opportunity to publicly thank Warren for taking the
time to work with me on this when he had a lot more important things to do
Thanks for figuring this out and posting the info.
I checked my server log and found that just this morning some computer
in China tried to poke at the manager app on my server. So it seems
that it wasn't an isolated incident, there's someone out there trying
to exploit Tomcat's manager app.
On Sun, Aug 10, 2008 at 2:21 PM, Len Popp [EMAIL PROTECTED] wrote:
I checked my server log and found that just this morning some computer
in China tried to poke at the manager app on my server. So it seems
that it wasn't an isolated incident, there's someone out there trying
to exploit
not detected by the firewall?
-Sameer
--- On Sun, 8/10/08, Mark Thomas [EMAIL PROTECTED] wrote:
From: Mark Thomas [EMAIL PROTECTED]
Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED
To: Tomcat Users List users@tomcat.apache.org
Date: Sunday, August 10, 2008, 11:42 PM
Folks,
Just
Warren Bell wrote:
Mark Thomas wrote:
Another thought occurs to me. If this server is only accessible via
the firewall and the firewall is locked down to just port 8080 how did
you get the source for the JSP you posted originally?
Through a VPN connection
No questions here - just checking
Warren Bell wrote:
I have found a war file on my server that appeared around July 14. I am
the only one that has access to this machine and I did not put it there.
It consists of a jsp that downloads a program named init.exe and then
executes it. This server is on a private network. Though
Warren Bell wrote:
Mark Thomas wrote:
- What other webapps are installed on the Tomcat instance?
Several, they are all intranet apps that do not have any download/upload
capabilities and there are no possible SQL injection vulnerabilities
either. And none of the apps execute any programs
And a follow up question - are you using the invoker servlet at all?
Mark
From: Warren Bell [mailto:[EMAIL PROTECTED]
[details of attack elided]
The network that the server is on has a Linksys RV082 small business
router with the firewall completely locked down except for port 8080
available only to the networks with the kiosks. The kiosks are on a
basic Linksys
Peter,
Peter Crowther wrote:
| That's a nice little JSP - once it's on the system, the attacker can
| do anything they like that's allowed by the outbound firewall, with
| the privilege of the user running Tomcat.
Yeah, pretty much.
This is one of