Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-11 Thread Mark Thomas
Sameer Acharya wrote: Just a couple of questions on this. 1. I read your mail exchange and it seems that the OP has mentioned no Manager app was installed, but your analysis indicates that the rogue app was uploaded through the manager app? There were quite a few e-mails exchanged off list,

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Mark Thomas
Folks, Just a short note to let you know that Warren and I have been working this off-list and have identified how this attack was launched. I'd like to take this opportunity to publicly thank Warren for taking the time to work with me on this when he had a lot more important things to do

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Len Popp
Thanks for figuring this out and posting the info. I checked my server log and found that just this morning some computer in China tried to poke at the manager app on my server. So it seems that it wasn't an isolated incident; there's someone out there trying to exploit Tomcat's manager app.

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Hassan Schroeder
On Sun, Aug 10, 2008 at 2:21 PM, Len Popp [EMAIL PROTECTED] wrote: I checked my server log and found that just this morning some computer in China tried to poke at the manager app on my server. So it seems that it wasn't an isolated incident, there's someone out there trying to exploit

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Sameer Acharya
not detected by the firewall? -Sameer --- On Sun, 8/10/08, Mark Thomas [EMAIL PROTECTED] wrote: From: Mark Thomas [EMAIL PROTECTED] Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED To: Tomcat Users List users@tomcat.apache.org Date: Sunday, August 10, 2008, 11:42 PM Folks, Just

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-09 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: Another thought occurs to me. If this server is only accessible via the firewall and the firewall is locked down to just port 8080 how did you get the source for the JSP you posted originally? Through a VPN connection No questions here - just checking

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: I have found a war file on my server that appeared around July 14. I am the only one that has access to this machine and I did not put it there. It consists of a jsp that downloads a program named init.exe and then executes it. This server is on a private network. Though

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: I have found a war file on my server that appeared around July 14. I am the only one that has access to this machine and I did not put it there. It consists of a jsp that downloads a program named init.exe and then executes it. This server is on a private

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there are no possible SQL injection vulnerabilities either. And none of the apps execute any programs

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
And a follow-up question - are you using the invoker servlet at all? Mark

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there are no possible SQL injection vulnerabilities either. And none of the apps

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there are no possible SQL injection vulnerabilities either. And

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there are no possible SQL injection

RE: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Peter Crowther
From: Warren Bell [mailto:[EMAIL PROTECTED] [details of attack elided] The network that the server is on has a Linksys RV082 small business router with the firewall completely locked down except for port 8080 available only to the networks with the kiosks. The kiosks are on a basic Linksys

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Peter Crowther wrote: From: Warren Bell [mailto:[EMAIL PROTECTED] [details of attack elided] The network that the server is on has a Linksys RV082 small business router with the firewall completely locked down except for port 8080 available only to the networks with the kiosks. The

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Christopher Schultz
Peter, Peter Crowther wrote: | That's a nice little JSP - once it's on the system, the attacker can | do anything they like that's allowed by the outbound firewall, with | the privilege of the user running Tomcat. Yeah, pretty much. This is one of