ic547 wrote:
> I have encountered this in September 2008. Here is what I have found:
>
> 1) There are several variants such as: fexcep OR fexcepkillshell OR
> fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell
>
> 2) It appears to be distributed using an automated scanner that looks for
> the manager app running on Tomcat port 8080 with the default password still
> intact: admin / admin
>
> 3) The code deploys a webapp to Tomcat that:
> a) Checks if the OS is Windows. If not, it terminates.
> b) If it is Windows, then some variants immediately download and execute
> a binary from one of several possible servers. The binary presumably
> contains further malware.
> c) Other variants apparently wait to be invoked again by an external host
> that will provide the URL of a binary to download and execute.
>
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP
> PASSWORD. Or you could delete the manager webapp.
To be clear:
- there is no default manager app password
- the manager app is disabled by default.

My previous advice on this topic still stands:
http://markmail.org/message/jrqw75yw3d3xh3p6

Mark
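The two posts above disagree on whether a "default password" exists, but they agree on the check an operator should make: is anyone in tomcat-users.xml granted a manager role, and if so, is that account guessable? The script below is an added example (not Tomcat project code and not from either poster) that audits a tomcat-users.xml for exactly that. It assumes the stock file format (`<tomcat-users>` containing `<role>` and `<user>` elements, with or without the `http://tomcat.apache.org/xml` namespace); the weak-credential list and the sample files are constructed for illustration, since the thread itself only names admin/admin. A shipped tomcat-users.xml with no users, which is what Mark describes as the default, produces no findings.

```python
"""Audit a tomcat-users.xml for accounts that could deploy a webapp via the
Tomcat manager application.

Added example, not Tomcat project code. Assumptions (mine, not the thread's):
stock tomcat-users.xml layout; the weak-credential list below is constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Roles that let the holder deploy or manipulate webapps/hosts:
# "manager" is the pre-7 umbrella role, manager-gui/manager-script drive the
# manager webapp, admin-gui/admin-script drive the host-manager webapp.
DEPLOY_ROLES = {"manager", "manager-gui", "manager-script",
                "admin-gui", "admin-script"}

# Constructed list of credentials an automated scanner would try first.
WEAK_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", "tomcat"),
              ("tomcat", "admin"), ("admin", ""), ("tomcat", "")}

MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat default


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return (username, verdict, sorted deploy roles) for each user that
    holds a deploy-capable role. Users without such a role are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Old files use name=, newer ones username=; accept both.
        name = el.get("username") or el.get("name", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = roles & DEPLOY_ROLES
        if not deploy:
            continue
        if (name, password) in WEAK_CREDS:
            verdict = "weak-default-credential"
        elif len(password) < MIN_PASSWORD_LEN:
            verdict = "short-password"
        else:
            verdict = "ok"
        findings.append((name, verdict, sorted(deploy)))
    return findings


def manager_webapp_present(catalina_base):
    """True if the manager webapp directory still exists under CATALINA_BASE.
    Deleting it (the second fix ic547 mentions) makes this return False."""
    return (Path(catalina_base) / "webapps" / "manager").is_dir()


# Constructed sample: a file someone "fixed" by uncommenting the examples.
SAMPLE_WEAK = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Xk9!vR2#pLq8wZt4" roles="manager-script"/>
  <user username="ops" password="s3cret" roles="manager-gui"/>
  <user username="reader" password="reader" roles="manager-status"/>
  <user username="nobody" password="x" roles="tomcat"/>
</tomcat-users>
"""

# Constructed sample mirroring the shipped state: roles but no users.
SAMPLE_DEFAULT = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <!-- no <user> elements: nobody can log in to the manager app -->
</tomcat-users>
"""


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("default", SAMPLE_DEFAULT)):
        print(f"== {label} ==")
        for name, verdict, roles in audit_users(sample) or [("-", "no deploy-capable users", [])]:
            print(f"{name:10} {verdict:25} {','.join(roles)}")
```

Run it against a real file with `audit_users(Path("conf/tomcat-users.xml").read_text())`; any `weak-default-credential` or `short-password` verdict on a deploy-capable role is the exposure the scanner in ic547's report was looking for, and `manager_webapp_present` tells you whether the delete-the-webapp option has actually been applied.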