There are increasing reports starting in July of 2008 and rising through August and September of an active exploit involving the default credentials for the tomcat manager app (not version specific).
I am writing to suggest the tomcat devs take some simple steps to help prevent novice users from becoming targets. More below...

I have encountered the malware in late September 2008. Here is what I have found:

1) There are several variants such as: fexcep.war OR fexcepkillshell.war OR fexcepshell.war OR fexcepspshell.war OR fexception.war OR fexshell.war OR fexsshell.war

2) It appears to be distributed using an automated scanner that looks for the manager app running on Tomcat port 8080 with the default password still intact: admin / admin. We were exploited on multiple live servers across different subnets, indicating active scanning for vulnerable hosts is occurring.

3) The code uploads and deploys a webapp to Tomcat through the manager app that:
   a) Checks if the OS is Windows. If not, it terminates.
   b) If it is Windows... then some variants immediately download and execute a binary from one of several possible servers. The binary presumably contains further malware.
   c) Other variants apparently wait to be invoked again by an external host that will provide the URL of a binary to download and execute.

I have found posts on several mailing lists of users who are infected by this and are unaware of how it was installed.

Given the widespread and increasing nature of this exploit, I think it would be prudent of the tomcat devs to alter the default installation to disable the tomcat manager by default or otherwise somehow require a non-default password to be set. True, this is not a bug of Tomcat, but it would help protect users if the default behavior prevented the inadvertent opening of this backdoor entry point.

Best Regards.
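The following is an added example, not part of the original post and not Tomcat project code. It shows the two checks an administrator would want after reading the report above: an audit of tomcat-users.xml for accounts that hold a manager role while still using the admin / admin default (or an empty password), and a pass over Tomcat access-log lines that flags requests to the manager app's deploy endpoints, marking any whose context path matches one of the WAR names listed in the report. The tomcat-users.xml snippet and the log lines are constructed sample input; the extra credential pairs beyond admin / admin, and the choice of which manager URLs count as "deploy" endpoints, are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Credential pairs treated as "default" for this audit. admin/admin is the pair
# named in the report; the other entries are constructed additions for the example.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", "")}

# WAR names of the variants listed in the report, reduced to their stems so they
# can be matched against the context path the manager app deploys them under.
KNOWN_VARIANT_WARS = {
    "fexcep.war", "fexcepkillshell.war", "fexcepshell.war", "fexcepspshell.war",
    "fexception.war", "fexshell.war", "fexsshell.war",
}
KNOWN_VARIANT_STEMS = {name[:-len(".war")] for name in KNOWN_VARIANT_WARS}

# Manager app URLs that install a new webapp (assumed set for this example).
MANAGER_DEPLOY_PATHS = ("/manager/deploy", "/manager/install", "/manager/html/upload")


def audit_tomcat_users(xml_text):
    """Return findings for users that hold a manager role with a default or empty password."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":
            continue
        # Tomcat accepts both 'username' (current) and 'name' (older) attributes.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        manager_roles = sorted(r for r in roles if r == "manager" or r.startswith("manager-"))
        if not manager_roles:
            continue  # a weak password on a non-manager account cannot deploy webapps
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append(f"{name}: default password with manager roles {manager_roles}")
        elif password == "":
            findings.append(f"{name}: empty password with manager roles {manager_roles}")
    return findings


# Tomcat AccessLogValve "common" pattern: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def find_manager_deployments(log_lines):
    """Return one dict per access-log line that hits a manager deploy endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(MANAGER_DEPLOY_PATHS):
            continue
        qs = parse_qs(parts.query)
        # Deploy requests name the context (?path=/foo) and/or the WAR (?war=...).
        context = (qs.get("path") or [""])[0]
        war = (qs.get("war") or [""])[0]
        stem = (context.strip("/") or war.rsplit("/", 1)[-1].rsplit(".", 1)[0]).lower()
        hits.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "method": m.group("method"),
            "path": parts.path,
            "context": stem,
            "status": int(m.group("status")),
            "known_variant": stem in KNOWN_VARIANT_STEMS,
        })
    return hits


# Constructed sample tomcat-users.xml: one account still on admin/admin with the manager role.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="admin" roles="manager,admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="ops" password="L0ng-random-passphrase" roles="manager"/>
</tomcat-users>
"""

# Constructed sample access-log lines (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [28/Sep/2008:03:13:55 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - admin [28/Sep/2008:03:14:07 +0000] "PUT /manager/deploy?path=/fexcepshell&update=true HTTP/1.1" 200 55',
    '203.0.113.7 - admin [28/Sep/2008:03:14:09 +0000] "GET /fexcepshell/ HTTP/1.1" 200 1284',
    '192.0.2.10 - ops [28/Sep/2008:09:00:01 +0000] "PUT /manager/deploy?path=/inventory HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("CONFIG:", finding)
    for hit in find_manager_deployments(SAMPLE_ACCESS_LOG):
        flag = "KNOWN VARIANT" if hit["known_variant"] else "review"
        print(f"DEPLOY: {hit['ip']} user={hit['user']} context=/{hit['context']} ({flag})")
```

Run it against a real `conf/tomcat-users.xml` and `logs/localhost_access_log.*.txt` by replacing the two sample inputs; the deploy check only inspects the request line, so uploads through the HTML form (where the WAR name travels in the multipart body) are reported with an empty context and still warrant a look at the webapps directory.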