Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-11 Thread Mark Thomas
Sameer Acharya wrote: Just a couple of questions on this. 1. I read your mail exchange and it seems that the OP has mentioned no Manager app was installed, but your analysis indicates that the rogue app was uploaded through the manager app? There were quite a few e-mails exchanged off list, main

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Sameer Acharya
detected by the firewall ? -Sameer --- On Sun, 8/10/08, Mark Thomas <[EMAIL PROTECTED]> wrote: > From: Mark Thomas <[EMAIL PROTECTED]> > Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED > To: "Tomcat Users List" > Date: Sunday, August 10, 2008, 1

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Hassan Schroeder
On Sun, Aug 10, 2008 at 2:21 PM, Len Popp <[EMAIL PROTECTED]> wrote: > I checked my server log and found that just this morning some computer > in China tried to poke at the manager app on my server. So it seems > that it wasn't an isolated incident, there's someone out there trying > to exploit T

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Len Popp
Thanks for figuring this out and posting the info. I checked my server log and found that just this morning some computer in China tried to poke at the manager app on my server. So it seems that it wasn't an isolated incident, there's someone out there trying to exploit Tomcat's manager app. Cavea
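
Len Popp's suggestion of checking the server log for probes against the manager app, worked through as an added example that is not part of the original thread or of Tomcat itself. The script below parses Tomcat access-log lines written with the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), picks out every request under /manager/ or /host-manager/, and rolls them up per client address so that repeated 401s followed by an authenticated deploy from an address outside the expected networks stands out. The manager paths watched (/manager/html, /manager/deploy, /manager/install, /manager/html/upload), the sample log lines and the trusted networks are all assumptions constructed for the example; a 200 on the text interface means the request was accepted, not that the deployment succeeded, since the manager reports OK or FAIL in the response body.

```python
"""Scan Tomcat access-log lines for activity against the Manager app.

Added example, not code from the original thread or from Tomcat.
Assumes the access log uses the AccessLogValve "common" pattern
(%h %l %u %t "%r" %s %b) and that the manager app lives under /manager.
The sample log lines and the trusted networks below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Anything under these prefixes touches the manager or host-manager app.
MANAGER_PREFIXES = ("/manager/", "/host-manager/")

# Paths that push a WAR onto the server (assumed: text interface deploy/install
# plus the HTML UI upload form). A PUT anywhere under /manager is treated the same.
DEPLOY_PATHS = ("/manager/deploy", "/manager/install", "/manager/html/upload")

# Constructed: the networks the kiosks and the admin VPN are expected to use.
TRUSTED_NETS = [ip_network("192.168.1.0/24"), ip_network("10.8.0.0/24")]

# Constructed sample log; 203.0.113.45 is a documentation address standing in
# for an unknown external client.
SAMPLE_LOG = """\
192.168.1.20 - - [14/Jul/2008:09:12:01 -0700] "GET /kiosk/index.jsp HTTP/1.1" 200 4521
203.0.113.45 - - [14/Jul/2008:03:41:07 -0700] "GET /manager/html HTTP/1.1" 401 1293
203.0.113.45 - - [14/Jul/2008:03:41:09 -0700] "GET /manager/html HTTP/1.1" 401 1293
203.0.113.45 - admin [14/Jul/2008:03:41:12 -0700] "GET /manager/html HTTP/1.1" 200 9876
203.0.113.45 - admin [14/Jul/2008:03:41:30 -0700] "PUT /manager/deploy?path=/x&update=true HTTP/1.1" 200 75
203.0.113.45 - - [14/Jul/2008:03:41:35 -0700] "GET /x/index.jsp HTTP/1.1" 200 321
10.8.0.5 - admin [15/Jul/2008:10:02:44 -0700] "GET /manager/list HTTP/1.1" 200 512
"""


def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(host):
    """True when the client address falls inside one of TRUSTED_NETS."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec):
    """Label a manager request; None for requests to other webapps."""
    path = rec["path"].split("?", 1)[0]
    if not path.startswith(MANAGER_PREFIXES):
        return None
    status = int(rec["status"])
    if path.startswith(DEPLOY_PATHS) or rec["method"] == "PUT":
        # 200 here means the manager accepted the request; the body says OK/FAIL.
        return "deploy" if status == 200 else "deploy-rejected"
    if status in (401, 403):
        return "auth-failure"
    return "manager-access"


def scan(lines):
    """Return one finding per manager-app request in the given log lines."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        findings.append({
            "host": rec["host"],
            "trusted": is_trusted(rec["host"]),
            "user": rec["user"],
            "path": rec["path"].split("?", 1)[0],
            "label": label,
            "time": rec["time"],
        })
    return findings


def summarize(findings):
    """Per-host roll-up: auth failures, accepted deploys and user names seen."""
    per_host = {}
    for f in findings:
        h = per_host.setdefault(f["host"], {
            "trusted": f["trusted"], "manager_hits": 0,
            "auth_failures": 0, "deploys": [], "users": set(),
        })
        h["manager_hits"] += 1
        if f["label"] == "auth-failure":
            h["auth_failures"] += 1
        elif f["label"] == "deploy":
            h["deploys"].append(f["path"])
        if f["user"] != "-":
            h["users"].add(f["user"])
    return per_host


def flagged(summary):
    """Hosts worth a closer look: untrusted, or any accepted deploy at all."""
    return sorted(h for h, info in summary.items()
                  if not info["trusted"] or info["deploys"])


if __name__ == "__main__":
    summary = summarize(scan(SAMPLE_LOG.splitlines()))
    for host in flagged(summary):
        print(host, summary[host])
```

Run it against the real access log with `scan(open(path))`; the interesting pattern is the one the constructed sample reproduces, a burst of 401s from one address, then a 200 on /manager/html with a user name, then a deploy, followed by the first request to the freshly deployed context.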

Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

2008-08-10 Thread Mark Thomas
Folks, Just a short note to let you know that Warren and I have been working this off-list and have identified how this attack was launched. I'd like to take this opportunity to publicly thank Warren for taking the time to work with me on this when he had a lot more important things to do th

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-09 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: Another thought occurs to me. If this server is only accessible via the firewall and the firewall is locked down to just port 8080 how did you get the source for the JSP you posted originally? Through a VPN connection No questions here - just checking m

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter, Peter Crowther wrote: | That's a nice little JSP - once it's on the system, the attacker can | do anything they like that's allowed by the outbound firewall, with | the privilege of the user running Tomcat. Yeah, pretty much. This is one of

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Peter Crowther wrote: From: Warren Bell [mailto:[EMAIL PROTECTED] [details of attack elided] The network that the server is on has a Linksys RV082 small business router with the firewall completely locked down except for port 8080 available only to the networks with the kiosks. The kios

RE: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Peter Crowther
> From: Warren Bell [mailto:[EMAIL PROTECTED] [details of attack elided] > The network that the server is on has a Linksys RV082 small business > router with the firewall completely locked down except for port 8080 > available only to the networks with the kiosks. The kiosks are on a > basic Linksy

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there is no possible sql injection vulnerabil

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there is no possible sql injection vulnerabilities either. And no

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there is no possible sql injection vulnerabilities either. And none of the apps execu

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
And a follow up question - are you using the invoker servlet at all? Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: Mark Thomas wrote: - What other webapps are installed on the Tomcat instance? Several, they are all intranet apps that do not have any download/upload capabilities and there is no possible sql injection vulnerabilities either. And none of the apps execute any programs loca

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
Mark Thomas wrote: Warren Bell wrote: I have found a war file on my server that appeared around July 14. I am the only one that has access to this machine and I did not put it there. It consists of a jsp that downloads a program named init.exe and then executes it. This server is on a private

Re: Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Mark Thomas
Warren Bell wrote: I have found a war file on my server that appeared around July 14. I am the only one that has access to this machine and I did not put it there. It consists of a jsp that downloads a program named init.exe and then executes it. This server is on a private network. Though ther

Possible virus uploaded to Tomcat 5.5.3

2008-08-08 Thread Warren Bell
I have found a war file on my server that appeared around July 14. I am the only one that has access to this machine and I did not put it there. It consists of a jsp that downloads a program named init.exe and then executes it. This server is on a private network. Though there are three pc kios