Posted to users@tomcat.apache.org by Pete Helgren <pe...@valadd.com> on 2020/06/17 19:21:30 UTC

Cryptominer malware and Tomcat

I have a situation where I have had "Kinsing" crypto-mining software get
installed twice on a VM that runs Liferay and Tomcat.  Based on what I
have read about this crypto-miner, it seems to target Linux VMs running
Docker images and/or an open redis port.  I have none of that on this VM.

The VM is running CentOS 8.  The Tomcat version I am running is 8.0.32,
java openjdk version "1.8.0_252" OpenJDK Runtime Environment (build
1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode).
It is hosting Liferay 7.0.4 GA5.

The VM running Tomcat/Liferay is served through a reverse proxy listening
on port 443 that passes traffic back to the Tomcat instance listening on
7080.  The VM has ONLY ports 7080, 7009, and 7005 open (firewalld).  I am
trying to sort out how the crypto miner has installed itself.
Originally, I had a CentOS 7 VM but after the first episode, I started
from scratch, locked down the VM and re-installed the Liferay bundle
with Tomcat 8.0.32.  After about 2 weeks, the miner was back.  I can't
figure out how it is installing itself.  I read through the CVEs on
this version of Tomcat and nothing jumped out at me.  We don't use JMX
or AJP. It's just Tomcat with Liferay.

I am starting here since it's only the TC port that is open and yes, 
it's possible that Liferay may have a vulnerability.  I just need ideas 
on where to start looking.  I am going to try to jump to the latest 
Liferay/Tomcat bundle but it isn't an easy upgrade and may take a bit....

-- 
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek  IBM_i_Geek


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Cryptominer malware and Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pete,

On 6/17/20 17:44, Pete Helgren wrote:
> I am going to guess that it is one of these two known
> vulnerabilities:
>
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981) The
> JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
>
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961) The JSONWebServiceActionParametersMap of
> Liferay Portal allows the instantiation of arbitrary classes and
> invocation of arbitrary setter methods.
>
> Found the signature in the logs and it's pretty clear that that is
> what we are up against.  However, if something else comes to mind,
> feel free to post back.  I did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended
> up with the miner.
>
> I have some updating to do....

Definitely update Liferay if these are known vulns.

You ought to upgrade Tomcat as well, since 8.0 is no longer supported.
8.0.32 is more than 4 years out of date. Latest 8.0.x release was
8.0.53 before support was dropped in favor of Tomcat 8.5.

> The VM running Tomcat/Liferay is served through reverse proxy
> listening on port 443 and passes traffic back to the Tomcat
> instance listening on 7080.  The VM has ONLY ports 7080, 7009, and
> 7005 open (firewalld)

What is the proxy protocol in use? Are those ports on the Tomcat end
only allowing connections from the reverse proxy? What are ports 7009
and 7005 open for? How do you make remote-connections to the server?

-chris

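Chris's questions above (whether the Tomcat-side ports accept connections only from the reverse proxy, and what 7009 and 7005 are open for) can be answered mechanically from server.xml. The script below is an added example written for this thread; it is not code from the thread, from Tomcat or from Liferay. It audits a server.xml for connectors with no address binding (listening on every interface), for an AJP connector left enabled, and for a RemoteAddrValve whose allow regex admits the proxy. The stock Tomcat server.xml ships an AJP connector on 8009 and a shutdown listener on 8005 next to HTTP on 8080; that 7009 and 7005 play those roles in this Liferay bundle is an assumption, as are the proxy address 10.0.0.5, the internal address 10.0.0.12 and both server.xml documents, which are constructed for the example.

```python
"""Audit a Tomcat server.xml for connectors reachable from more than the reverse proxy.

Added example for this thread; the two server.xml documents, the proxy address
10.0.0.5 and the internal address 10.0.0.12 are constructed, not the poster's.
"""
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def audit_server_xml(xml_text, proxy_addr):
    """Return a list of findings (empty when the configuration looks tight)."""
    # ElementTree drops XML comments, so a commented-out Connector is not seen,
    # which matches how Tomcat treats it.
    root = ET.fromstring(xml_text)
    findings = []

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when absent
        if protocol.upper().startswith("AJP"):
            findings.append(f"port {port}: AJP connector enabled; remove it if no proxy speaks AJP")
        if not conn.get("address"):
            # Without address= the connector listens on every interface of the VM,
            # so only the firewall stands between it and the internet.
            findings.append(f"port {port}: no address attribute, connector listens on all interfaces")

    # RemoteAddrValve matches the client IP against its 'allow' regex; we want
    # one that admits the proxy and, by omission, nothing else.
    restricted = False
    for valve in root.iter("Valve"):
        allow = valve.get("allow")
        if valve.get("className") == REMOTE_ADDR_VALVE and allow and re.fullmatch(allow, proxy_addr):
            restricted = True
    if not restricted:
        findings.append(f"no RemoteAddrValve restricts clients to the reverse proxy ({proxy_addr})")
    return findings


# Constructed: the shape of a stock server.xml with the ports shifted to 70xx.
WEAK_SERVER_XML = """<Server port="7005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="7009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed: HTTP bound to the VM's internal address only, AJP commented out,
# and a RemoteAddrValve that admits loopback and the proxy (10.0.0.5) only.
HARDENED_SERVER_XML = r"""<Server port="7005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7080" address="10.0.0.12" protocol="HTTP/1.1"
               proxyPort="443" scheme="https" secure="true"/>
    <!-- <Connector port="7009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|10\.0\.0\.5"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

PROXY_ADDR = "10.0.0.5"

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"== {label} ==")
        for finding in audit_server_xml(doc, PROXY_ADDR) or ["no findings"]:
            print("  " + finding)
```

Point it at the real file with audit_server_xml(open("conf/server.xml").read(), "<proxy ip>"). Binding the connector to one address and adding the valve are belt and braces on top of firewalld: the firewall rule should likewise limit 7080 to the proxy's source address rather than leaving the port open to everyone, and a port nothing legitimately connects to should not be open at all.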


Re: Cryptominer malware and Tomcat

Posted by Olaf Kock <to...@olafkock.de>.
Hi Pete,

On 17.06.20 23:44, Pete Helgren wrote:
> I am going to guess that it is one of these two known vulnerabilities:
>
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
> The JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
>
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961)
> The JSONWebServiceActionParametersMap of Liferay Portal allows the
> instantiation of arbitrary classes and invocation of arbitrary setter
> methods.
>
> Found the signature in the logs and it's pretty clear that that is
> what we are up against.  However, if something else comes to mind,
> feel free to post back.  I did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended up
> with the miner.
>
> I have some updating to do....
>
Correct analysis.

What you need is this update
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1

And while you're at it: There has been another patch published this
month
https://liferay.dev/blogs/-/blogs/june-2020-security-patches-for-liferay-portal-7-1-and-7-2

Best,

Olaf




Re: Cryptominer malware and Tomcat

Posted by Pete Helgren <pe...@valadd.com>.
I am going to guess that it is one of these two known vulnerabilities:

CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
The JSONDeserializer of Flexjson allows the instantiation of arbitrary 
classes and the invocation of arbitrary setter methods.

CST-7205: Unauthenticated Remote code execution via JSONWS 
(LPS-97029/CVE-2020-7961)
The JSONWebServiceActionParametersMap of Liferay Portal allows the 
instantiation of arbitrary classes and invocation of arbitrary setter 
methods.

Found the signature in the logs and it's pretty clear that that is what 
we are up against.  However, if something else comes to mind, feel free 
to post back.  I did come across a couple of other posts where the OP
said there was nothing but Tomcat and they also ended up with the miner.

I have some updating to do....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek  IBM_i_Geek

On 6/17/2020 2:21 PM, Pete Helgren wrote:
> I have a situation where I have had "Kinsing" crypto-mining software 
> get installed twice on a VM that runs Liferay and Tomcat.  Based on 
> what I have read about this crypto-miner, it seems to target Linux VMs
> running Docker images and/or an open redis port.  I have none of that
> on this VM.
>
> The VM is running CentOS 8.   The tomcat version I am running is 
> 8.0.32, java openjdk version "1.8.0_252" OpenJDK Runtime Environment 
> (build 1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09, 
> mixed mode).  It is hosting  Liferay 7.0.4 GA5.
>
> The VM running Tomcat/Liferay is served through a reverse proxy
> listening on port 443 that passes traffic back to the Tomcat instance
> listening on 7080.  The VM has ONLY ports 7080, 7009, and 7005 open
> (firewalld).  I am trying to sort out how the crypto miner has
> installed itself.  Originally, I had a CentOS 7 VM but after the
> first episode, I started from scratch, locked down the VM and
> re-installed the Liferay bundle with Tomcat 8.0.32.  After about 2
> weeks, the miner was back.  I can't figure out how it is installing
> itself.  I read through the CVEs on this version of Tomcat and
> nothing jumped out at me.  We don't use JMX or AJP. It's just Tomcat
> with Liferay.
>
> I am starting here since it's only the TC port that is open and yes, 
> it's possible that Liferay may have a vulnerability.  I just need 
> ideas on where to start looking.  I am going to try to jump to the 
> latest Liferay/Tomcat bundle but it isn't an easy upgrade and may take 
> a bit....
>

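Pete says above that the signature was in the logs. The scanner below is an added example written for this thread (not code from the thread, Liferay or Tomcat) that shows what such a hunt looks like over Tomcat access-log lines in the common format. It flags requests to Liferay's /api/jsonws endpoint that did not arrive from the reverse proxy, and requests whose query string carries a typed parameter naming a class outside Liferay's own packages; my understanding is that JSONWS writes typed parameters as +name:fully.qualified.Class, and that the class chosen there is what CVE-2020-7961 let callers instantiate (the thread's own description: instantiation of arbitrary classes and invocation of arbitrary setter methods), but treat that syntax as an assumption. The log lines, the proxy address 10.0.0.5, the attacker address 203.0.113.7, the paths and the class name com.example.Gadget are all constructed for the example.

```python
"""Flag Liferay JSONWS abuse in Tomcat access logs (added example for this thread).

The sample log lines, the proxy address 10.0.0.5, the attacker address
203.0.113.7 and the class com.example.Gadget are constructed, not real data.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

JSONWS_PREFIX = "/api/jsonws"
# JSONWS typed parameters are written "+name:fully.qualified.Class" (assumption,
# see lead-in); the class named there is what CVE-2020-7961 let callers choose.
TYPED_PARAM_RE = re.compile(r"^\+[^:]+:(?P<cls>[\w.$]+)$")
# Only Liferay's own classes are expected in typed parameters (constructed allow-list).
EXPECTED_PREFIXES = ("com.liferay.",)


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Yield (name, value) pairs from the query string without turning '+' into a space.

    parse_qsl() would do that conversion, which hides the very '+' prefix we look
    for; a literal '+' and a %2B-encoded one both come out as '+' here.
    """
    query = urlsplit(target).query
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        yield unquote(name), unquote(value)


def typed_classes(target):
    """Class names requested through '+param:Class' query parameters."""
    classes = []
    for name, _ in query_params(target):
        m = TYPED_PARAM_RE.match(name)
        if m:
            classes.append(m.group("cls"))
    return classes


def scan(lines, proxy_addr):
    """Return (findings, hits_per_source) for JSONWS requests that look wrong."""
    findings = []
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skip it
        path = urlsplit(rec["target"]).path
        if not path.startswith(JSONWS_PREFIX):
            continue
        reasons = []
        if rec["host"] != proxy_addr:
            # Legitimate traffic arrives via the proxy on 443; a direct hit on the
            # Tomcat port means the firewall rule is wider than intended.
            reasons.append("jsonws request not from reverse proxy")
        for cls in typed_classes(rec["target"]):
            if not cls.startswith(EXPECTED_PREFIXES):
                reasons.append(f"typed parameter instantiates {cls}")
        if reasons:
            hits[rec["host"]] += 1
            findings.append({"host": rec["host"], "ts": rec["ts"], "method": rec["method"],
                             "path": path, "status": rec["status"], "reasons": reasons})
    return findings, hits


PROXY_ADDR = "10.0.0.5"

# Constructed sample: two normal lines through the proxy, one typed parameter
# naming a Liferay class (allowed), one direct JSONWS probe, one direct request
# asking JSONWS to instantiate a class outside Liferay, and one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2020:09:01:02 +0000] "GET /web/guest/home HTTP/1.1" 200 14211',
    '10.0.0.5 - - [15/Jun/2020:09:02:10 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 77',
    '10.0.0.5 - - [15/Jun/2020:09:02:11 +0000] "GET /api/jsonws/foo/bar?%2Barg:com.liferay.portal.kernel.Thing=1 HTTP/1.1" 200 10',
    '203.0.113.7 - - [16/Jun/2020:03:12:30 +0000] "GET /api/jsonws/country/get-countries HTTP/1.1" 200 3012',
    '203.0.113.7 - - [16/Jun/2020:03:12:41 +0000] "GET /api/jsonws/foo/bar?id=1&+arg:com.example.Gadget=x HTTP/1.1" 500 0',
    'not an access log line',
]

if __name__ == "__main__":
    found, per_host = scan(SAMPLE_LOG, PROXY_ADDR)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
    print("hits per source:", dict(per_host))
```

Two caveats when running this against real logs: %h records the proxy's address for proxied requests unless a RemoteIpValve rewrites it from X-Forwarded-For, so the "not from proxy" check only catches connections that bypassed the proxy; and POST bodies are never in the access log, so a payload sent as form data rather than in the query string will not show a typed parameter here. Log hunting confirms what happened; the patch Olaf links above is the fix.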