Posted to users@tomcat.apache.org by Mohan Kumar G <g....@ymail.com> on 2012/11/27 08:21:42 UTC
malware found the tomcat 6.0.29
We have found malware installed on Tomcat version
6.0.29 on two of the servers. Both servers have a war file
(Tomcatmanagxesaxsas.war) that installed several JavaScript files to the
Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
an additional war file (Jeroy.war) that appears to also be a JavaScript remote
file browser, even though we followed all the security settings needed for
the Tomcat container.
The steps below were followed to secure the Tomcat container:
1) Removed the default examples under CATALINA_HOME/webapps
like jsp-examples, servlet-examples, tomcat-docs, webdav
2) Make sure the default servlet is configured not to serve
index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml:
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value> <!-- make sure this is false -->
    </init-param>
3) context.xml:
HttpOnly configuration: Tomcat versions support the
HttpOnly [1] cookie option.
This is configured in the conf/context.xml file:
    <Context useHttpOnly="true">
4) server.xml:
In server.xml, for all the connectors, we have added
    secure="true"
5) Make sure all the
sample user and role entries are commented out in the
CATALINA_HOME/conf/tomcat-users.xml file.
Let us know if anything is missing from the security settings.
Thanks, Mohan
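As an added example (not code from this thread or from Tomcat), the script below audits a CATALINA_HOME for the five points listed above, plus the manager and host-manager applications, which the list does not mention. It builds a deliberately weak sample layout in a temporary directory so it runs offline; the file contents, webapp names and the "admin" account are constructed, not taken from the poster's servers. The check on secure="true" follows the documented meaning of that connector attribute: it only makes request.isSecure() return true and adds no TLS.

```python
"""Audit a Tomcat 6.0.x/7.0.x CATALINA_HOME for the hardening points in this thread.
Added example, not code from the thread or from Tomcat; the layout it audits is
constructed in a temporary directory so the script runs offline."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configuration, deliberately weak so every check fires once.
SAMPLE_FILES = {
    "conf/web.xml": """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet></web-app>""",
    "conf/context.xml": "<Context></Context>",
    "conf/server.xml": """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" secure="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>""",
    "conf/tomcat-users.xml": """<tomcat-users>
  <!-- <user username="tomcat" password="tomcat" roles="manager"/> -->
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
</tomcat-users>""",
}
SAMPLE_WEBAPPS = ["ROOT", "manager", "host-manager", "examples", "myapp"]

# Stock webapps that do not belong on a production server (names vary by version)
# and the roles that grant the manager/host-manager apps (6.0.x and 7.0.x names).
RISKY_WEBAPPS = {"manager", "host-manager", "examples", "docs",
                 "jsp-examples", "servlet-examples", "tomcat-docs"}
MANAGER_ROLES = {"manager", "admin", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}


def _local(tag):
    """Drop the XML namespace so web.xml elements match whatever xmlns is declared."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def build_sample_home():
    """Write the constructed layout to a temp dir and return its path."""
    home = tempfile.mkdtemp(prefix="catalina_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    for app in SAMPLE_WEBAPPS:
        os.makedirs(os.path.join(home, "webapps", app), exist_ok=True)
    return home


def audit_catalina_home(home):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    def conf(name):
        return ET.parse(os.path.join(home, "conf", name)).getroot()

    # 1) Stock applications: manager/host-manager are the classic foothold when left
    #    reachable; the examples and docs apps are attack surface with no business value.
    for name in sorted(os.listdir(os.path.join(home, "webapps"))):
        if name in RISKY_WEBAPPS:
            findings.append(f"webapps/{name} deployed: remove it or restrict access to it")

    # 2) Directory listings on the default servlet (recon/DoS, not a foothold).
    for servlet in conf("web.xml").iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-name") == "default":
            for param in servlet:
                if (_local(param.tag) == "init-param" and _child_text(param, "param-name") == "listings"
                        and _child_text(param, "param-value").lower() == "true"):
                    findings.append("conf/web.xml: default servlet has listings=true")

    # 3) HttpOnly session cookies (off by default on 6.0.x).
    if conf("context.xml").get("useHttpOnly", "").lower() != "true":
        findings.append('conf/context.xml: <Context> lacks useHttpOnly="true"')

    # 4) secure="true" only makes request.isSecure() return true; on a connector
    #    without TLS it misleads the application and encrypts nothing.
    for conn in conf("server.xml").iter("Connector"):
        if conn.get("secure", "").lower() == "true" and conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f'conf/server.xml: Connector port {conn.get("port")} sets secure="true" '
                            'without SSLEnabled="true": no TLS, only request.isSecure() changes')

    # 5) Live manager accounts.  ElementTree drops XML comments, so a commented-out
    #    sample user is correctly ignored here.
    for user in conf("tomcat-users.xml").iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")} & MANAGER_ROLES
        if roles:
            name = user.get("username") or user.get("name")
            findings.append(f"conf/tomcat-users.xml: active user {name!r} holds {sorted(roles)}")
    return findings


if __name__ == "__main__":
    for finding in audit_catalina_home(build_sample_home()):
        print(finding)
```

Point audit_catalina_home() at a real installation to use it; on the constructed layout it reports the three stock webapps, the listings flag, the missing useHttpOnly, the plain-HTTP connector carrying secure="true" and the live admin account, and stays silent on the commented-out sample user and on the TLS connector.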
Re: malware found the tomcat 6.0.29
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 11/27/12 4:23 AM, Mark Thomas wrote:
> On 27/11/2012 07:21, Mohan Kumar G wrote:
>>
>> We have found the malware installed on the tomcat version 6.0.29
>> on two of the servers. Both servers have a war file
>> (Tomcatmanagxesaxsas.war) that installed several java script
>> files to the Tomcat webserver that allow for remote access over
>> the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war)
>> that appears to also be a java script remote file browser.
>
> Could you send copies of those WAR files to
> security@tomcat.apache.org please.
>
>> Even though we followed all the security settings needed for
>> the tomcat container.
>
> You are running a 2 year old version of Tomcat 6.0.x with multiple
> known security vulnerabilities. There are several vulnerabilities
> that could have provided an attacker with the necessary foothold to
> start an attack.
+1
There are also plenty of ways that the attacker could have gotten
access to the system through other means, and then installed the WAR
file for an easier return.
- -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: malware found the tomcat 6.0.29
Posted by Mark Thomas <ma...@apache.org>.
On 27/11/2012 07:21, Mohan Kumar G wrote:
>
> We have found the malware installed on the tomcat version
> 6.0.29 on two of the servers. Both servers have a war file
> (Tomcatmanagxesaxsas.war) that installed several java script files to the
> Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
> an additional war file (Jeroy.war) that appears to also be a java script remote
> file browser.
Could you send copies of those WAR files to security@tomcat.apache.org
please.
> Even though we followed all the security settings needed for
> the tomcat container.
You are running a two-year-old version of Tomcat 6.0.x with multiple known
security vulnerabilities. There are several vulnerabilities that could
have provided an attacker with the necessary foothold to start an attack.
> The below steps are followed to secure the tomcat container:
>
> 1) Removed the default examples under CATALINA_HOME/webapps
> like jsp-examples, servlet-examples, tomcat-docs, webdav
What about the manager and host-manager applications (a favourite route
for attackers if not correctly secured)?
> 2) Make sure the default servlet is configured not to serve
> index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml
That is pretty low on the list of things to do and only of use if you
have directories with thousands of files (to prevent a DoS generating
the listings).
> 3) Context.xml :
>
> <Context useHttpOnly="true">
Good.
> 4) server.xml :
>
> In the server.xml for all the connector , we have added
> secure="true"
Do you understand what that does? It does not magically make things more
secure.
> 5) Make sure all the
> sample user and role entries are commented out in the
> CATALINA_HOME/conf/tomcat-users.xml file
They are by default.
> Let us know if anything missing as part of security settings
The following list is for 7.0.x but most applies to 6.0.x as well:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
An upgrade to at least the latest 6.0.x release is highly recommended.
Also, check any functionality that allows a remote user to upload
content to the server. Make absolutely sure there is no way they can
upload files to the webapps directory.
Some additional questions:
- Anything interesting in the access log?
- Do you know how the attack was mounted?
- How did you detect the attack?
Mark
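Mark's first question is about the access log. As an added example (not the poster's logs and not Tomcat code), the script below triages access_log lines in the default AccessLogValve "common" pattern. It flags deployments through the manager application, successful manager access, repeated manager authentication failures per source address, and requests to contexts that are not in your own list of deployed applications. The log lines are constructed: the addresses, the "admin" user and the timestamps are made up, and the two unknown contexts simply reuse the WAR names from the report; the allowlist of known contexts is an assumption you would replace with your real deployments.

```python
"""Triage Tomcat access_log lines for manager-application deployments and requests
to web application contexts you never deployed.  Added example for this thread, not
the poster's logs or Tomcat code; the lines below are constructed in the default
AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b)."""
import re
from collections import Counter

# Constructed sample lines.  The two unknown contexts reuse the WAR names from the
# report; the IPs, the user and the timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2012:22:14:03 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [26/Nov/2012:22:15:41 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [26/Nov/2012:22:15:44 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - admin [26/Nov/2012:22:15:52 +0000] "GET /manager/html HTTP/1.1" 200 9012
198.51.100.7 - admin [26/Nov/2012:22:16:10 +0000] "PUT /manager/deploy?path=/Jeroy&update=true HTTP/1.1" 200 45
198.51.100.7 - - [26/Nov/2012:22:16:31 +0000] "GET /Jeroy/ HTTP/1.1" 200 3200
10.0.0.5 - - [26/Nov/2012:22:17:02 +0000] "GET /myapp/login.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [26/Nov/2012:22:18:45 +0000] "GET /Tomcatmanagxesaxsas/ HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)$')

# Manager endpoints that put a new application on disk.  On 6.0.x the text interface
# lives directly under /manager; 7.0.x moved it to /manager/text.  /manager/html/upload
# is the WAR upload form of the HTML interface.
DEPLOY_PATHS = ("/manager/deploy", "/manager/text/deploy", "/manager/html/upload")
ADMIN_CONTEXTS = {"manager", "host-manager"}


def parse_line(line):
    """Return the fields of one common-format line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def context_of(path):
    """Context name of a request path: '/Jeroy/x?y=1' -> 'Jeroy', '/' -> '' (ROOT)."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]


def triage(log_text, known_contexts, auth_fail_threshold=2):
    """Return (kind, detail) findings.  known_contexts lists the contexts you deployed
    yourself (ROOT is always allowed); any other context that is being requested
    deserves a look, whatever status it answered with."""
    known = set(known_contexts)
    findings, manager_401s = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("unparsed", raw))
            continue
        path, ctx = rec["path"].split("?", 1)[0], context_of(rec["path"])
        summary = f'{rec["ip"]} user={rec["user"]} {rec["method"]} {rec["path"]} -> {rec["status"]}'
        if path.startswith(DEPLOY_PATHS):
            findings.append(("deploy", summary))          # someone pushed a WAR
        elif ctx in ADMIN_CONTEXTS:
            if rec["status"] == "401":
                manager_401s[rec["ip"]] += 1              # password guessing?
            else:
                findings.append(("manager-access", summary))
        elif ctx and ctx not in known:
            findings.append(("unknown-context", f"{summary} (context /{ctx} not deployed by us)"))
    for ip, count in manager_401s.items():
        if count >= auth_fail_threshold:
            findings.append(("manager-auth-failures", f"{ip}: {count} x 401 on the manager app"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, known_contexts=["myapp"]):
        print(f"[{kind}] {detail}")
```

On the constructed lines this reports one deploy (the PUT that installed /Jeroy), one authenticated manager session, two requests to contexts that were never deployed, and two 401s from the same address before the login succeeded. If the access log shows nothing of the kind, that supports Chris's point that the WAR files may have been dropped into webapps/ by some other route, and the host itself needs to be examined.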