Posted to users@tomcat.apache.org by Mohan Kumar G <g....@ymail.com> on 2012/11/27 08:21:42 UTC

malware found the tomcat 6.0.29


We have found malware installed on Tomcat version
6.0.29 on two of our servers. Both servers have a WAR file
(Tomcatmanagxesaxsas.war) that installed several java script files to the
Tomcat web server that allow remote access over the web. OD-VA-W-AG-87 had
an additional WAR file (Jeroy.war) that appears to also be a java script remote
file browser. This is even though we followed all the security settings needed for
the Tomcat container.

 

The following steps were taken to secure the Tomcat container:

1) Removed the default example applications under CATALINA_HOME/webapps
(jsp-examples, servlet-examples, tomcat-docs, webdav).

2) Made sure the default servlet is configured not to serve
index pages when a welcome file is not present, in CATALINA_HOME/conf/web.xml:

    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>  <!-- make sure this is false -->
    </init-param>

 

3) context.xml:

HttpOnly configuration: Tomcat versions support the
HttpOnly [1] cookie option. This is configured in conf/context.xml:

    <Context useHttpOnly="true">

4) server.xml:

In server.xml, for all the connectors, we have added
secure="true".

 

5) Made sure all the sample user and role entries are commented out in the
CATALINA_HOME/conf/tomcat-users.xml file.

Let us know if anything is missing from the security settings.

Thanks,
Mohan
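
The five steps above are the kind of checklist that is easy to tick off without ever looking at what is actually deployed. As an added example (not part of Mohan's post and not Tomcat's own tooling), here is a Python script that audits a CATALINA_HOME for those points and for the ones the list usually asks about next: manager/host-manager still deployed, unexpected WARs or directories under webapps, sample users left live in tomcat-users.xml, and secure="true" on a connector that has no SSLEnabled, where it only changes what request.isSecure() reports and encrypts nothing. The sample CATALINA_HOME it builds in a temporary directory is constructed for the demonstration; EXPECTED_APPS, the sample XML and the stand-in WAR name are assumptions, not findings from the reporter's servers.

```python
"""Audit a Tomcat 6/7 CATALINA_HOME for the hardening points in the thread (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

EXPECTED_APPS = {"ROOT", "myapp"}  # assumption: the contexts this host is meant to serve
SAMPLE_APPS = {"examples", "jsp-examples", "servlet-examples", "docs", "tomcat-docs", "webdav"}
ADMIN_APPS = {"manager", "host-manager"}
ADMIN_ROLES = {"admin", "manager", "manager-gui", "manager-script", "manager-jmx", "manager-status"}


def _local(tag):
    """Drop the XML namespace ({uri}name -> name); conf/web.xml is namespaced."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(path):
    """secure="true" only makes request.isSecure() return true; flag it on plain HTTP connectors."""
    findings = []
    for conn in ET.parse(path).getroot().iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        if conn.get("secure", "false").lower() == "true" and not tls:
            findings.append(f'connector {conn.get("port")}: secure="true" without SSLEnabled '
                            "(no TLS on this connector; only meaningful behind a TLS-terminating proxy)")
    return findings


def audit_web_xml(path):
    """Report the default servlet's 'listings' init-param when it is not false."""
    findings = []
    for servlet in ET.parse(path).getroot().iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-name").strip()
        if name != "default":
            continue
        listings = "false"  # Tomcat's default when the param is absent
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if kv.get("param-name") == "listings":
                listings = kv.get("param-value", "false")
        if listings.lower() != "false":
            findings.append(f"default servlet: listings={listings}, directory listings are enabled")
    return findings


def audit_tomcat_users(path):
    """ElementTree discards XML comments, so every <user> it returns is live."""
    findings = []
    for user in ET.parse(path).getroot().iter("user"):
        roles = {r.strip() for r in (user.get("roles") or "").split(",")}
        if roles & ADMIN_ROLES:
            findings.append(f"tomcat-users: live user {user.get('username')!r} has roles "
                            f"{sorted(roles & ADMIN_ROLES)}")
    return findings


def audit_webapps(webapps_dir):
    findings = []
    for entry in sorted(os.listdir(webapps_dir)):
        name = entry[:-4] if entry.endswith(".war") else entry
        if name in SAMPLE_APPS:
            findings.append(f"webapps: sample application {entry} still deployed")
        elif name in ADMIN_APPS:
            findings.append(f"webapps: {entry} deployed; remove it, or restrict it by address and credentials")
        elif name not in EXPECTED_APPS:
            findings.append(f"webapps: unexpected deployment {entry}; treat as a possible webshell")
    return findings


def run_audit(home):
    conf = os.path.join(home, "conf")
    return {"server.xml": audit_server_xml(os.path.join(conf, "server.xml")),
            "web.xml": audit_web_xml(os.path.join(conf, "web.xml")),
            "tomcat-users.xml": audit_tomcat_users(os.path.join(conf, "tomcat-users.xml")),
            "webapps": audit_webapps(os.path.join(home, "webapps"))}


# Constructed sample CATALINA_HOME reproducing the misconfigurations discussed above.
SAMPLE_FILES = {
    "server.xml": '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
                  '<Connector port="8080" protocol="HTTP/1.1" secure="true"/>'
                  '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>'
                  '</Service></Server>',
    "web.xml": '<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>'
               '<servlet-name>default</servlet-name>'
               '<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>'
               '<init-param><param-name>listings</param-name><param-value>true</param-value></init-param>'
               '</servlet></web-app>',
    "tomcat-users.xml": '<tomcat-users>'
                        '<!-- <user username="tomcat" password="tomcat" roles="tomcat"/> -->'
                        '<user username="deploy" password="changeme" roles="manager,admin"/>'
                        '</tomcat-users>',
}


def build_sample_home():
    home = tempfile.mkdtemp(prefix="catalina-")
    os.makedirs(os.path.join(home, "conf"))
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(home, "conf", name), "w") as fh:
            fh.write(body)
    for app in ("ROOT", "myapp", "manager", "tomcat-docs"):
        os.makedirs(os.path.join(home, "webapps", app))
    open(os.path.join(home, "webapps", "Tomcatmanagxesaxsas.war"), "wb").close()  # empty stand-in
    return home


if __name__ == "__main__":
    for area, items in run_audit(build_sample_home()).items():
        for item in items:
            print(f"[{area}] {item}")
```

Point run_audit at a real CATALINA_HOME and the webapps check is the one to act on first: a context you did not deploy is the same kind of artefact the reporter found. Note the comment-stripping behaviour in audit_tomcat_users: it is what lets the script tell a commented-out sample user from a live one.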



Re: malware found the tomcat 6.0.29

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 11/27/12 4:23 AM, Mark Thomas wrote:
> On 27/11/2012 07:21, Mohan Kumar G wrote:
>> 
>> We have found the malware installed on the tomcat version 6.0.29
>> on two of the servers.The both servers have a war file 
>> (Tomcatmanagxesaxsas.war) that installed several java script
>> files to the Tomcat webserver that allow for remote access over
>> the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war)
>> that appears to also be a java script remote file browser.
> 
> Could you send copies of those WAR files to
> security@tomcat.apache.org please.
> 
>> Even though , we followed all the security settings needed for 
>> the tomcat container.
> 
> You are running a 2 year old version of Tomcat 6.0.x with multiple
> known security vulnerabilities. There are several vulnerabilities
> that could have provided an attacker with the necessary foothold to
> start an attack.

+1

There are also plenty of ways that the attacker could have gotten
access to the system through other means, and then installed the WAR
file for an easier return.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: malware found the tomcat 6.0.29

Posted by Mark Thomas <ma...@apache.org>.
On 27/11/2012 07:21, Mohan Kumar G wrote:
> 
> We have found the malware installed on the tomcat version
> 6.0.29 on two of the servers.The both servers have a war file
> (Tomcatmanagxesaxsas.war) that installed several java script files to the
> Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
> an additional war file (Jeroy.war) that appears to also be a java script remote
> file browser.

Could you send copies of those WAR files to security@tomcat.apache.org
please.

> Even though , we followed all the security settings needed for
> the tomcat container.

You are running a 2-year-old version of Tomcat 6.0.x with multiple known
security vulnerabilities. There are several vulnerabilities that could
have provided an attacker with the necessary foothold to start an attack.


> The below steps are followed to secure the tomcat container:
> 
> 1) Removed the default examples under CATALINA_HOME/webapps
> like jsp-examples, servlet-examples, tomcat-docs, webdav

What about the manager and host-manager applications (a favourite route
for attackers if not correctly secured)?

> 2) Make sure the default servlet is configured not to server
> index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml

That is pretty low on the list of things to do and only of use if you
have directories with thousands of files (to prevent a DoS generating
the listings).

> 3) Context.xml :
> 
> <Context useHttpOnly="true">

Good.

> 4) server.xml :
> 
> In the server.xml for all the connector , we have added
> secure="true"

Do you understand what that does? It does not magically make things more
secure.

> 5) Make sure all the 
> sample user and role entries are commented out in the
> CATALINA_HOME/conf/tomcat-users.xml file

They are by default.


> Let us know if anything missing as part of security settings

The following list is for 7.0.x but most applies to 6.0.x as well:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

An upgrade to at least the latest 6.0.x release is highly recommended.

Also, check any functionality that allows a remote user to upload
content to the server. Make absolutely sure there is no way they can
upload files to the webapps directory.

Some additional questions:
- Anything interesting in the access log?
- Do you know how the attack was mounted?
- How did you detect the attack?

Mark
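
Mark's closing questions are the ones that turn this from a hardening discussion into an investigation, and the access log is the cheapest place to start. As an added example (not from the thread and not a Tomcat project tool), here is a Python scan over Tomcat's common-format access log (the AccessLogValve pattern="common" layout, %h %l %u %t "%r" %s %b) that pulls out what an intrusion of this shape leaves behind: repeated 401s against /manager from one address, a successful deploy through the manager interface (the Tomcat 6 text command /manager/deploy, the Tomcat 7 form /manager/text/deploy, or the HTML upload/deploy form), and any request to the two context names reported above. The log lines are constructed for the demonstration, the addresses are documentation ranges, and KNOWN_BAD_CONTEXTS encodes my assumption that those two names are never legitimately deployed.

```python
"""Scan a Tomcat common-format access log for manager abuse and webshell traffic (added example)."""
import re
from collections import Counter

# AccessLogValve pattern="common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Manager URLs that create or replace a context: Tomcat 6 text interface,
# Tomcat 7 text interface, and the HTML form's upload/deploy actions.
DEPLOY_RE = re.compile(r'^/manager/(?:text/)?deploy$|^/manager/html/(?:upload|deploy)$')
# Assumption: the contexts named in the report are never legitimately deployed here.
KNOWN_BAD_CONTEXTS = {"/Tomcatmanagxesaxsas", "/Jeroy"}
AUTH_FAILURE_THRESHOLD = 3  # 401s on /manager from one address before we call it guessing


def parse_line(line):
    """Return a dict for one log line, or None if it is not in common format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    parts = rec["path"].split("/")
    rec["context"] = "/" + parts[1] if len(parts) > 1 and parts[1] else "/"
    return rec


def scan(lines):
    """Collect successful manager deploys, hits on known-bad contexts and /manager 401 bursts."""
    deploys, hits, failures = [], {}, Counter()
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["context"] == "/manager" and rec["status"] == "401":
            failures[rec["ip"]] += 1
        if DEPLOY_RE.match(rec["path"]) and rec["status"].startswith("2"):
            deploys.append({"line": lineno, "ip": rec["ip"], "user": rec["user"],
                            "method": rec["method"], "target": rec["target"], "ts": rec["ts"]})
        if rec["context"] in KNOWN_BAD_CONTEXTS:
            hits.setdefault(rec["context"], []).append((lineno, rec["ip"], rec["method"], rec["path"]))
    brute = {ip: n for ip, n in failures.items() if n >= AUTH_FAILURE_THRESHOLD}
    return {"deploys": deploys, "webshell_hits": hits, "manager_auth_failures": brute}


# Constructed sample log: one benign request, then a manager password-guessing run,
# a deploy of the reported context, and the attacker using it.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Nov/2012:09:12:44 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 4410
198.51.100.7 - - [21/Nov/2012:02:13:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [21/Nov/2012:02:13:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [21/Nov/2012:02:13:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - tomcat [21/Nov/2012:02:13:05 +0000] "GET /manager/html HTTP/1.1" 200 17862
198.51.100.7 - tomcat [21/Nov/2012:02:13:40 +0000] "PUT /manager/deploy?path=/Tomcatmanagxesaxsas HTTP/1.1" 200 54
198.51.100.7 - - [21/Nov/2012:02:14:02 +0000] "GET /Tomcatmanagxesaxsas/ HTTP/1.1" 200 3318
198.51.100.7 - - [21/Nov/2012:02:15:17 +0000] "POST /Tomcatmanagxesaxsas/index.jsp HTTP/1.1" 200 1182
"""


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for d in result["deploys"]:
        print(f"line {d['line']}: {d['ip']} as {d['user']} did {d['method']} {d['target']} at {d['ts']}")
    for ctx, entries in result["webshell_hits"].items():
        print(f"{ctx}: {len(entries)} request(s), first at line {entries[0][0]} from {entries[0][1]}")
    for ip, n in result["manager_auth_failures"].items():
        print(f"{ip}: {n} x 401 on /manager")
```

Run it over the real log with the real context names and the deploy record gives you the address, the account and the timestamp that answer Mark's second question, while the 401 burst just before it tells you whether the manager credentials were guessed rather than stolen. A deploy that does not appear at all is the more worrying result: it means the WAR arrived by some other route (a writable webapps directory, an application upload feature, or host access), which is the case Chris describes.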
