If you're like me, you use Tomcat to develop applications alongside Apache, PHP and other open source tools. If so, please take this advice and apply it right now!
“Stop Tomcat and edit the tomcat-users.xml file in Tomcat's ./conf directory: delete any users you don't use and change the admin username and password.”
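To make that check repeatable, here is a small audit script (added here as an example; it is not from the original post or from the Tomcat project) that reads a tomcat-users.xml and flags stock example accounts, default or short passwords, and which of those accounts can reach the manager application. The sample file, the list of stock names and passwords, and the 12-character minimum are assumptions for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock Tomcat 5.5 tomcat-users.xml plus an
# admin account left at a guessable password (all values are made up here).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="admin" password="admin" roles="manager"/>
  <user username="deployer" password="Vq7#pL2x!e9Zs4" roles="manager"/>
</tomcat-users>
"""

# Roles that unlock the manager webapp: "manager" in Tomcat 5.5/6, the split
# roles from Tomcat 7 on. Stock example names and passwords are what an
# automated scanner tries first (assumed lists for this example).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx", "manager-status"}
STOCK_USERNAMES = {"tomcat", "role1", "both", "admin", "manager"}
STOCK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret"}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat requirement

def local_name(tag):
    """Strip an XML namespace prefix; newer Tomcat files declare a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for accounts that should be removed or changed."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        manager = " (can deploy via manager)" if roles & MANAGER_ROLES else ""
        if name in STOCK_USERNAMES:
            findings.append((name, "stock example username; delete or rename" + manager))
        if password in STOCK_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "default or short password; change it" + manager))
    return findings

if __name__ == "__main__":
    # Usage: python audit_tomcat_users.py [path/to/conf/tomcat-users.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    for user, finding in audit_tomcat_users(text) or [("-", "no findings")]:
        print(f"{user}: {finding}")
```

Run it against your own ./conf/tomcat-users.xml with Tomcat stopped, then remove or rename every flagged account before starting it again.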
It is simple to install and get running on my laptop, and I never intended to use my development machine for anything but testing, never production. Of course, I needed to open some ports to test from outside the firewall. Oops. Bad idea.
Since about July, someone from an IP located in China has been exploiting the Tomcat manager application. This morning I was hit at 8:12am. Apparently this is an automated tool: it scans for activity on port 8080, then attempts to log into the manager and deposit a nice little WAR file called fexshell.war, and of course Tomcat deploys the application straight away. Looking around, others are starting to take note: see David Tyler's post. Then there are these articles about Chinese hackers:
http://www.cnn.com/2008/TECH/03/07/china.hackers/index.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078778
Why is it okay for these guys to be able to continue getting access to our Internet?
Another article, from the 4x Security Team: http://4xsecurityteam.blogspot.com/2008/08/exploit-code-published-for-apache.html
Apparently, there is a need to upgrade from Tomcat 5.5 to 6.x.
After some more research, I found an interesting site; you can find the link on your own: darkmindz.com.
They provide articles about serious exploits and examples of the exploit. Even though the site does link to known “bad sites”, the site is safe, as far as I can tell.
Good luck, and be careful out there.