kjkoster
05-10-2008, 13:45
Dear All,
It seems that there is malware out there that specifically targets the Tomcat manager application. It brute forces the admin password and uploads a malware package.
Tomcat is not vulnerable out of the box. You are only vulnerable if you enabled Tomcat's manager application.
Please find more information on this issue in this post by Mark Thomas on the Tomcat users list (http://markmail.org/message/jrqw75yw3d3xh3p6).
On that same list is a post by David Tyler, suggesting that "there are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell".
You can check for infection by inspecting the webapps folder to see if there are any webapps there that you did not install yourself. Most likely they are named something like "fex*.war".
I second Mark's advise to uninstall web applications you don't need (admin, manager, host-manager, examples, webdav, etc).
Kees Jan
It seems that there is malware out there that specifically targets the Tomcat manager application. It brute forces the admin password and uploads a malware package.
Tomcat is not vulnerable out of the box. You are only vulnerable if you enabled Tomcat's manager application.
Please find more information on this issue in this post by Mark Thomas on the Tomcat users list (http://markmail.org/message/jrqw75yw3d3xh3p6).
On that same list is a post by David Tyler, suggesting that "there are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell".
You can check for infection by inspecting the webapps folder to see if there are any webapps there that you did not install yourself. Most likely they are named something like "fex*.war".
I second Mark's advise to uninstall web applications you don't need (admin, manager, host-manager, examples, webdav, etc).
Kees Jan