Java-Monitor Forum > News and Announcements > Java Security Advisories » Best not use Tomcat's manager application
Old 05-10-2008, 13:45
kjkoster
Forum Operator
Join Date: Jul 2008
Posts: 1,195
Best not use Tomcat's manager application

Dear All,

It seems that there is malware out there that specifically targets the Tomcat manager application. It brute forces the admin password and uploads a malware package.

Tomcat is not vulnerable out of the box. You are only vulnerable if you enabled Tomcat's manager application.

Please find more information on this issue in this post by Mark Thomas on the Tomcat users list.

On that same list is a post by David Tyler, suggesting that "there are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell".

You can check for infection by inspecting the webapps folder to see if there are any webapps there that you did not install yourself. Most likely they are named something like "fex*.war".

I second Mark's advice to uninstall web applications you don't need (admin, manager, host-manager, examples, webdav, etc.).

Kees Jan
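As an added example (not code from the original post, nor anything shipped with Tomcat), here is a POSIX shell function that performs the check Kees Jan describes: it walks a Tomcat webapps directory, reports every deployment that is not on an allow-list of applications you installed yourself, and marks names that match the fex* pattern named on the Tomcat users list. The webapps path and the allow-list contents are placeholders you supply.

```shell
#!/bin/sh
# Audit a Tomcat webapps directory for deployments you did not install.
# Assumptions: $CATALINA_BASE/webapps layout; the directory path and the
# allow-list passed in are placeholders for your own environment.

# check_tomcat_webapps DIR "name1 name2 ..."
# Prints one line per unexpected deployment. Names matching fex* (the
# variants reported on the Tomcat users list) are flagged as SUSPECT.
# Returns 1 if anything unexpected was found, 0 if the directory is clean.
check_tomcat_webapps() {
    webapps_dir="$1"     # e.g. /opt/tomcat/webapps (placeholder)
    allowed="$2"         # space-separated names, e.g. "ROOT myshop"
    unexpected=0
    for entry in "$webapps_dir"/*; do
        [ -e "$entry" ] || continue       # empty directory: glob did not match
        name=$(basename "$entry")
        base="${name%.war}"               # foo.war and its exploded foo/ are one app
        found=0
        for ok in $allowed; do
            [ "$base" = "$ok" ] && found=1 && break
        done
        [ "$found" -eq 1 ] && continue
        case "$base" in
            fex*) echo "SUSPECT (matches fex* pattern): $name" ;;
            *)    echo "UNEXPECTED deployment: $name" ;;
        esac
        unexpected=1
    done
    return "$unexpected"
}

# Usage (placeholder path), after removing the manager application:
#   check_tomcat_webapps /opt/tomcat/webapps "ROOT myshop"
```

A non-zero exit status makes the function usable from a cron job or monitoring check; anything it lists that you do not recognise deserves the same treatment as the fex* files, not a rename.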
Old 05-10-2008, 20:40
Kees de Kooter
Join Date: Jul 2008
Location: Rotterdam
Posts: 219

I would like to add a solution not mentioned in Mark Thomas' post.

Put apache + mod_proxy in front of tomcat, proxy only the apps you want to be publicly accessible, close the port tomcat is running on (default is 8080) for the outside world.

This way you still use the management app behind the firewall and the attackers will not be able to reach it.

My 2c