Dear All,
It seems that there is malware out there that specifically targets the Tomcat manager application. It brute forces the admin password and uploads a malware package.
Tomcat is not vulnerable out of the box. You are only vulnerable if you enabled Tomcat's manager application.
Please find more information on this issue in this post by Mark Thomas on the Tomcat users list.
On that same list is a post by David Tyler, suggesting that "there are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell".
You can check for infection by inspecting the webapps folder to see if there are any webapps there that you did not install yourself. Most likely they are named something like "fex*.war".
I second Mark's advice to uninstall web applications you don't need (admin, manager, host-manager, examples, webdav, etc.).
Kees Jan
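
The check described above (webapps you did not install yourself, names like "fex*.war", leftover stock applications), written out as an added example that is not part of the original post. The allowlist argument, the status labels and the example path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Tomcat webapps folder.
# Usage: sh audit_webapps.sh /path/to/tomcat/webapps "ROOT myapp"
# The second argument is the list of apps you installed yourself (assumption:
# names without spaces). One finding is printed per line:
#   SUSPECT <entry>  name starts with "fex", like the variants quoted above
#   UNKNOWN <entry>  not in your list and not a stock Tomcat application
#   STOCK <entry>    stock application that is not in your list
# Returns 1 if anything SUSPECT or UNKNOWN was found, otherwise 0.
audit_webapps() {
    dir=$1
    allow=" $2 "
    stock=" admin manager host-manager examples webdav "
    rc=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue      # empty folder: the glob matched nothing
        name=${entry##*/}
        app=${name%.war}                 # foo.war and the unpacked foo/ are one app
        lower=$(printf '%s' "$app" | tr '[:upper:]' '[:lower:]')
        case $lower in
            fex*) echo "SUSPECT $name"; rc=1; continue ;;
        esac
        case $allow in
            *" $app "*) continue ;;      # you installed this one yourself
        esac
        case $stock in
            *" $app "*) echo "STOCK $name" ;;
            *)          echo "UNKNOWN $name"; rc=1 ;;
        esac
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_webapps "$@"
fi
```

A SUSPECT line is a match on the name only, so confirm it against what you actually deployed before removing anything.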