Mark,

On 11/27/12 4:23 AM, Mark Thomas wrote:
> On 27/11/2012 07:21, Mohan Kumar G wrote:
>>
>> We have found the malware installed on the tomcat version 6.0.29
>> on two of the servers. Both servers have a war file
>> (Tomcatmanagxesaxsas.war) that installed several java script
>> files to the Tomcat webserver that allow for remote access over
>> the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war)
>> that appears to also be a java script remote file browser.
>
> Could you send copies of those WAR files to
> secur...@tomcat.apache.org please.
>
>> Even though, we followed all the security settings needed for
>> the tomcat container.
>
> You are running a 2 year old version of Tomcat 6.0.x with multiple
> known security vulnerabilities. There are several vulnerabilities
> that could have provided an attacker with the necessary foothold to
> start an attack.

+1

There are also plenty of ways that the attacker could have gotten access to the system through other means, and then installed the WAR file for an easier return.

-chris