Others with more experience with the manager's inner workings can chime in, but I don't think it can execute commands on the system -- at least not with the default build from Apache. Its magic occurs entirely via Java code.

Some other vectors of possible attack include the CGI library if it's enabled (see http://tomcat.apache.org/tomcat-5.5-doc/cgi-howto.html) and any place in the web app code that uses Runtime.exec() to access commands in the system. If the URL isn't adequately parsed in either method, arbitrary code execution might occur.

Anyone else have some thoughts on this?

--David

hv @ Fashion Content wrote:

I would assume a compromised password as well, but am I fair in assuming that the break-in was via a manager login?

The odd thing (in my mind at least) was that a shell was executed as a child process of Tomcat and then the port scanner under that... but I don't see any new web-apps being installed.


"David Smith" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
It's possible (anything is possible), but not likely with a default install. I would look at all the services running on that server. If you focus on your Tomcat server to the detriment of other services, you will miss critical forensic evidence. The tomcat user account may have just had a weaker password or been the victim of chance. Some things to consider: Do you or any of your users use the tomcat credentials over the network (via fileshare, ftp, weblogin, etc., ...)? Is the connection used in such login encrypted? Also, what other services will accept the tomcat user account as a valid login?

Lastly, most servers can be configured not to accept certain account logins over the network. This may be a way to improve your security for the future. Tomcat by default does not use its credentials over the network. It just uses those credentials to run itself and access files on the local system.

--David

hv @ Fashion Content wrote:

I had an incident on my server the other day where someone had successfully broken into the server to execute a port scanner.

The port scanner was running under the Tomcat process, so I assume the break-in was done by getting through the Tomcat manager app.

At first I feared that I had made a blunder and left the standard tomcat user as manager, but that wasn't the case. Actually, while the UserDatabase is defined in the setup, it isn't used, as I use a JNDIRealm pointing to OpenLDAP where only one manager account is defined.

So did they just use brute force, or might there be another way they could have gotten in?

Henrik
http://www.blingon.com



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
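David's reply above suggests two things to audit on a Tomcat 5.5 box after an incident like Henrik's: whether the CGI servlet has been enabled in conf/web.xml, and where deployed web-app code hands request input to Runtime.exec() or ProcessBuilder. The script below is an added example written for this thread, not code from the list or from the Tomcat project; it assumes the standard CATALINA_HOME layout (conf/web.xml, webapps/) and the servlet class name org.apache.catalina.servlets.CGIServlet, and the web.xml and JSP samples in it are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"  # shipped commented out in conf/web.xml
EXEC_PATTERN = re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|\bnew\s+ProcessBuilder\b")

def _local(tag):
    return tag.split("}")[-1]  # drop the j2ee namespace ElementTree prefixes onto tags

def cgi_servlet_enabled(web_xml):
    """True if web.xml declares the CGI servlet AND maps it to a URL pattern.
    XML comments are invisible to the parser, so the default commented-out stanza gives False."""
    root = ET.fromstring(web_xml)
    names = set()
    for el in root.iter():
        if _local(el.tag) == "servlet":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("servlet-class") == CGI_SERVLET_CLASS:
                names.add(fields.get("servlet-name"))
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("servlet-name") in names:
                return True
    return False

def find_exec_calls(sources):
    """sources: {path: text}. Each hit hands a string to the OS; review how request input reaches it."""
    hits = []
    for path, text in sorted(sources.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if EXEC_PATTERN.search(line):
                hits.append((path, n))
    return hits

def audit(catalina_home):
    home = Path(catalina_home)  # assumed layout: conf/web.xml and webapps/ under CATALINA_HOME
    srcs = {str(p.relative_to(home)): p.read_text(errors="replace")
            for p in home.glob("webapps/**/*") if p.suffix in {".java", ".jsp", ".jspx"}}
    return cgi_servlet_enabled((home / "conf" / "web.xml").read_text()), find_exec_calls(srcs)

# Constructed samples: the first keeps the stanza commented out as shipped, the second enables it.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <!-- <servlet><servlet-name>cgi</servlet-name>
       <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
  <!-- <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping> -->
</web-app>"""
ENABLED_WEB_XML = DEFAULT_WEB_XML.replace("<!-- ", "").replace(" -->", "")
SAMPLE_JSP = {"ROOT/ping.jsp": '<% Runtime.getRuntime().exec("ping " + request.getParameter("host")); %>'}
```

Running `audit("/path/to/tomcat")` returns the CGI flag and the list of exec call sites; a hit is not proof of a hole, only the place where the URL-parsing question David raises has to be answered.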