Others with more experience with the manager's inner workings can chime
in, but I don't think it can execute commands on the system -- at least
not with the default build from Apache. Its magic occurs entirely via
Java code.
Some other vectors of possible attack include the CGI library if it's
enabled (see http://tomcat.apache.org/tomcat-5.5-doc/cgi-howto.html) and
any place in the web app code that uses Runtime.exec() to access
commands in the system. If the URL isn't adequately parsed in either
method, arbitrary code execution might occur.
Anyone else have some thoughts on this?
--David
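To illustrate the Runtime.exec() vector David mentions, here is an added example (not code from the thread or from Tomcat) of a hypothetical servlet shown both in the vulnerable shape and in a hardened shape. The servlet name, the "report" parameter, the /opt/tools/mkreport path and the allowlist are all constructed for illustration; it assumes the javax.servlet API and Java 9 or later.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the "report" request parameter names a report that
// the server generates by running a local tool (path constructed for illustration).
public class ReportServlet extends HttpServlet {

    // Allowlist of the only report names the application will ever generate.
    private static final Set<String> ALLOWED = Set.of("daily", "weekly", "monthly");

    // Vulnerable: the raw parameter is spliced into a shell command line, so
    // /bin/sh interprets whatever the client sent. This is exactly the pattern
    // that leaves a shell running as a child of the Tomcat process.
    private Process runUnsafe(String report) throws IOException {
        String cmd = "/opt/tools/mkreport " + report;
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", cmd});
    }

    // Hardened: reject anything not on the allowlist, then pass the value as a
    // separate argv element with no shell involved. The parameter can only ever
    // be an argument to mkreport; it cannot change which program runs.
    private Process runSafe(String report) throws IOException {
        if (report == null || !ALLOWED.contains(report)) {
            throw new IllegalArgumentException("unknown report: " + report);
        }
        ProcessBuilder pb = new ProcessBuilder("/opt/tools/mkreport", report);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String report = req.getParameter("report");
        try {
            Process p = runSafe(report);  // never runUnsafe(report)
            p.getInputStream().transferTo(resp.getOutputStream());
            p.waitFor();
        } catch (IllegalArgumentException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid report name");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ServletException(e);
        }
    }
}
```

Because the hardened form never spawns /bin/sh, a shell appearing as a child of the Tomcat process, as Henrik observed, is itself a useful detection signal rather than something the application would produce in normal operation.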
hv @ Fashion Content wrote:
I would assume a compromised password as well, but am I fair in assuming
that the breakin was via a manager login.
The odd thing (in my mind at least) was that a shell was executed as a child
process of tomcat and then the port scanner under that... but I don't see any
new web-apps being installed.
"David Smith" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
It's possible (anything is possible), but not likely with a default
install. I would look at all the services running on that server. If you
focus on your tomcat server to the detriment of other services, you will
miss critical forensic evidence. The tomcat user account may have just
had a weaker password or been the victim of chance.
Some things to consider: Do you or any of your users use the tomcat
credentials over the network (via fileshare, ftp, weblogin, etc., ...)?
Is the connection used in such login encrypted?
Also, what other services will accept the tomcat user account as a valid
login?
Lastly, most servers can be configured not to accept certain account
logins over the network. This may be a way to improve your security for
the future. Tomcat by default does not use its credentials over the
network. It just uses those credentials to run itself and access files on
the local system.
--David
hv @ Fashion Content wrote:
I had an incident on my server the other day where someone had successfully
broken into the server to execute a port scanner.
The port scanner was running under the tomcat process so I assume the
breakin was done by getting through the Tomcat manager app.
At first I feared that I had made a blunder and left the standard tomcat
user as manager, but that wasn't the case. Actually while the UserDatabase
is defined in the setup it isn't used as I use a JNDIRealm pointing to
OpenLDAP where only one manager account is defined.
So did they just use brute force, or might there be another way they could
have gotten in?
Henrik
http://www.blingon.com
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]