I am going to guess that it is one of these two known vulnerabilities:
CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
The JSONDeserializer of Flexjson allows the instantiation of arbitrary
classes and the invocation of arbitrary setter methods.
CST-7205: Unauthenticated Remote code execution via JSONWS
(LPS-97029/CVE-2020-7961)
The JSONWebServiceActionParametersMap of Liferay Portal allows the
instantiation of arbitrary classes and invocation of arbitrary setter
methods.
Found the signature in the logs and it's pretty clear that that is what
we are up against. However, if something else comes to mind, feel free
to post back. I did come across a couple of other posts where the OP
said there was nothing but Tomcat and they also ended up with the miner.
I have some updating to do....
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek
On 6/17/2020 2:21 PM, Pete Helgren wrote:
I have a situation where I have had "Kinsing" crypto-mining software
get installed twice on a VM that runs Liferay and Tomcat. Based on
what I have read about this crypto-miner, it seems to target Linux VMs
running Docker images and/or an open redis port. I have none of that
on this VM.
The VM is running CentOS 8.  The tomcat version I am running is
8.0.32, java openjdk version "1.8.0_252" OpenJDK Runtime Environment
(build 1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09,
mixed mode). It is hosting Liferay 7.0.4 GA5.
The VM running Tomcat/Liferay is served through reverse proxy
listening on port 443 and passes traffic back to the Tomcat instance
listening on 7080. The VM has ONLY ports 7080, 7009, and 7005 open
(firewalld). I am trying to sort out how the crypto miner has
installed itself. Originally, I had a CentOS 7 VM but after the
first episode, I started from scratch, locked down the VM and
re-installed the Liferay bundle with Tomcat 8.0.32. After about 2
weeks, the miner was back. I can't figure out how it is installing
itself. I read through the CVE's on this version of Tomcat and
nothing jumped out at me. We don't use JMX or AJP. It's just Tomcat
with Liferay.
I am starting here since it's only the TC port that is open and yes,
it's possible that Liferay may have a vulnerability. I just need
ideas on where to start looking. I am going to try to jump to the
latest Liferay/Tomcat bundle but it isn't an easy upgrade and may take
a bit....
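Since the thread ends up at "found the signature in the logs", here is an added example (not from this thread, Liferay or Tomcat) of what that check can look like when automated: a small Python scanner over Tomcat access-log lines in the default "common" pattern that flags calls to the JSON web service endpoint which either come from an address outside a trusted set or carry a fully qualified Java class name in a request parameter, the common tell of both advisories quoted above (attacker-chosen class instantiation). Assumptions: the endpoint lives at `/api/jsonws` (Liferay's default), the trusted-host set and the log lines are constructed for the example, and the class-name regex is a heuristic, not an official signature.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumption: Liferay's JSON web service endpoint is served at its default path.
JSONWS_PREFIX = "/api/jsonws"

# Heuristic for a fully qualified Java class name (e.g. com.example.Gadget):
# two or more lowercase package segments followed by a capitalised class name.
FQCN_RE = re.compile(r'\b(?:[a-z][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_$]*\b')


@dataclass
class Finding:
    host: str
    time: str
    target: str
    reasons: list


def analyse_line(line, trusted_hosts=frozenset()):
    """Return a Finding for a suspicious JSONWS request, or None."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None  # not a line in the expected access-log pattern
    target = m.group("target")
    split = urlsplit(target)
    if not split.path.startswith(JSONWS_PREFIX):
        return None  # only the JSON web service endpoint is of interest here
    reasons = []
    if m.group("host") not in trusted_hosts:
        reasons.append("JSONWS call from an untrusted source address")
    # parse_qsl percent-decodes keys and values, so encoded class names become visible.
    for key, value in parse_qsl(split.query, keep_blank_values=True):
        if FQCN_RE.search(key) or FQCN_RE.search(value):
            reasons.append(f"class name in parameter {key!r}")
            break
    if not reasons:
        return None
    return Finding(m.group("host"), m.group("time"), target, reasons)


def scan(lines, trusted_hosts=frozenset()):
    """Run analyse_line over an iterable of log lines and collect the findings."""
    return [f for f in (analyse_line(l, trusted_hosts) for l in lines) if f]


# Constructed sample log lines (not from a real server): a trusted internal caller,
# an external caller passing a class name, an external caller without one, and a
# normal page view that the scanner should ignore.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2020:14:21:03 -0600] "GET /api/jsonws/user/get-current-user HTTP/1.1" 200 512
203.0.113.7 - - [17/Jun/2020:14:22:41 -0600] "POST /api/jsonws/example/do-thing?arg=com.example.Gadget&n=1 HTTP/1.1" 500 0
203.0.113.8 - - [17/Jun/2020:14:22:59 -0600] "GET /api/jsonws/user/get-current-user HTTP/1.1" 403 0
198.51.100.9 - - [17/Jun/2020:14:23:10 -0600] "GET /web/guest/home HTTP/1.1" 200 9201
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines(), trusted_hosts=frozenset({"10.0.0.5"})):
        print(finding.time, finding.host, finding.target)
        for reason in finding.reasons:
            print("   -", reason)
```

Point it at the real access log (`python scanner.py < localhost_access_log.*.txt` after swapping `SAMPLE_LOG` for `sys.stdin`) and populate `trusted_hosts` with the reverse proxy and any internal integrations; on a setup like the one described, where only the proxy should ever reach port 7080, any JSONWS hit from another address is worth a look even without a class name in it.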