Thanks for figuring this out and posting the info.

I checked my server log and found that just this morning some computer
in China tried to poke at the manager app on my server. So it seems
that it wasn't an isolated incident, there's someone out there trying
to exploit Tomcat's manager app. Caveat administrator!
-- 
Len

On Sun, Aug 10, 2008 at 14:12, Mark Thomas <[EMAIL PROTECTED]> wrote:
> Folks,
>
> Just a short note to let you know that Warren and I have been working this
> off-list and have identified how this attack was launched.
>
> I'd like to take this opportunity to publicly thank Warren for taking the
> time to work with me on this when he had a lot more important things to do
> than answer my questions.
>
> The manager application was installed with a user name and password that the
> attackers were able to brute force. Once they had access to the manager
> application they were able to install their own web application that allowed
> them wider access to the box.
>
> This isn't the first report of a rogue application that we have seen on the
> Tomcat security list. Where we have had sufficient detail to trace how the
> application was installed, it has always been via an existing management
> tool.
>
> Therefore, I would like to take the opportunity to remind users to ensure
> that any potentially user accessible administration interface is suitably
> secured. The following isn't an exhaustive list but things to consider
> include:
> - don't use standard user names for administrative users
> - do use strong passwords, especially for administrative users
> - uninstall web applications you don't need (admin, manager, host-manager,
> examples, webdav, etc)
> - use Remote Host/Address filters to limit access to administrative
> applications
> - enable access logging so if something does go wrong you have some
> information to work with
> - regularly review your access logs for evidence of potential attacks
> - run Tomcat as a dedicated user with the minimum privileges possible
>
> Finally, a small advert. I am presenting a session on Tomcat security at
> ApacheCon in November that will cover the above and a whole lot more.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

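As an added example (not part of either message above, and not Tomcat's shipped configuration), the fragments below show how the hardening items in Mark's list map onto Tomcat 6 configuration files. The user name `ops-deploy`, the password placeholder and the 10.0.5.x administrative subnet are assumptions for illustration; paths are relative to $CATALINA_BASE.

```xml
<!-- conf/tomcat-users.xml: a non-standard administrative user name and a
     strong password. "manager" is the role the Tomcat 6 manager application
     checks for; the user name and password below are constructed examples. -->
<tomcat-users>
  <role rolename="manager"/>
  <!-- avoid "admin", "tomcat", "manager" and similar guessable user names -->
  <user username="ops-deploy"
        password="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
        roles="manager"/>
</tomcat-users>

<!-- conf/Catalina/localhost/manager.xml: limit the manager application to
     the loopback address and one administrative subnet (assumed 10.0.5.0/24).
     In Tomcat 6 "allow" is a comma-separated list of regular expressions
     matched against the client IP address; anything not matched gets 403. -->
<Context path="/manager" docBase="${catalina.home}/webapps/manager"
         privileged="true" antiResourceLocking="false">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.0\.5\.\d+"/>
</Context>

<!-- conf/server.xml, inside the <Host> element: access logging in the
     "common" format, so repeated 401 responses for /manager from one client
     address (a brute-force attempt) are visible when reviewing the logs. -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log." suffix=".txt"
       pattern="common" resolveHosts="false"/>
```

In Tomcat 7 and later the `allow` attribute is a single regular expression, so the two patterns would be joined with `|` instead of a comma. The remaining items in the list are not configuration: delete the directories under `webapps/` you do not need (examples, docs, host-manager, and manager itself if nobody deploys through it) and start Tomcat under a dedicated unprivileged account.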