I encountered this in September 2008.  Here is what I have found:

1)  There are several variants such as: fexcep OR fexcepkillshell OR 
fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell

2)  It appears to be distributed using an automated scanner that looks for the 
manager app running on Tomcat port 8080 with the default password still intact: 
admin / admin

3)  The code deploys a webapp to Tomcat that:
a)  Checks if the OS is Windows.  If not, it terminates.
b)  If it is Windows... then some variants immediately download and execute a 
binary from one of several possible servers.  The binary presumably contains 
further malware.
c)  Other variants apparently wait to be invoked again by an external host that 
will provide the URL of a binary to download and execute.

THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP 
PASSWORD.  Or you could delete the manager webapp.

The manager username / password is set in: tomcat/conf/tomcat-users.xml
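As an added example (not part of the original post), here is a small Python check a defender can run against tomcat/conf/tomcat-users.xml to flag manager-capable accounts still carrying the admin/admin default, an empty password, or a password equal to the username. The default-credential list and the role prefix are assumptions for the check, and the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Roles that can reach the manager app. "manager" is the role name of the
# Tomcat 5.5/6 era this post describes; later releases split it into
# manager-gui, manager-script, manager-jmx and manager-status (assumed).
MANAGER_ROLE_PREFIX = "manager"

# admin/admin is the pair the scanner in the post tries; the others are
# well-known shipped defaults (assumed list, extend for your site).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", "")}


def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for users who can deploy webapps through
    the manager app and whose plaintext password is weak or a default."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        # Tomcat 5+ writes username=; Tomcat 4 used name=
        username = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if not any(r.startswith(MANAGER_ROLE_PREFIX) for r in roles):
            continue  # no manager role: cannot deploy a webapp this way
        if (username, password) in DEFAULT_CREDENTIALS:
            findings.append((username, "shipped default credentials"))
        elif password == "":
            findings.append((username, "empty password"))
        elif password.lower() == username.lower():
            findings.append((username, "password equals username"))
    return findings


# Constructed sample in the shape of tomcat/conf/tomcat-users.xml
SAMPLE = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="manager,admin"/>
  <user username="deployer" password="Xk9#vQ2pLm" roles="manager"/>
  <user username="app" password="app" roles="tomcat"/>
</tomcat-users>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, reason in audit_tomcat_users(text):
        print(f"manager-capable user {name!r}: {reason}")
```

The check only sees plaintext passwords; if the realm is configured to store digested passwords, the username-equality test will not fire and the default list should be replaced with the corresponding digests.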

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org