FAQ
We have found the malware installed on the tomcat version
6.0.29 on two of the servers. Both servers have a war file
(Tomcatmanagxesaxsas.war) that installed several JavaScript files to the
Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
an additional war file (Jeroy.war) that appears to also be a JavaScript remote
file browser. Even though we followed all the security settings needed for
the tomcat container.

The steps below were followed to secure the tomcat container:

1) Removed the default examples under CATALINA_HOME/webapps
like jsp-examples, servlet-examples, tomcat-docs, webdav

2) Make sure the default servlet is configured not to serve
index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml:

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>  <!-- make sure this is false -->
</init-param>

3) context.xml:

HttpOnly configuration: Tomcat versions support the
HttpOnly [1] cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">

4) server.xml:

In the server.xml for all the connectors, we have added
secure="true"

5) Make sure all the
sample user and role entries are commented out in the
CATALINA_HOME/conf/tomcat-users.xml file

Let us know if anything is missing as part of the security settings.

Thanks,
Mohan
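As an added illustration (not part of Mohan's message and not code from the Tomcat project), the script below audits a CATALINA_HOME tree against the five steps in this checklist and returns a list of findings. It assumes the stock Tomcat 6 layout (webapps/, conf/web.xml, conf/context.xml, conf/server.xml, conf/tomcat-users.xml) and builds its own throwaway sample tree with deliberate weaknesses, so it runs offline. Two checks go a little beyond the list: manager and host-manager are reported separately because they control deployment, and a Connector carrying secure="true" without SSLEnabled="true" is flagged, because secure="true" only makes request.isSecure() return true (its purpose is a connector sitting behind a TLS-terminating proxy) and does not itself enable TLS. Anything in webapps that is not on an allowlist of expected applications is also reported, which is the check that would have caught the WAR files described above.

```python
"""Added example: audit a Tomcat 6 CATALINA_HOME tree against the five hardening steps above."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Sample/documentation apps that ship with Tomcat 6 and should be removed (step 1).
EXAMPLE_APPS = {"examples", "jsp-examples", "servlet-examples", "tomcat-docs", "docs", "webdav"}
# Apps that can deploy and undeploy code: report them so they are removed or locked down.
ADMIN_APPS = {"manager", "host-manager"}


def local(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}servlet'."""
    return tag.rsplit("}", 1)[-1]


def elements(root, name):
    """Yield every element in the tree whose local tag name equals `name`."""
    return (el for el in root.iter() if local(el.tag) == name)


def parse(home, conf_file):
    return ET.parse(os.path.join(home, "conf", conf_file)).getroot()


def audit_webapps(home, expected):
    """Step 1, plus the incident's lesson: anything not on the allowlist is suspect."""
    findings = []
    for name in sorted(os.listdir(os.path.join(home, "webapps"))):
        base = name[:-4] if name.endswith(".war") else name
        if base in EXAMPLE_APPS:
            findings.append(f"webapps: default app '{name}' still deployed, remove it")
        elif base in ADMIN_APPS:
            findings.append(f"webapps: '{name}' present, remove it or lock it down")
        elif base not in expected:
            findings.append(f"webapps: unexpected application '{name}', investigate")
    return findings


def audit_listings(home):
    """Step 2: the 'default' servlet must not have init-param listings=true."""
    for servlet in elements(parse(home, "web.xml"), "servlet"):
        name = next(((c.text or "").strip() for c in servlet if local(c.tag) == "servlet-name"), "")
        params = {}
        for p in elements(servlet, "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in p}
            params[kv.get("param-name")] = kv.get("param-value", "")
        if name == "default" and params.get("listings", "false").lower() == "true":
            return ["web.xml: default servlet has listings=true, set it to false"]
    return []


def audit_context(home):
    """Step 3: session cookies should carry the HttpOnly flag."""
    root = parse(home, "context.xml")
    return [] if root.get("useHttpOnly", "").lower() == "true" else ["context.xml: useHttpOnly is not true"]


def audit_connectors(home):
    """Step 4 caveat: secure="true" only makes request.isSecure() return true (meant for a
    connector behind a TLS-terminating proxy); it does not enable TLS, so flag it without SSLEnabled."""
    findings = []
    for conn in elements(parse(home, "server.xml"), "Connector"):
        if conn.get("secure", "").lower() == "true" and conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f'server.xml: connector {conn.get("port")} has secure="true" '
                            "without SSLEnabled; requests are only marked secure, not encrypted")
    return findings


def audit_users(home):
    """Step 5: commented-out entries never reach the parser, so any <user> seen here is live."""
    users = [u.get("username") for u in elements(parse(home, "tomcat-users.xml"), "user")]
    return [f"tomcat-users.xml: active user entries: {', '.join(users)}"] if users else []


def audit(home, expected=("ROOT",)):
    return (audit_webapps(home, set(expected)) + audit_listings(home) + audit_context(home)
            + audit_connectors(home) + audit_users(home))


def build_sample(home):
    """Constructed CATALINA_HOME with deliberate weaknesses; not any real server's configuration."""
    os.makedirs(os.path.join(home, "conf"))
    for app in ("ROOT", "docs", "manager"):
        os.makedirs(os.path.join(home, "webapps", app))
    open(os.path.join(home, "webapps", "unexpected.war"), "w").close()
    files = {
        "web.xml": '<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>'
                   "<servlet-name>default</servlet-name><init-param><param-name>listings"
                   "</param-name><param-value>true</param-value></init-param></servlet></web-app>",
        "context.xml": '<Context useHttpOnly="true"/>',
        "server.xml": '<Server><Service><Connector port="8080" protocol="HTTP/1.1" secure="true"/>'
                      '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
                      'scheme="https" secure="true"/></Service></Server>',
        "tomcat-users.xml": '<tomcat-users><!-- <user username="tomcat" password="tomcat" '
                            'roles="manager"/> --><user username="admin" password="changeme" '
                            'roles="manager"/></tomcat-users>',
    }
    for name, body in files.items():
        with open(os.path.join(home, "conf", name), "w") as fh:
            fh.write(body)


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        return audit(home)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it against a real installation is `audit("/path/to/catalina_home", expected=("ROOT", "yourapp"))`; the sample run reports the docs and manager apps, the unexpected WAR, listings=true, the plain-HTTP connector that claims secure="true", and the live admin user, while the 8443 connector with SSLEnabled and the HttpOnly setting pass.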


  • Mark Thomas at Nov 27, 2012 at 9:23 am

    On 27/11/2012 07:21, Mohan Kumar G wrote:
    > We have found the malware installed on the tomcat version
    > 6.0.29 on two of the servers. Both servers have a war file
    > (Tomcatmanagxesaxsas.war) that installed several JavaScript files to the
    > Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
    > an additional war file (Jeroy.war) that appears to also be a JavaScript remote
    > file browser.

    Could you send copies of those WAR files to security@tomcat.apache.org
    please.

    > Even though we followed all the security settings needed for
    > the tomcat container.

    You are running a 2 year old version of Tomcat 6.0.x with multiple known
    security vulnerabilities. There are several vulnerabilities that could
    have provided an attacker with the necessary foothold to start an attack.

    > The steps below were followed to secure the tomcat container:
    >
    > 1) Removed the default examples under CATALINA_HOME/webapps
    > like jsp-examples, servlet-examples, tomcat-docs, webdav

    What about the manager and host-manager applications (a favourite route
    for attackers if not correctly secured)?

    > 2) Make sure the default servlet is configured not to serve
    > index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml

    That is pretty low on the list of things to do and only of use if you
    have directories with thousands of files (to prevent a DoS generating
    the listings).

    > 3) context.xml:
    >
    > <Context useHttpOnly="true">

    Good.

    > 4) server.xml:
    >
    > In the server.xml for all the connectors, we have added
    > secure="true"

    Do you understand what that does? It does not magically make things more
    secure.

    > 5) Make sure all the
    > sample user and role entries are commented out in the
    > CATALINA_HOME/conf/tomcat-users.xml file

    They are by default.

    > Let us know if anything is missing as part of the security settings

    The following list is for 7.0.x but most applies to 6.0.x as well:
    http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

    An upgrade to at least the latest 6.0.x release is highly recommended.

    Also, check any functionality that allows a remote user to upload
    content to the server. Make absolutely sure there is no way they can
    upload files to the webapps directory.

    Some additional questions:
    - Anything interesting in the access log?
    - Do you know how the attack was mounted?
    - How did you detect the attack?

    Mark

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
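Mark's questions about the access log are the starting point for the kind of triage shown below. This is an added example, not code from the thread or from the Tomcat project. It parses lines written in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), counts failed logins against the manager and host-manager applications per client address, flags successful POST/PUT requests to those applications (the shape a deployment through the manager would leave behind), flags PUT requests anywhere, and reports any 2xx/3xx response served by a context that is not on an allowlist of the applications you know you deployed. The log lines, client addresses and the /unexpected context are constructed for the demonstration.

```python
"""Added example: triage Tomcat access-log lines for signs of an unauthorised deployment."""
import re
from collections import Counter

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Contexts that can deploy code; every request to them is worth a look.
ADMIN_CONTEXTS = {"/manager", "/host-manager"}

# Constructed sample log (addresses, times and the /unexpected context are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2012:22:41:07 +0000] "GET /app/login.jsp HTTP/1.1" 200 1234
203.0.113.7 - - [26/Nov/2012:23:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [26/Nov/2012:23:02:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [26/Nov/2012:23:02:15 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [26/Nov/2012:23:02:40 +0000] "GET /manager/html HTTP/1.1" 200 18233
203.0.113.7 - tomcat [26/Nov/2012:23:03:02 +0000] "POST /manager/html/upload HTTP/1.1" 200 19011
203.0.113.7 - - [26/Nov/2012:23:03:30 +0000] "GET /unexpected/browse.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [26/Nov/2012:23:10:00 +0000] "GET /favicon.ico HTTP/1.1" 404 -
this line is deliberately malformed
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # First path segment without the query string: "/manager/html" -> "/manager", "/" -> "/"
    rec["context"] = "/" + rec["path"].split("?", 1)[0].lstrip("/").split("/", 1)[0]
    return rec


def triage(lines, known_contexts, auth_fail_threshold=3):
    """Return (reason, detail) pairs for lines that deserve an analyst's attention."""
    findings = []
    failed_admin_logins = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable line", line.strip()))
            continue
        detail = f'{rec["host"]} {rec["method"]} {rec["path"]} -> {rec["status"]}'
        if rec["context"] in ADMIN_CONTEXTS:
            if rec["status"] == 401:
                failed_admin_logins[rec["host"]] += 1
            elif rec["method"] in ("POST", "PUT") and rec["status"] == 200:
                findings.append(("successful write to admin app, check for a new deployment", detail))
            else:
                findings.append(("admin app accessed", detail))
        elif rec["method"] == "PUT":
            findings.append(("PUT request", detail))
        elif rec["context"] not in known_contexts and rec["status"] < 400:
            findings.append(("served by a context that is not on the allowlist", detail))
    for host, n in failed_admin_logins.items():
        if n >= auth_fail_threshold:
            findings.append((f"{n} failed admin-app logins", host))
    return findings


def run_demo():
    """Triage the constructed sample with "/" and "/app" as the only approved contexts."""
    return triage(SAMPLE_LOG.splitlines(), {"/", "/app"})


if __name__ == "__main__":
    for reason, detail in run_demo():
        print(f"{reason}: {detail}")
```

On a real host, pass `open("logs/localhost_access_log.2012-11-26.txt")` as `lines` and the contexts you actually deployed as `known_contexts`; a 200 from a context that is not on that list is direct evidence that something was deployed without you, which is exactly what the two WAR files in this thread would have produced.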
  • Christopher Schultz at Nov 27, 2012 at 11:04 pm

    Mark,

    On 11/27/12 4:23 AM, Mark Thomas wrote:
    > On 27/11/2012 07:21, Mohan Kumar G wrote:
    >> We have found the malware installed on the tomcat version 6.0.29
    >> on two of the servers. Both servers have a war file
    >> (Tomcatmanagxesaxsas.war) that installed several JavaScript
    >> files to the Tomcat webserver that allow for remote access over
    >> the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war)
    >> that appears to also be a JavaScript remote file browser.
    >
    > Could you send copies of those WAR files to
    > security@tomcat.apache.org please.
    >
    >> Even though we followed all the security settings needed for
    >> the tomcat container.
    >
    > You are running a 2 year old version of Tomcat 6.0.x with multiple
    > known security vulnerabilities. There are several vulnerabilities
    > that could have provided an attacker with the necessary foothold to
    > start an attack.

    +1

    There are also plenty of ways that the attacker could have gotten
    access to the system through other means, and then installed the WAR
    file for an easier return.

    -chris


Discussion Overview
group: users @ tomcat.apache.org
categories: tomcat
posted: Nov 27, '12 at 7:22a
active: Nov 27, '12 at 11:04p
posts: 3
users: 3
website: tomcat.apache.org
irc: #tomcat
