Tomcat under attack, manager password exploited, trojan deployed

There's an Apache Tomcat I'm managing that's in the wild (internet).

Saturday evening it was under attack.

I use Tomcat's manager console to drop applications from time to time and I had it's password pretty simple. Within this console a new java web application may be installed.
What's even worse is that that Tomcat instance was running with pretty high privileges.

It was a test machine, only a few guys knew the address.

So using this console a trojan was inserted. The admin password was changed. This trojan might have succeeded if it weren't for the antivirus that got the trojan on time (yes, it was a windows machine).
The trojan is called TROJ_DELF.BDG and it was deployed in webapps/fexshell/init.exe

Now the tomcat is running with pretty low privileges, the port is not so obvious, and the manager password is changed.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.