We have found the malware installed on Tomcat version 6.0.29 on two of the servers. Both servers have a war file (Tomcatmanagxesaxsas.war) that installed several JavaScript files to the Tomcat web server that allow for remote access over the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war) that appears to also be a JavaScript remote file browser. This happened even though we followed all the security settings needed for the Tomcat container.

The following steps were followed to secure the Tomcat container:

1) Removed the default examples under CATALINA_HOME/webapps like jsp-examples, servlet-examples, tomcat-docs, webdav

2) Make sure the default servlet is configured not to serve index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml:

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>  <!-- make sure this is false -->
</init-param>

3) context.xml:

HttpOnly configuration: Tomcat versions support the HttpOnly [1] cookie option. This is configured in the conf/context.xml file:

<Context useHttpOnly="true">

4) server.xml:

In server.xml, for all the connectors, we have added secure="true".

5) Make sure all the sample user and role entries are commented out in the CATALINA_HOME/conf/tomcat-users.xml file.

Let us know if anything is missing as part of the security settings.

Thanks,
Mohan
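As an added example (not part of Mohan's message and not Tomcat project code), the script below audits a CATALINA_HOME tree for the five settings listed above and reports what is still out of line. It assumes the standard Tomcat layout (conf/web.xml, conf/context.xml, conf/server.xml, conf/tomcat-users.xml and webapps/), and it builds a constructed sample tree so it runs offline; the `expected_wars` list is an assumed operator-supplied inventory of the archives that are supposed to be deployed. Two points worth noting for anyone reusing it: none of the five settings controls how a .war file lands in webapps/, which is why the audit also lists any archive not on the expected list, and secure="true" on a Connector only makes request.isSecure() report true; it does not by itself turn on TLS.

```python
"""Audit a CATALINA_HOME tree for the five hardening items listed in the message above.
Added example, not code from the original message; it assumes the standard Tomcat layout
(conf/*.xml and webapps/) and builds a constructed sample tree so it runs offline."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Default example webapps named in step 1; any still present means step 1 was skipped.
DEFAULT_EXAMPLE_APPS = ("jsp-examples", "servlet-examples", "tomcat-docs", "webdav")

def _local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/javaee} from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _elements(path, name):
    """All elements in an XML file whose local tag name is `name`."""
    return [el for el in ET.parse(path).getroot().iter() if _local(el.tag) == name]

def leftover_example_apps(home):
    webapps = os.path.join(home, "webapps")
    return sorted(d for d in DEFAULT_EXAMPLE_APPS if os.path.isdir(os.path.join(webapps, d)))

def default_servlet_listings(home):
    """Value of the DefaultServlet's `listings` init-param in conf/web.xml, or None."""
    for servlet in _elements(os.path.join(home, "conf", "web.xml"), "servlet"):
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-name") != "default":
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "listings":
                return kv.get("param-value")
    return None

def http_only_enabled(home):
    root = ET.parse(os.path.join(home, "conf", "context.xml")).getroot()
    return root.get("useHttpOnly", "").lower() == "true"

def connectors_without_secure(home):
    # Caveat: secure="true" only makes request.isSecure() report true; it does not enable TLS.
    conns = _elements(os.path.join(home, "conf", "server.xml"), "Connector")
    return [c.get("port") for c in conns if c.get("secure", "").lower() != "true"]

def active_users(home):
    # Entries inside <!-- --> are not parsed as elements, so only live users are returned.
    users = _elements(os.path.join(home, "conf", "tomcat-users.xml"), "user")
    return [u.get("username") for u in users]

def unexpected_wars(home, expected=()):
    """Deployed .war files not on the operator's expected list (steps 1-5 do not govern deployment)."""
    webapps = os.path.join(home, "webapps")
    return sorted(f for f in os.listdir(webapps) if f.endswith(".war") and f not in expected)

def audit(home, expected_wars=()):
    return {
        "leftover_example_apps": leftover_example_apps(home),
        "listings": default_servlet_listings(home),
        "http_only": http_only_enabled(home),
        "connectors_without_secure": connectors_without_secure(home),
        "active_users": active_users(home),
        "unexpected_wars": unexpected_wars(home, expected_wars),
    }

def build_sample_home():
    """Constructed sample tree, not a real server: partly hardened, with one leftover example
    app, one AJP connector lacking secure, one live user and the stray .war from the message."""
    home = tempfile.mkdtemp(prefix="catalina_")
    files = {
        "conf/web.xml": (
            '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"><servlet>'
            "<servlet-name>default</servlet-name>"
            "<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>"
            "<init-param><param-name>listings</param-name><param-value>false</param-value>"
            "</init-param></servlet></web-app>"),
        "conf/context.xml": '<Context useHttpOnly="true"/>',
        "conf/server.xml": (
            '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
            '<Connector port="8080" protocol="HTTP/1.1" secure="true"/>'
            '<Connector port="8009" protocol="AJP/1.3"/></Service></Server>'),
        "conf/tomcat-users.xml": (
            '<tomcat-users><!-- <user username="tomcat" password="tomcat" roles="manager"/> -->'
            '<user username="admin" password="placeholder" roles="manager"/></tomcat-users>'),
        "webapps/ROOT.war": "",
        "webapps/Tomcatmanagxesaxsas.war": "",
    }
    for rel, text in files.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    os.makedirs(os.path.join(home, "webapps", "webdav"))  # example app never removed (step 1)
    return home

if __name__ == "__main__":
    for key, value in audit(build_sample_home(), expected_wars=("ROOT.war",)).items():
        print(f"{key}: {value}")
```

Run it against a real installation by passing the CATALINA_HOME path and your own expected .war list to `audit()`; an empty list for every key except `listings` (which should read "false") and `http_only` (which should be True) means the five settings are in place and nothing unexpected is deployed.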

