On 27/11/2012 07:21, Mohan Kumar G wrote:
>
> We have found the malware installed on the tomcat version
> 6.0.29 on two of the servers. Both servers have a war file
> (Tomcatmanagxesaxsas.war) that installed several java script files to the
> Tomcat webserver that allow for remote access over the web. OD-VA-W-AG-87 had
> an additional war file (Jeroy.war) that appears to also be a java script
> remote file browser.

Could you send copies of those WAR files to secur...@tomcat.apache.org please.

> Even though we followed all the security settings needed for
> the tomcat container.

You are running a 2 year old version of Tomcat 6.0.x with multiple known
security vulnerabilities. There are several vulnerabilities that could have
provided an attacker with the necessary foothold to start an attack.

> The below steps are followed to secure the tomcat container:
>
> 1) Removed the default examples under CATALINA_HOME/webapps
> like jsp-examples, servlet-examples, tomcat-docs, webdav

What about the manager and host-manager applications (a favourite route for
attackers if not correctly secured)?

> 2) Make sure the default servlet is configured not to serve
> index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml

That is pretty low on the list of things to do and only of use if you have
directories with thousands of files (to prevent a DoS generating the listings).

> 3) Context.xml :
>
> <Context useHttpOnly="true">

Good.

> 4) server.xml :
>
> In the server.xml for all the connectors, we have added
> secure="true"

Do you understand what that does? It does not magically make things more
secure.

> 5) Make sure all the
> sample user and role entries are commented out in the
> CATALINA_HOME/conf/tomcat-users.xml file

They are by default.

> Let us know if anything is missing as part of security settings

The following list is for 7.0.x but most applies to 6.0.x as well:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

An upgrade to at least the latest 6.0.x release is highly recommended.

Also, check any functionality that allows a remote user to upload content to
the server. Make absolutely sure there is no way they can upload files to the
webapps directory.

Some additional questions:
- Anything interesting in the access log?
- Do you know how the attack was mounted?
- How did you detect the attack?

Mark
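As an added example (not part of the thread and not Tomcat project code), a small Python scanner for the access-log question Mark raises: it parses Tomcat's "common" AccessLogValve format and flags manager/host-manager deployments, HTTP PUT requests, and responses served from contexts outside the expected set, which is how the two unexpected WAR contexts named above would surface. The sample log lines, the `KNOWN_CONTEXTS` set and the hostnames are constructed for the example.

```python
import re
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Contexts this (constructed) server is expected to serve; "" is ROOT.
KNOWN_CONTEXTS = {"", "myapp"}
ADMIN_CONTEXTS = {"manager", "host-manager"}

# Constructed sample lines; the suspect context names come from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Nov/2012:22:14:03 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - admin [26/Nov/2012:22:16:41 +0000] "POST /manager/html/upload HTTP/1.1" 200 9811',
    '198.51.100.7 - - [26/Nov/2012:22:17:02 +0000] "GET /Tomcatmanagxesaxsas/index.jsp HTTP/1.1" 200 3342',
    '203.0.113.9 - - [26/Nov/2012:22:20:15 +0000] "PUT /Jeroy.war HTTP/1.1" 403 -',
]

def parse(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def context_of(path):
    """First path segment, ignoring the query string: '/myapp/x?y' -> 'myapp'."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]

def classify(entry):
    """Return the reasons (possibly none) that an entry deserves a closer look."""
    reasons = []
    ctx = context_of(entry["path"])
    if ctx in ADMIN_CONTEXTS:
        reasons.append("manager app access")
        if "/deploy" in entry["path"] or "/upload" in entry["path"]:
            reasons.append("manager deploy/upload")
    if entry["method"] == "PUT":
        reasons.append("HTTP PUT")  # content upload attempt against the container
    # A 2xx/3xx from a context nobody deployed on purpose is the strongest signal.
    if ctx not in KNOWN_CONTEXTS | ADMIN_CONTEXTS and entry["status"][0] in "23":
        reasons.append(f"unexpected context '{ctx}' served")
    return reasons

def scan(lines):
    """Return (host, method, path, reasons) for every suspicious, parseable line."""
    return [(e["host"], e["method"], e["path"], classify(e))
            for e in map(parse, lines) if e and classify(e)]

if __name__ == "__main__":
    for host, method, path, why in scan(SAMPLE_LOG):
        print(f"{host} {method} {path}: {', '.join(why)}")
```

Point `scan()` at the real `localhost_access_log.*.txt` lines and adjust `KNOWN_CONTEXTS` to the contexts actually deployed on the host.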