Ognjen Blagojevic wrote:
Chris,

On 25.11.2013 20:56, Christopher Schultz wrote:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
----

What most users do is to copy the XML example, and paste it into
tomcat-users.xml.

If that were the case, I would have expected to see "tomcat:s2cret"
listed in the worm's "obvious creds" list. Since it's not there, I
suppose that either it's not used very often in the wild or the
authors are not very smart.

This worm may not, but I found references to that username/password in wordlists [1], blogs [2,3] and books [4]. For me, that is a sign that Tomcat should avoid using that particular example password.

-Ognjen


[1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
[2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
[3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
[4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289

My company has been distributing an (external) software package for 30 years. In the standard distribution, there are 3 users defined with 3 standard passwords, to use for the initial demo and user training. The documentation has a prominent section in capitals and red colour that says that the passwords of these users should be changed, or these users deleted, as soon as the initial testing phase is over. When I go to visit customers, however, about 50% of them still have these users enabled with the original passwords, even at some very security-conscious places.

Users are like that.

So yes, by all means, have the Manager disabled by default; even when it is subsequently enabled, restrict it by default to localhost; and in the documentation and examples, use some password that is guaranteed NOT to work and MUST be changed. "******" may be a good way to suggest that it has to be changed, though I am sure that there will be users trying it literally.
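An added example of the two checks that follow from this message (my code, not from the thread or from the Tomcat project): it parses a tomcat-users.xml and flags accounts whose username/password pair appears in a default-credential wordlist, or whose password is the literal placeholder, and it checks the Manager application's context.xml for a RemoteAddrValve that admits only loopback addresses. The wordlist is assumed to use the one "user password" pair per line layout of the Metasploit list cited above (a short constructed excerpt is embedded, and a ':' separator is also accepted); the tomcat-users.xml and context.xml samples are constructed for the example.

```python
"""Audit a Tomcat Manager setup for documented example credentials left in
tomcat-users.xml and for a Manager app reachable from any address.

Added example; not code from the thread or from the Tomcat project.
Assumptions: the wordlist is one "user password" pair per line (Metasploit's
tomcat_mgr_default_userpass.txt layout; ':' also accepted); the XML below is
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of the Metasploit wordlist (the real file is longer).
DEFAULT_USERPASS = """\
admin admin
manager manager
tomcat tomcat
tomcat s3cret
role1 role1
"""

# Constructed tomcat-users.xml: the documentation example pasted in verbatim,
# a literal "******" placeholder, and one account with a real password.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="******" roles="manager-script"/>
  <user username="ops" password="Vx9!tq2#Lw8m" roles="manager-gui"/>
</tomcat-users>
"""

# Constructed webapps/manager/META-INF/context.xml variants: one with a
# loopback-only RemoteAddrValve, one with no address restriction at all.
LOCALHOST_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""
OPEN_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'

# Roles that grant control over deployments or the server (from the Tomcat docs).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}


def load_userpass(text):
    """Return the set of (username, password) pairs in a wordlist."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s:]+", line, maxsplit=1)
        if len(parts) == 2:
            pairs.add((parts[0], parts[1]))
    return pairs


def _local(tag):
    """Strip the XML namespace so files with and without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text, known_pairs):
    """Return (username, reason, privileged) for every suspicious account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if (name, password) in known_pairs:
            findings.append((name, "default credential from wordlist", privileged))
        elif not password or set(password) == {"*"}:
            # The literal "******" from the docs, or an empty password.
            findings.append((name, "placeholder password", privileged))
    return findings


def context_allows_only_localhost(context_xml,
                                  remote_probes=("10.0.0.5", "192.168.1.20", "203.0.113.9")):
    """True if a RemoteAddrValve admits loopback addresses and nothing else.

    Tomcat matches 'allow' as a Java regex against the whole client address,
    so re.fullmatch is the closest Python equivalent.
    """
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if not valve.get("className", "").endswith("RemoteAddrValve"):
            continue
        allow = valve.get("allow")
        if not allow:
            continue  # a deny-only valve does not restrict to localhost
        pattern = re.compile(allow)
        loopback_ok = all(pattern.fullmatch(ip)
                          for ip in ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1"))
        remote_blocked = not any(pattern.fullmatch(ip) for ip in remote_probes)
        return loopback_ok and remote_blocked
    return False  # no address valve: the Manager is reachable from anywhere


if __name__ == "__main__":
    pairs = load_userpass(DEFAULT_USERPASS)
    for name, reason, privileged in audit_users(SAMPLE_TOMCAT_USERS, pairs):
        print(f"{name}: {reason}{' (has Manager/admin role)' if privileged else ''}")
    print("sample context localhost-only:", context_allows_only_localhost(LOCALHOST_CONTEXT))
    print("open context localhost-only:", context_allows_only_localhost(OPEN_CONTEXT))
```

Run against a real installation by reading conf/tomcat-users.xml and webapps/manager/META-INF/context.xml into the two functions; the valve check deliberately returns False when only a `deny` attribute is present, since a deny list does not amount to a localhost restriction.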


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
