Hi,

An instance running tomcat 6.0.24 as root in our developer network was compromised today by a scanning bot which deployed a war file and then deleted the on disk file, before scanning for new hosts until the IDS detected it.

Obviously this is not a flaw in tomcat, but I was hoping someone could give me some pointers to where I might read a write-up of the payload, as I would be interested to know to what extent the bot took advantage of its root power.

The proc with all the connections was actually perl, and running strings on a core dump of that process reveals a lot of perl stuff (and also the very weak password list).

However, googling these facts does not seem to be helping that much. Any suggestions?

Thanks
Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
