New backdoor worm found attacking websites running Apache Tomcat

Status
Not open for further replies.

zachlipton

Seniorius Lurkius
40
You've got to hand it to Symantec, who reassures us in their blog that all their anti-virus products are able to detect the worm, but provides no other details for Tomcat admins who happen not to use Symantec products. Now I know that my management port isn't publicly accessible and I have a non-default password set, but some basic "check for foo.war in your webapps/ directory" is usually basic information that vendors provide in these situations.
 
Upvote
26 (27 / -1)

motytrah

Ars Tribunus Militum
2,972
Subscriptor++
Chuck Knucka said (http://meincmagazine.com/civis/viewtopic.php?p=25724389#p25724389):
Of course this is a big deal for Symantec because their Endpoint Protection product uses a Tomcat server to host its web admin console.

I've always been rather puzzled why a security company relies so heavily on Java and Java plugins.

Because the servers themselves are actually quite secure. By default a fresh Tomcat server has no admin user/password and for all intensive purposed is disabled. In order for the server to be infected someone had to manually go into the config file and set a weak sauce username and password.

One of the reasons I suspect the infection rate is so low is because very few people use the UI for production servers. You only need to set up an admin user if you want to use the UI to administer the server. You don't need to use the admin user to deploy a Java app. Just copy the WAR or EAR file into the webapp directory from the command prompt. Anything that can be managed in the UI can be managed in the config files from the command prompt too. The rare times I have seen the UI used in prod it was restricted behind a firewall or on a port only accessible internally.

Generally speaking Java in an application server context is light years more secure than Java the browser plug-in.
 
Upvote
34 (36 / -2)

hubick

Ars Scholae Palatinae
1,041
Subscriptor
compromised computers can also scan for other Tomcat servers and send the malware to them. When it finds another Tomcat server, it first attempts to log in with the following pairs of weak usernames and passwords

So, this isn't a Tomcat vulnerability, so much as a warning to change the default passwords.

Edit:

http://tomcat.apache.org/tomcat-7.0-doc ... ion_Access

The manager app is disabled by default, and the config example shows it restricted to localhost.
 
Upvote
11 (11 / 0)
motytrah said (http://meincmagazine.com/civis/viewtopic.php?p=25724555#p25724555):
One of the reasons I suspect the infection rate is so low is because very few people use the UI for production servers. You only need to set up an admin user if you want to use the UI to administer the server. You don't need to use the admin user to deploy a Java app. Just copy the WAR or EAR file into the webapp directory from the command prompt. Anything that can be managed in the UI can be managed in the config files from the command prompt too. The rare times I have seen the UI used in prod it was restricted behind a firewall or on a port only accessible internally.

I investigated this alert and realized our deployment garbage cleanup would actually be an effective anti-virus in this case, because the installed code would appear as an app that doesn't jibe with our payload manifest. It'd treat it as a remnant of a faulted undeploy.
 
Upvote
1 (1 / 0)
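The posts above describe three things an admin can check for without waiting on a vendor signature: whether tomcat-users.xml grants a manager role to an account with a guessable password, whether the manager app's context.xml actually restricts it to loopback (the RemoteAddrValve hubick points at), and whether webapps/ contains an application that no deployment manifest accounts for (the "faulted undeploy" idea). The following is an added example written for this page, not code from the article, Symantec, or the Tomcat project. The weak-password list, the sample tomcat-users.xml, the two context.xml fragments and the webapps listing are all constructed for illustration; the worm's real credential list is not on this page and is not reproduced.

```python
"""Audit checks for the three conditions discussed in this thread: a manager/admin
account in tomcat-users.xml with a guessable password, a manager app reachable from
non-loopback addresses, and a WAR in webapps/ that no deployment manifest accounts
for. Sample inputs below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Roles that grant manager or host-manager access (Tomcat 7 role names).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed list of guessable passwords (assumption, not the worm's own list);
# extend it with whatever your password policy forbids.
WEAK_PASSWORDS = {"tomcat", "admin", "manager", "password", "123456", "root", "s3cret"}

# Addresses a loopback-only RemoteAddrValve must reject.
NON_LOCAL_PROBES = ["10.0.0.5", "192.168.1.20", "203.0.113.7", "2001:db8::1"]


def _local_tag(elem):
    """Strip the XML namespace (tomcat-users.xml declares one) from an element tag."""
    return elem.tag.rsplit("}", 1)[-1]


def weak_manager_users(tomcat_users_xml):
    """Return (username, reason) for every user holding a manager/admin role whose
    plaintext password is guessable. Digested passwords are only length-checked here."""
    findings = []
    for user in ET.fromstring(tomcat_users_xml).iter():
        if _local_tag(user) != "user":
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # no manager access, so a guessed login gains nothing here
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "password is in the weak list or equals the username"))
        elif len(password) < 12:
            findings.append((name, "password is shorter than 12 characters"))
    return findings


def manager_restricted_to_localhost(context_xml):
    """True only if the manager app's META-INF/context.xml has a RemoteAddrValve whose
    'allow' pattern admits 127.0.0.1 and rejects every non-loopback probe address.
    Tomcat matches 'allow' against the whole client address; re.fullmatch mirrors that."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") != "org.apache.catalina.valves.RemoteAddrValve":
            continue
        allow = valve.get("allow")
        if not allow:
            continue
        try:
            pattern = re.compile(allow)
        except re.error:
            return False
        admits_loopback = pattern.fullmatch("127.0.0.1") is not None
        admits_remote = any(pattern.fullmatch(a) for a in NON_LOCAL_PROBES)
        return admits_loopback and not admits_remote
    return False  # no valve at all: the manager listens wherever the connector does


def unexpected_webapps(webapps_entries, manifest):
    """Return application names present in webapps/ (as a .war or an exploded directory)
    that neither the deployment manifest nor Tomcat's own bundled apps account for."""
    expected = set(manifest) | {"ROOT", "manager", "host-manager"}
    present = {e[:-4] if e.endswith(".war") else e for e in webapps_entries}
    return sorted(present - expected)


# --- constructed samples ---------------------------------------------------------
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="X7#qLm9!vR2pZe4u" roles="manager-script"/>
  <user username="alice" password="alice" roles="reporting"/>
</tomcat-users>
"""

# The loopback-only valve shape from the Tomcat 7 manager documentation.
SAMPLE_LOCKED_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""

# A valve someone loosened to "anything", which is as bad as no valve at all.
SAMPLE_OPEN_CONTEXT = """<Context privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=".*"/>
</Context>
"""

SAMPLE_WEBAPPS = ["ROOT", "manager", "host-manager", "orders.war", "orders", "foo.war"]
SAMPLE_MANIFEST = ["orders"]

if __name__ == "__main__":
    for user, reason in weak_manager_users(SAMPLE_TOMCAT_USERS):
        print(f"weak manager credential: {user}: {reason}")
    print("manager loopback-only:", manager_restricted_to_localhost(SAMPLE_LOCKED_CONTEXT))
    print("manager loopback-only (open valve):", manager_restricted_to_localhost(SAMPLE_OPEN_CONTEXT))
    print("unexpected webapps:", unexpected_webapps(SAMPLE_WEBAPPS, SAMPLE_MANIFEST))
```

On a real host, feed `weak_manager_users` the contents of `$CATALINA_BASE/conf/tomcat-users.xml`, `manager_restricted_to_localhost` the manager app's `META-INF/context.xml` (or the per-host copy under `conf/Catalina/localhost/manager.xml` if one exists), and `unexpected_webapps` an `os.listdir` of `webapps/` plus whatever list your deployment tooling considers authoritative. The valve check is behavioural rather than textual on purpose: it compiles the `allow` pattern and probes it with loopback and non-loopback addresses, so an `allow` that looks restrictive but accidentally matches a wider range is still reported.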

kalzekdor

Ars Scholae Palatinae
837
Faramir said (http://meincmagazine.com/civis/viewtopic.php?p=25725177#p25725177):
motytrah said (http://meincmagazine.com/civis/viewtopic.php?p=25724555#p25724555):
By default a fresh Tomcat server no admin user/password and for all intensive purposed is disabled.
for all intents and purposes

Beat me to it, fellow logomachist.
 
Upvote
2 (3 / -1)

motytrah

Ars Tribunus Militum
2,972
Subscriptor++
bonewah said (http://meincmagazine.com/civis/viewtopic.php?p=25728617#p25728617):
So to be clear here, the exploit vector is weak passwords? This isn't some new vulnerability in Tomcat? Can the author perhaps state that explicitly in the article?

I wouldn't hold your breath. Dan's articles relating to programming languages and the infrastructure around them tend to be high on headlines and short on details and context. I think most of it comes from lack of knowledge. Which isn't unusual. A lot of security folks know networking and OS really well, but are totally in the dark about application servers and the execution environment/VM.
 
Upvote
2 (3 / -1)

dangoodin

Ars Tribunus Militum
1,648
Ars Staff
bonewah said (http://meincmagazine.com/civis/viewtopic.php?p=25728617#p25728617):
So to be clear here, the exploit vector is weak passwords? This isn't some new vulnerability in Tomcat? Can the author perhaps state that explicitly in the article?

There's nothing in the original research -- or in my article, for that matter -- that indicates there's a vulnerability in Tomcat or any other software running on infected machines. We also know that the self-replication method relies on weak passwords. That said, the absence of evidence isn't evidence of absence. It often takes months for researchers to fully unravel how a newly discovered piece of malware works. (Researchers still aren't sure how Darkleech spreads, for instance.) That being the case, I'm not prepared to state categorically there's no software vulnerability involved here.

I've updated the story to make explicit there's no evidence of a software vulnerability.
 
Upvote
0 (1 / -1)