What the Chinese deploy into your Tomcat server if you don't secure it

27 points

12 years ago

I was going through the subfolders of one of the (public back then; currently shut down) Tomcat servers of a customer and noticed a strange deployment in the "webapps/"-folder. The deployable's filename was "8888.war" and the only file that it contained was "index.jsp".

Here's the content (anonymized two variables, just in case): https://gist.github.com/anonymous/93154503b5763961af9f (Please let me know if this goes against any HN rule, I'll delete the Gist right away.)

Looking at the source code you see what it does - uploading files and stuff, no rocket science.

Of course the deployment was made using the Tomcat manager console and the IP addresses that show up in the log file trace back to China/Shanghai, e.g. 112.65.211.246. (So that explains why the filename was "8888": http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Eight)

The "tomcat-users.xml" contained the default user names and passwords and the entire section was commented out. Someone was testing remote deployments and didn't bother changing the passwords first... well that's how you get ants.

I don't see what damage was actually done, except for a few attempted multipart/form uploads that timed out. Other than that the server was shut down about 2 weeks after the incident... which was more than enough time to have some fun.

I couldn't find any rootkits or anything else suspicious-looking, using the known tools (chkrootkit etc.).

Anyone else experienced this before?

6 comments