Old tomcat 5.5 installs being exploited


We have noticed a couple of people running older Tomcat 5.5 installs, and these are being exploited. The main things we noticed were slowdowns in bandwidth as well as CPU, along with a few other odd processes running as the tomcat user,

e.g.
www-data 20654 0.0 0.6 38616 8004 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20655 0.0 0.5 38468 7488 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20696 0.0 0.5 38468 6952 ? S 21:43 0:00 \_ /usr/sbin/apache2 -k start
tomcat55 18323 66.6 0.1 349368 1432 ? Ssl 10:53 448:28 ./gg

Running lsof -p <pid> against it shows:

root@prod-web1:~# lsof -p 18323
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gg 18323 tomcat55 cwd DIR 202,1 4096 492548 /var/lib/tomcat5.5/webapps
gg 18323 tomcat55 rtd DIR 202,1 4096 2 /
gg 18323 tomcat55 txt REG 202,1 1415201 498584 /var/lib/tomcat5.5/webapps/gg
gg 18323 tomcat55 mem REG 202,1 109152 311967 /lib/ld-2.7.so
gg 18323 tomcat55 mem REG 202,1 1274092 312131 /lib/libc-2.7.so
gg 18323 tomcat55 mem REG 202,1 38412 312185 /lib/libnss_files-2.7.so
gg 18323 tomcat55 mem REG 202,1 286 247821 /usr/lib/locale/en_US.utf8/LC_MONETARY
gg 18323 tomcat55 mem REG 202,1 52 247733 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
gg 18323 tomcat55 mem REG 202,1 34 247754 /usr/lib/locale/en_US.utf8/LC_PAPER
gg 18323 tomcat55 mem REG 202,1 77 247771 /usr/lib/locale/en_US.utf8/LC_NAME
gg 18323 tomcat55 mem REG 202,1 155 247823 /usr/lib/locale/en_US.utf8/LC_ADDRESS
gg 18323 tomcat55 mem REG 202,1 59 247824 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
gg 18323 tomcat55 mem REG 202,1 23 247825 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
gg 18323 tomcat55 mem REG 202,1 25700 219280 /usr/lib/gconv/gconv-modules.cache
gg 18323 tomcat55 mem REG 202,1 373 247826 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
gg 18323 tomcat55 0u CHR 1,3 309 /dev/null
gg 18323 tomcat55 1u CHR 1,3 309 /dev/null
gg 18323 tomcat55 2u CHR 1,3 309 /dev/null
gg 18323 tomcat55 3u IPv4 178006 TCP yourhost.com:46579->208.64.123.253:10993 (ESTABLISHED)

New files we found included:
/var/lib/tomcat5.5# find ./ -mtime 0
./webapps
./webapps/fake.cfg
./webapps/gg
./webapps/1AS.war
./webapps/1AS
./webapps/1AS/WEB-INF
./webapps/1AS/META-INF
root@garvin:/var/lib/tomcat5.5#

It's safe to say that if you see this on your own server, you need to stop the processes and Tomcat, and upgrade immediately. Check all applications carefully for extra files or backdoors before re-deploying.
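A small triage script for the symptoms described above, added here as an example and not from the original post: it flags non-JVM processes running as a tomcat account, established connections from them to non-private addresses, and loose files at the top of webapps. The ps/lsof samples it runs against are constructed, and 203.0.113.7 is a documentation address standing in for the real remote host.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Feed them live output:
#   ps -eo user,pid,pcpu,comm   | tomcat_non_java_procs
#   lsof -nP -i -a -u tomcat55  | tomcat_external_conns
#   stray_webapps_files /var/lib/tomcat5.5/webapps
# The samples below are constructed; 203.0.113.7 is a documentation address.
SAMPLE_PS='USER PID %CPU COMMAND
www-data 20654 0.0 /usr/sbin/apache2
tomcat55 1234 3.2 /usr/lib/jvm/java-6-sun/bin/java
tomcat55 18323 66.6 ./gg'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 1234 tomcat55 45u IPv4 170000 0t0 TCP *:8080 (LISTEN)
java 1234 tomcat55 51u IPv4 170500 0t0 TCP 10.0.0.5:8080->10.0.0.9:51010 (ESTABLISHED)
gg 18323 tomcat55 3u IPv4 178006 0t0 TCP 10.0.0.5:46579->203.0.113.7:10993 (ESTABLISHED)'

# Rule 1: a tomcat* account should only be running the JVM. Anything else
# (like ./gg in the sample) is printed as "pid command".
tomcat_non_java_procs() {
    awk 'NR > 1 && $1 ~ /^tomcat/ && $4 !~ /java$/ { print $2, $4 }'
}

# Rule 2: established IPv4 connections from tomcat processes whose remote end
# is outside RFC 1918 / loopback space. A servlet container normally accepts
# connections; an outbound session to an arbitrary host is the pattern seen
# above. Prints "pid command remote_ip". (IPv4 only: IPv6 has extra colons.)
tomcat_external_conns() {
    awk 'NR > 1 && $NF == "(ESTABLISHED)" {
        if (split($(NF-1), ends, "->") < 2) next
        split(ends[2], rp, ":")
        if (rp[1] !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            print $2, $1, rp[1]
    }'
}

# Rule 3: regular files directly inside webapps/ that are not .war archives
# (the post found gg and fake.cfg there). Tomcat only expects WARs and
# exploded application directories at that level.
stray_webapps_files() {
    find "$1" -maxdepth 1 -type f ! -name '*.war'
}

# Stand-alone demo against the constructed samples.
printf '%s\n' "$SAMPLE_PS" | tomcat_non_java_procs
printf '%s\n' "$SAMPLE_LSOF" | tomcat_external_conns
```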


7 responses to “Old tomcat 5.5 installs being exploited”

  1. I had a similar problem with a tomcat6 install on Debian in the last few days.

    A file called SYN.WAR was uploaded and deployed to my webapps via an unknown mechanism. This contained two file-explorer JSP apps (index.jsp and a.jsp) and an interface to execute commands (8.jsp, called JShell). All the text was in Chinese (encoding=GBK).

    Using this interface they seemed to have downloaded two files into my tmp folder:
    /tmp/p
    /tmp/fake.cfg

    And when /tmp/p was running it was transmitting large amounts of data to an IP address in China, probably some form of DoS.

  2. We also had the /tmp/p, fake.cfg, webapps/syn.war symptoms together with massive outgoing traffic today. It is possible that the vector was an easy-to-guess username/password on a tomcat6 manager application. One of our developers is having a look at the .war to further determine what it’s doing.

    This is on a Scientific Linux 5.3 machine running tomcat 6.

  3. Had the same attack on Oracle Linux 5.7; it took a large amount of data. Would be nice to have more details on the attack.

  4. Same issue here. Unknown .jsp files started appearing on the server: inback.jsp, index.jsp and so on. Finally, fake.cfg appeared in /temp and the server went down.

    Do you know how you can solve this?

    • Best way to solve it is to upgrade to the latest tomcat and not use older unsupported software.