Old tomcat 5.5 installs being exploited

We have noticed a couple of people running older Tomcat 5.5 installs, and these are being exploited. The main things we noticed were slowdowns in bandwidth as well as CPU, along with a few other odd processes running as the tomcat user,

e.g.
www-data 20654 0.0 0.6 38616 8004 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20655 0.0 0.5 38468 7488 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20696 0.0 0.5 38468 6952 ? S 21:43 0:00 \_ /usr/sbin/apache2 -k start
tomcat55 18323 66.6 0.1 349368 1432 ? Ssl 10:53 448:28 ./gg

Running lsof -p on that PID shows:

root@prod-web1:~# lsof -p 18323
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gg 18323 tomcat55 cwd DIR 202,1 4096 492548 /var/lib/tomcat5.5/webapps
gg 18323 tomcat55 rtd DIR 202,1 4096 2 /
gg 18323 tomcat55 txt REG 202,1 1415201 498584 /var/lib/tomcat5.5/webapps/gg
gg 18323 tomcat55 mem REG 202,1 109152 311967 /lib/ld-2.7.so
gg 18323 tomcat55 mem REG 202,1 1274092 312131 /lib/libc-2.7.so
gg 18323 tomcat55 mem REG 202,1 38412 312185 /lib/libnss_files-2.7.so
gg 18323 tomcat55 mem REG 202,1 286 247821 /usr/lib/locale/en_US.utf8/LC_MONETARY
gg 18323 tomcat55 mem REG 202,1 52 247733 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
gg 18323 tomcat55 mem REG 202,1 34 247754 /usr/lib/locale/en_US.utf8/LC_PAPER
gg 18323 tomcat55 mem REG 202,1 77 247771 /usr/lib/locale/en_US.utf8/LC_NAME
gg 18323 tomcat55 mem REG 202,1 155 247823 /usr/lib/locale/en_US.utf8/LC_ADDRESS
gg 18323 tomcat55 mem REG 202,1 59 247824 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
gg 18323 tomcat55 mem REG 202,1 23 247825 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
gg 18323 tomcat55 mem REG 202,1 25700 219280 /usr/lib/gconv/gconv-modules.cache
gg 18323 tomcat55 mem REG 202,1 373 247826 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
gg 18323 tomcat55 0u CHR 1,3 309 /dev/null
gg 18323 tomcat55 1u CHR 1,3 309 /dev/null
gg 18323 tomcat55 2u CHR 1,3 309 /dev/null
gg 18323 tomcat55 3u IPv4 178006 TCP yourhost.com:46579->208.64.123.253:10993 (ESTABLISHED)

New files we found included:
/var/lib/tomcat5.5# find ./ -mtime 0
./webapps
./webapps/fake.cfg
./webapps/gg
./webapps/1AS.war
./webapps/1AS
./webapps/1AS/WEB-INF
./webapps/1AS/META-INF
root@garvin:/var/lib/tomcat5.5#

It's safe to say that if you see this on your own server, you need to stop the processes and Tomcat, and upgrade immediately. Check all applications carefully for extra files or backdoors before re-deploying.
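As an added example (not part of the original post), a small Python triage helper that applies the checks above to captured `lsof -p` and `find ./ -mtime 0` output: it flags a process image executing from inside webapps, any established TCP connection from that process, a freshly deployed .war, and root-level webapps files that are not a deployment (the gg and fake.cfg pattern). The sample listings inside it are constructed from the post's indicators, with a documentation address in place of the real remote IP, and the `expected` app list is an assumption.

```python
import re

# Constructed samples modelled on the post's listings (not real captures).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gg 18323 tomcat55 cwd DIR 202,1 4096 492548 /var/lib/tomcat5.5/webapps
gg 18323 tomcat55 txt REG 202,1 1415201 498584 /var/lib/tomcat5.5/webapps/gg
gg 18323 tomcat55 0u CHR 1,3 309 /dev/null
gg 18323 tomcat55 3u IPv4 178006 TCP yourhost.com:46579->203.0.113.7:10993 (ESTABLISHED)
"""
SAMPLE_FIND = """\
./webapps
./webapps/fake.cfg
./webapps/gg
./webapps/1AS.war
./webapps/1AS
./webapps/1AS/WEB-INF
./webapps/1AS/META-INF
"""

def lsof_findings(text, webapps="/var/lib/tomcat5.5/webapps"):
    """Flag a process image (fd 'txt') living inside webapps and any established
    TCP connection, the two indicators visible in the post's lsof listing."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "COMMAND":  # header or wrapped row
            continue
        user, fd, ftype = parts[2], parts[3], parts[4]
        if fd == "txt" and parts[-1].startswith(webapps + "/"):
            findings.append(f"binary executing from webapps as {user}: {parts[-1]}")
        if ftype.startswith("IPv") and parts[-1] == "(ESTABLISHED)":
            m = re.search(r"->([^:]+):(\d+)$", parts[-2])  # remote side of local->remote
            if m:
                findings.append(f"established TCP connection to {m.group(1)} port {m.group(2)}")
    return findings

def new_file_findings(text, expected=("ROOT",)):
    """Flag fresh .war deployments and root-level webapps entries that are neither
    an expected app nor the exploded copy of a fresh .war (gg, fake.cfg above).
    `expected` is an assumed allowlist of legitimately deployed apps."""
    top = [e.strip() for e in text.splitlines() if re.fullmatch(r"\./webapps/[^/]+", e.strip())]
    exploded = {e[:-4] for e in top if e.endswith(".war")}  # 1AS.war -> 1AS
    findings = []
    for e in top:
        if e.endswith(".war"):
            findings.append(f"freshly deployed war: {e}")
        elif e not in exploded and e.rsplit("/", 1)[1] not in expected:
            findings.append(f"non-deployment file dropped in webapps: {e}")
    return findings
```

Feed it the real output of `lsof -p <pid>` and `find ./ -mtime 0` run from the Tomcat base directory; each returned line is a lead to examine, not proof of compromise on its own.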

This entry was posted in Rimuhosting.

7 Responses to Old tomcat 5.5 installs being exploited

  1. - says:

    I had a similar problem with a tomcat6 install on Debian in the last few days.

    A file called SYN.WAR was uploaded and deployed to my webapps via an unknown mechanism. This contained two file-explorer JSP apps (index.jsp and a.jsp) and an interface to execute commands (8.jsp, called JShell). All the text was in Chinese (encoding=GBK).

    Using this interface they seem to have downloaded two files into my tmp folder:
    /tmp/p
    /tmp/fake.cfg

    And when /tmp/p was running it was transmitting large amounts of data to an IP address in China, probably some form of DoS.

  2. Tim Kanuka says:

    We also had the /tmp/p, fake.cfg, webapps/syn.war symptoms together with massive outgoing traffic today. It is possible that the vector was an easy-to-guess username/password on a tomcat6 manager application. One of our developers is having a look at the .war to further determine what it's doing.

    This is on a Scientific Linux 5.3 machine running tomcat 6.

  3. goranD says:

    Had the same attack on Oracle Linux 5.7; it took a large amount of data. Would be nice to have more details on the attack.

  4. tapczan says:

    Same for me; it happened with tomcat 6.0.35 on Debian wheezy.
    It was not the manager application - I have it disabled.
    My IPS reported that the vulnerability
    http://www.securityfocus.com/bid/36954/info
    was being attempted at the same time that syn.war was uploaded.

  5. peter saurus says:

    Same issue here. Unknown .jsp files started appearing on the server: inback.jsp, index.jsp and so on. Finally fake.cfg appeared in /temp and the server went down.

    Do you know how you can solve this?