Tuesday, December 04, 2012

JSP RAT by Jeroy

I found some strange looking web apps in our Tomcat folder on an old machine that we no longer use. It looks like they had been deployed by dropping a war file into the webapps folder. Here are the war file names:

fLfTPWqT.war, HjnZlFSg.war, sRLNRtow.war

I believe the entry point was an unsecured copy of xampp. If you browsed to the IP address of the server, you would be presented with an xampp login dialog. The xampp username and password had not been changed since the original install, so I am assuming this is how the war files were installed.

I removed the web apps and fixed the vulnerability in the xampp install. I didn't notice anything else wrong with the server, but I guess time will tell.

I was curious what the installed web app's functionality was, so I installed it on a testing machine at the office. It's actually a pretty cool app, but of course, quite dangerous to have running on a production machine somewhere. It's pretty much a file manipulation app - browse files/directories, download/upload, delete, copy, rename, move and launch external programs.

Here is a screenshot:

[Screenshot: JSP RAT]

If you encounter problems by having had this app on your systems, please provide any help you can here for others.

Additional relevant information can be found here: http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29
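A defender's check for the kind of deployment described above, added here as an example and not part of the original post: it scans a Tomcat webapps/ listing for entries that are not on a local allow-list and that share the shape of the three WAR names found on the compromised server (eight letters with mixed case in the interior). The allow-list, the sample listing and the "myapp" name are assumptions for the example.

```python
import os
import re

# Deployments that legitimately belong in this server's webapps/ directory; edit to match yours.
ALLOWED = {"ROOT", "manager", "host-manager", "docs", "examples", "myapp"}

# The three WARs in the post were named with eight random letters (e.g. fLfTPWqT.war).
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")


def interior_mixed_case(s):
    """True when the characters after the first mix upper and lower case,
    as in 'fLfTPWqT' but not in an ordinary name such as 'Accounts'."""
    tail = s[1:]
    return any(c.isupper() for c in tail) and any(c.islower() for c in tail)


def is_suspicious(entry, allowed=ALLOWED):
    """Flag a webapps/ entry (a .war file or the directory Tomcat expands it into)
    whose name is not allow-listed and looks machine-generated."""
    base = entry[:-4] if entry.lower().endswith(".war") else entry
    if base in allowed:
        return False
    return bool(EIGHT_LETTERS.match(base)) and interior_mixed_case(base)


def scan_listing(entries, allowed=ALLOWED):
    """Return the suspicious entries from a webapps/ directory listing, sorted."""
    return sorted(e for e in entries if is_suspicious(e, allowed))


def scan_webapps_dir(path, allowed=ALLOWED):
    """Run the same check against a real directory, e.g. /opt/tomcat/webapps."""
    return scan_listing(os.listdir(path), allowed)


# Constructed listing modelled on the post: three random WARs plus one already expanded by Tomcat.
SAMPLE_LISTING = [
    "ROOT", "manager", "host-manager", "docs", "myapp", "myapp.war",
    "fLfTPWqT.war", "fLfTPWqT", "HjnZlFSg.war", "sRLNRtow.war",
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("suspicious deployment:", hit)
```

Any hit should be checked against the WAR's modification time and the Tomcat access logs, since a name alone only says the deployment was not expected.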


Saturday, June 23, 2012

Jersey, REST, MyBatis

I am new to REST and Jersey. I have been going through some online tutorials I googled and reading some books. I created a project and got everything set up. I created the database layer using MyBatis, which I have used in many other projects. I followed the tutorial exactly and got it working. As soon as I used MyBatis to create and populate the bean/pojo object, I would get this exception message:

SEVERE: A message body writer for Java class com.myproject.dto.Person$$EnhancerByCGLIB$$3806666a, and Java type class com.myproject.dto.Person, and MIME media type text/xml was not found

Not knowing much about how Jersey worked, with all the annotations, I initially thought it was a problem with one of the data types of the Person class, but soon discovered that was not it. I created two Person objects, one through MyBatis and one using the Java new operator. I noticed the one created with the Java new operator had member variables named CGLIB$BOUND set to true and CGLIB$CALLBACK_0 set with a value, but the Person object created by MyBatis did not. I googled "cglib$bound in mybatis" and found an entry that took me to the MyBatis source code with some error text that said "Cannot enable lazy loading because CGLIB is not available. Add CGLIB to your classpath."

So I decided to disable lazy loading in my MyBatis config file:

<setting name="lazyLoadingEnabled" value="false"/>

and this fixed the problem!

Is this documented somewhere? Did I really have to spend 3 hours trying to track this down?