Tuesday, December 04, 2012

JSP RAT by Jeroy

I found some strange-looking web apps in our Tomcat folder on an old machine that we no longer use. It looks like they had been deployed by dropping a war file into the webapps folder. Here are the war file names:

fLfTPWqT.war, HjnZlFSg.war, sRLNRtow.war

I believe the entry point was an unsecured copy of xampp. If you browsed to the IP address of the server, you would be presented with an xampp login dialog. The xampp username and password had not been changed since the original install, so I am assuming this is how the war files were installed.

I removed the web apps and fixed the vulnerability in the xampp install. I didn't notice anything else wrong with the server, but I guess time will tell.
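A check you could schedule on a Tomcat host to catch a recurrence of exactly this pattern: list the webapps folder, report anything that is not in a known baseline, and additionally mark names that look machine-generated like the three above. This is an added example, not the author's code or anything from the deployed app; the BASELINE set and the entropy threshold are assumptions to adjust for your own server.

```python
"""Flag unexpected Tomcat webapps deployments (added example, not from the post)."""
import math
import os
from collections import Counter

# Assumed baseline: stock Tomcat apps plus anything you deploy yourself.
BASELINE = {"ROOT", "manager", "host-manager", "docs", "examples"}


def _stem(entry: str) -> str:
    """Strip a trailing .war so a file and its exploded directory compare equal."""
    return entry[:-4] if entry.lower().endswith(".war") else entry


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(entry: str) -> bool:
    """Heuristic for names like fLfTPWqT: 8+ letters only, mixed case, high entropy.
    Real app names are usually shorter, lower-case, or contain digits/separators."""
    stem = _stem(entry)
    if len(stem) < 8 or not stem.isalpha():
        return False
    mixed_case = any(ch.islower() for ch in stem) and any(ch.isupper() for ch in stem)
    # Eight random letters score 2.5 or more; the 2.4 threshold is an assumption.
    return mixed_case and shannon_entropy(stem) >= 2.4


def find_suspicious(entries):
    """Return (entry, reason) for every webapps entry worth a closer look."""
    flagged = []
    for entry in entries:
        if _stem(entry) in BASELINE:
            continue
        reason = "not in baseline"
        if looks_generated(entry):
            reason += ", random-looking name"
        flagged.append((entry, reason))
    return flagged


def scan_webapps(path="/opt/tomcat/webapps"):
    """Run the check against a real directory; the default path is an assumption."""
    return find_suspicious(sorted(os.listdir(path)))


# Constructed listing: the three names from the post, their exploded dirs, and stock apps.
SAMPLE_LISTING = ["ROOT", "manager", "host-manager", "docs", "examples",
                  "fLfTPWqT.war", "fLfTPWqT", "HjnZlFSg.war", "sRLNRtow.war", "myapp.war"]

if __name__ == "__main__":
    for entry, reason in find_suspicious(SAMPLE_LISTING):
        print(f"{entry}: {reason}")
```

Treat the "random-looking" tag as a hint only; the baseline comparison is the real control, and every hit should be matched against your deployment records.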

I was curious what the installed web app's functionality was, so I installed it on a testing machine at the office. It's actually a pretty cool app, but of course, quite dangerous to have running on a production machine somewhere. It's pretty much a file manipulation app - browse files/directories, download/upload, delete, copy, rename, move and launch external programs.

Here is a screenshot:

[Image: JSP RAT screenshot]

If you encounter problems by having had this app on your systems, please provide any help you can here for others.

Additional relevant information can be found here: http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29