Tuesday, December 04, 2012

JSP RAT by Jeroy

I found some strange looking web apps in our Tomcat folder on an old machine that we no longer use. It looks like they had been deployed by dropping a war file into the webapps folder. Here are the war file names:

fLfTPWqT.war, HjnZlFSg.war, sRLNRtow.war

I believe the entry point was an unsecured copy of xampp. If you browsed to the IP address of the server, you would be presented with an xampp login dialog. The xampp username and password had not been changed since the original install, so I am assuming this is how the war files were installed.

I removed the web apps and fixed the vulnerability in the xampp install. I didn't notice anything else wrong with the server, but I guess time will tell.

I was curious what the installed web app's functionality was, so I installed it on a testing machine at the office. It's actually a pretty cool app, but of course, quite dangerous to have running on a production machine somewhere. It's pretty much a file manipulation app - browse files/directories, download/upload, delete, copy, rename, move and launch external programs.

Here is a screenshot:

[Screenshot: JSP RAT]

If you encounter problems by having had this app on your systems, please provide any help you can here for others.

Additional relevant information can be found here: http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29
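The three WAR names above share a shape (eight letters, mixed case, hardly a vowel between them) that no developer picks by hand. The following Python script, added here as an example and not part of the original post, triages a Tomcat `webapps/` directory with two checks: a name heuristic tuned to those three names, and the stronger check of comparing every context against a list of what is supposed to be deployed. The stock-context list and the `ShopCart` application are assumptions; the directory layout in `demo()` is constructed for the run.

```python
"""Triage a Tomcat webapps/ directory for deployments whose names look machine-generated,
the way the three WAR files in the post do. Example code, not from the original post."""
import os
import re
import tempfile

# The WAR names the post found dropped into webapps/.
REPORTED_NAMES = ["fLfTPWqT.war", "HjnZlFSg.war", "sRLNRtow.war"]

# Contexts shipped with a stock Tomcat install; assumption, extend with your own apps.
KNOWN_CONTEXTS = {"ROOT", "docs", "examples", "host-manager", "manager"}

LETTERS_ONLY = re.compile(r"^[A-Za-z]+$")
VOWELS = set("aeiouAEIOU")


def context_name(entry):
    """'fLfTPWqT.war' -> 'fLfTPWqT'; an exploded directory keeps its name."""
    return entry[:-4] if entry.lower().endswith(".war") else entry


def looks_random(entry):
    """Heuristic for triage, not a verdict: 6-12 letters, both cases present,
    and fewer than one letter in five is a vowel (human-chosen names such as
    ShopCart.war or XMLParser.war fail the vowel test and are not flagged)."""
    stem = context_name(entry)
    if not LETTERS_ONLY.match(stem) or not 6 <= len(stem) <= 12:
        return False
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    vowel_fraction = sum(c in VOWELS for c in stem) / len(stem)
    return mixed_case and vowel_fraction < 0.2


def triage_webapps(webapps_dir):
    """Return (random_looking, unrecognized): entries flagged by the name heuristic,
    and entries whose context is not in KNOWN_CONTEXTS (the stronger check)."""
    random_looking, unrecognized = [], []
    for entry in sorted(os.listdir(webapps_dir)):
        if looks_random(entry):
            random_looking.append(entry)
        if context_name(entry) not in KNOWN_CONTEXTS:
            unrecognized.append(entry)
    return random_looking, unrecognized


def demo():
    """Constructed webapps/ layout: stock contexts, one legitimate app, the three reported WARs."""
    with tempfile.TemporaryDirectory() as d:
        for ctx in ["ROOT", "manager", "ShopCart"]:
            os.mkdir(os.path.join(d, ctx))
        for war in REPORTED_NAMES + ["ShopCart.war"]:
            open(os.path.join(d, war), "w").close()
        return triage_webapps(d)


if __name__ == "__main__":
    random_looking, unrecognized = demo()
    print("random-looking names:", random_looking)
    print("not in the known set:", unrecognized)
```

Point `triage_webapps()` at the real `webapps/` (and, for JBoss, at the `work/jboss.web/localhost/` subdirectories named in the comments) and review the `unrecognized` list by hand; the name heuristic only orders that list, it does not replace knowing what should be there.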

7 comments:

Nickleus said...

dealt with this bastard today at work, regarding our jboss server.

found his crap here:
/path/to/jboss/server/myapp/work/jboss.web/localhost/temporary/
/path/to/jboss/server/myapp/work/jboss.web/localhost/tmp/
/path/to/jboss/server/myapp/work/jboss.web/localhost/updates/

Markus said...

Same problem here on JBoss 4.2.3GA. JSP RAT was deployed in

/path/to/jboss/server/default/work/jboss.web/localhost/temporary/
/path/to/jboss/server/default/work/jboss.web/localhost/tmp/
/path/to/jboss/server/default/work/jboss.web/localhost/updates/

The problem seems to be JBoss Web 2.0.1 (which is a fork of Tomcat 6).
Does anyone know how to secure this JBoss version?
Does anyone know how to secure JBoss?

Nickleus said...

I started with setting correct file permissions (the server had been foolishly set with 777 for the whole jboss folder). I describe it here:
http://nickhumphreyit.blogspot.no/2013/07/jboss-422-files-that-need-execute.html

then remove the following folders from "deploy":
jmx-console
management

i.e.:
rm /path/to/jboss/server/yourdomain/deploy/jmx-console.war

rm /path/to/jboss/server/yourdomain/deploy/management

Anonymous said...

This comment has been removed by a blog administrator.

Anonymous said...

Does anybody know of any possibility of remote file inclusion with JBoss 4.2, even after jmx-console is removed?

Nickleus said...

yes, somehow through the JMXInvokerServlet:
http://breenmachine.blogspot.no/2013/09/jboss-jmxinvokerservlet-exploit.html

Anonymous said...

Yes, they are accessing JMX console functions via JMXInvokerServlet and EJBInvokerServlet.

We restricted these URLs and were able to stop this.

If anyone knows what other methods of exploiting JBoss there are, please let us know.
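The last two comments come down to one question a defender can answer from configuration alone: are the invoker servlets behind a `security-constraint`, and does that constraint cover every HTTP method? The script below, added here as an example and not part of the thread or of JBoss, reads a `web.xml`, finds the `url-pattern`s mapped to `JMXInvokerServlet` and `EJBInvokerServlet`, and reports each as unrestricted, protected for listed methods only (a constraint that names `http-method` elements leaves every other verb open, which is how the servlet spec defines it), or protected. The three `web.xml` fragments are constructed; the `/JMXInvokerServlet` paths and the `JBossAdmin` role name are assumptions, so substitute the ones in your own invoker deployment.

```python
"""Audit a web.xml for whether the invoker servlets named in the thread sit behind a
security-constraint. Example code, not the thread's own or JBoss's own."""
import xml.etree.ElementTree as ET

INVOKER_SERVLETS = {"JMXInvokerServlet", "EJBInvokerServlet"}


def _strip_ns(root):
    """Drop XML namespaces so findall() works on web.xml of any servlet-spec version."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def _covers(constraint_pattern, path):
    """Servlet-spec style matching: exact match, or a prefix pattern such as '/*' or '/invoker/*'."""
    if constraint_pattern == path:
        return True
    if constraint_pattern.endswith("/*"):
        return path.startswith(constraint_pattern[:-1])  # keep the trailing '/'
    return False


def invoker_exposure(web_xml_text):
    """Map each url-pattern bound to an invoker servlet to 'unrestricted',
    'listed methods only', or 'protected'."""
    root = _strip_ns(ET.fromstring(web_xml_text))
    bound = [p.text.strip()
             for m in root.findall("servlet-mapping")
             if m.findtext("servlet-name", "").strip() in INVOKER_SERVLETS
             for p in m.findall("url-pattern")]
    full, partial = [], []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # a constraint without auth-constraint requires no login at all
        for wrc in sc.findall("web-resource-collection"):
            # listing http-method elements protects ONLY those verbs
            target = partial if wrc.find("http-method") is not None else full
            target.extend(p.text.strip() for p in wrc.findall("url-pattern"))
    result = {}
    for path in bound:
        if any(_covers(c, path) for c in full):
            result[path] = "protected"
        elif any(_covers(c, path) for c in partial):
            result[path] = "listed methods only"
        else:
            result[path] = "unrestricted"
    return result


# Constructed fragments; paths and role name are assumptions, not copied from JBoss.
_HEAD = '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">'
_MAPPINGS = """
  <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name>
    <url-pattern>/EJBInvokerServlet</url-pattern></servlet-mapping>
"""
_CONSTRAINT = """
  <security-constraint>
    <web-resource-collection><web-resource-name>Invokers</web-resource-name>
      <url-pattern>/*</url-pattern>%s
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
"""
# 1: mappings and no constraint at all (the state the thread describes).
WEB_XML_OPEN = _HEAD + _MAPPINGS + "</web-app>"
# 2: constraint that names GET and POST only; every other verb stays open.
WEB_XML_METHOD_LIMITED = (_HEAD + _MAPPINGS
                          + _CONSTRAINT % "<http-method>GET</http-method><http-method>POST</http-method>"
                          + "</web-app>")
# 3: constraint over every path and every method.
WEB_XML_HARDENED = _HEAD + _MAPPINGS + _CONSTRAINT % "" + "</web-app>"

if __name__ == "__main__":
    for label, doc in [("open", WEB_XML_OPEN), ("GET/POST only", WEB_XML_METHOD_LIMITED),
                       ("hardened", WEB_XML_HARDENED)]:
        print(label, invoker_exposure(doc))
```

Run `invoker_exposure()` over the `web.xml` of the invoker web application actually deployed on the server; a result of `"listed methods only"` is the case to look for when a constraint exists and the servlets are still reachable, and a result of `"unrestricted"` with a `/*` pattern present usually means the constraint lacks an `auth-constraint`.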