Symantec has discovered a new back door worm-type threat on servers running Apache Tomcat. This threat is a little different from the ones we usually encounter every day.
Back door type Trojan horses and worms let attackers execute various commands on compromised computers and essentially enable the attacker to control a computer remotely. Important information can then be stolen from the user, and their computer could be used to attack other victims.
It is tempting to think that this kind of attack only targets personal computers, such as desktops and laptops, but unfortunately that is not true: servers can also be attacked. There are Trojans written in PHP, such as PHP.Backdoor.Trojan. This time around though, Symantec has found a back door worm that acts as a Java Servlet. We have named it Java.Tomdep.
The Java Servlet is executed on Apache Tomcat, but it does not create a Web page and instead behaves as an IRC bot. It connects to an IRC server and performs commands sent from the attacker. End users who visit Web pages from the compromised Tomcat server are not affected by this threat.
When it finds another Tomcat server, it first attempts to log in with pairs of weak usernames and passwords.
It then deploys itself to the Tomcat server it found.
To avoid this threat, ensure that your server and AV products are fully patched and updated. We recommend that you use strong passwords and do not open the management port to public access.
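The strong-password recommendation can be checked directly against Tomcat's `tomcat-users.xml`. The following is an added example, not code from Symantec or the Tomcat project: it flags accounts holding manager or admin roles whose passwords are guessable. The word list, the 12-character minimum and the sample file are constructed assumptions, and the check assumes passwords are stored in plaintext rather than digested.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's Manager / Host Manager applications.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin", "admin-gui", "admin-script"}
# Constructed sample of guessable passwords; replace with your own wordlist.
COMMON_PASSWORDS = {"", "admin", "tomcat", "password", "manager", "root",
                    "changeme", "123456", "s3cret"}
MIN_LENGTH = 12  # assumed local policy, not a Tomcat default

def local(tag):
    """Strip an XML namespace, since newer tomcat-users.xml files declare one."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return [(username, [reasons])] for manager-capable accounts with weak passwords."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        # Tomcat accepts 'username' and, for older files, 'name'.
        user = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # account cannot deploy or manage applications
        reasons = []
        if password.lower() == user.lower():
            reasons.append("password equals username")
        if password.lower() in COMMON_PASSWORDS:
            reasons.append("password is a common default")
        if len(password) < MIN_LENGTH:
            reasons.append(f"password shorter than {MIN_LENGTH} characters")
        if reasons:
            findings.append((user, reasons))
    return findings

# Constructed sample file contents, not taken from any real server.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Vq7#nL2xw9Rk!dT4" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, reasons in audit_tomcat_users(SAMPLE):
        print(f"{user}: {'; '.join(reasons)}")
```

Run it against the contents of `conf/tomcat-users.xml` on each server; any account it reports should get a new password or lose its manager role.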