What the Chinese deploy into your Tomcat server if you don't secure it - Riyadh

I was going through the subfolders of one of the (public back then; currently shut down) Tomcat servers of a customer and noticed a strange deployment in the "webapps/"-folder. The deployable's filename was "8888.war" and the only file that it contained was "index.jsp".

Here's the content (anonymized two variables, just in case):
https://gist.github.com/anonymous/93154503b5763961af9f
(Please let me know if this goes against any HN rule, I'll delete the Gist right away.)

Looking at the source code you see what it does - uploading files and stuff, no rocket science.

Of course the deployment was made using the Tomcat manager console and the IP addresses that show up in the log file trace back to China/Shanghai, e.g. 112.65.211.246.
(So that explains why the filename was "8888": http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Eight)

The "tomcat-users.xml" contained the default user names and passwords and the entire section was commented out. Someone was testing remote deployments and didn't bother changing the passwords first... well that's how you get ants.

I don't see what damage was actually done, except for a few attempted multipart/form uploads that timed out. Other than that the server was shut down about 2 weeks after the incident... which was more than enough time to have some fun.

I couldn't find any rootkits or anything else suspicious-looking, using the known tools (chkrootkit etc.).

Anyone else experienced this before?
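The post above describes the two things a defender would want to check on a Tomcat host like this: whether tomcat-users.xml still grants a manager role to an account with an example password, and whether the access log shows manager deployments and web contexts that nobody on the team created (here, "8888"). The following script is an added example, not code from the post or from the Gist it links; the tomcat-users.xml and access-log lines are constructed samples, and the set of "example" passwords is an assumption (only "tomcat" and "s3cret" come from Tomcat's own documentation).

```python
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat manager application (real Tomcat role names).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# "tomcat" and "s3cret" are the placeholder passwords used in Tomcat's own
# example configuration; the remaining entries are assumed additions for this check.
EXAMPLE_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager", "changeme"}

# Constructed sample tomcat-users.xml: one manager account still on an example
# password, one commented-out account, one account with a strong password.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <!-- <user username="admin" password="admin" roles="manager-gui"/> -->
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Xk9vQ2pL8mRt4Wz" roles="manager-script"/>
</tomcat-users>
"""

# Constructed access-log lines in the AccessLogValve "common" pattern.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - tomcat [12/May/2015:03:14:07 +0000] "GET /manager/html HTTP/1.1" 200 15213
203.0.113.7 - tomcat [12/May/2015:03:14:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 8234
203.0.113.7 - - [12/May/2015:03:14:11 +0000] "GET /8888/index.jsp HTTP/1.1" 200 5120
198.51.100.4 - deployer [12/May/2015:09:00:00 +0000] "PUT /manager/text/deploy?path=/shop HTTP/1.1" 200 63
192.0.2.9 - - [12/May/2015:09:01:00 +0000] "GET /shop/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that deploy a new web application (HTML upload form and text/script API).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")


def weak_manager_users(xml_text):
    """Return (username, reason) for every *active* user that holds a manager role
    and has an example, name-equal, or short password. XML comments are dropped by
    the parser, so commented-out <user> lines are not reported."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":  # strip the namespace prefix
            continue
        name = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        if pwd.lower() in EXAMPLE_PASSWORDS or pwd == name:
            findings.append((name, "example/default password"))
        elif len(pwd) < 12:
            findings.append((name, "short password"))
    return findings


def manager_deployments(log_text):
    """Return one dict per request that deployed an application through the manager."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") in ("PUT", "POST") and path.startswith(DEPLOY_PATHS):
            events.append({"ip": m.group("ip"), "user": m.group("user"),
                           "path": path, "status": int(m.group("status"))})
    return events


def unexpected_contexts(log_text, known):
    """Return the first path segments (web contexts) requested in the log that are
    not in the allow-list of contexts the team actually deployed."""
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        first = m.group("path").split("?", 1)[0].strip("/").split("/", 1)[0]
        if first:
            seen.add(first)
    return seen - set(known)


if __name__ == "__main__":
    print("weak manager users:", weak_manager_users(SAMPLE_TOMCAT_USERS))
    print("manager deployments:", manager_deployments(SAMPLE_ACCESS_LOG))
    print("unknown contexts:", unexpected_contexts(SAMPLE_ACCESS_LOG, {"manager", "shop"}))
```

On the sample data the script flags the "tomcat" account (manager-gui plus manager-script with the example password), lists both deployment requests with their source IPs and authenticated users, and reports "8888" as a context that nobody on the allow-list created. Run against a real server, the same three checks need the real tomcat-users.xml and the full access log; the commented-out account shows why reading the XML through a parser rather than with grep matters, since only live accounts can authenticate.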
======
rosenjon
Looks like this program itself is designed to root your machine. If it has
proper permissions, the exeCmd method is designed to be able to execute
arbitrary commands on your machine. It's probably a command and control type
situation (looks like they even dropped in a javascript file browser), which
is kind of odd though if this is part of a botnet. If this script is actually
runnable, it would be hard to know what's been done to your machine.

~~~
Riyadh
Unfortunately the Tomcat log files don't contain any other information. I
still have to check and see what exactly gets logged when the script is used.
As of now I don't see any other calls logged, so my hope is that the timeouts
prevented worse from happening.

------
MalcolmDiggs
To be fair, all you know re: China is that an IP address near Shanghai was
_somehow_ involved (possibly as an innocent/unsuspecting member of a botnet,
possibly as a malicious attacker, possibly as a decoy to throw people off the
scent, possibly as a single node in an onion router, who knows).

I think it's a stretch to title this "What the Chinese deploy..." No need to
go there.

~~~
Artemis2
I think we can go as far as saying that the IP addresses' geolocation data are
irrelevant. On top of what you mentioned, a lot of companies are already using
IP addresses where they shouldn't be, because of the limited quantities of
IPv4 addresses.

------
hjek
There are a lot of strings and comments in the code, showing up as Mojibake. Could
be interesting to translate them.
[https://en.wikipedia.org/wiki/Mojibake](https://en.wikipedia.org/wiki/Mojibake)
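Mojibake of this kind usually means the source file was written in a multibyte encoding and later read as a single-byte one, so the original text can often be recovered by reversing the wrong decode and re-decoding with the right codec. The script below is an added example, not part of the thread or of the Gist; the sample string is constructed, and the assumption that the original encoding was a Chinese codec such as GBK is mine, which is why the function tries several candidates and scores each result by how much CJK text it yields.

```python
# Encodings the original file might really have used (assumed candidates).
CANDIDATE_SOURCE = ("gbk", "gb18030", "big5", "utf-8")
# Single-byte encodings a tool may have wrongly applied when displaying the file.
CANDIDATE_WRONG = ("latin-1", "cp1252")


def cjk_ratio(text):
    """Fraction of non-whitespace characters in the CJK Unified Ideographs block."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    cjk = sum(1 for c in chars if "\u4e00" <= c <= "\u9fff")
    return cjk / len(chars)


def unmojibake(text, threshold=0.5):
    """Try every (wrong, source) codec pair; return (source, wrong, recovered) for the
    best-scoring candidate, or None when no pair produces mostly CJK text."""
    candidates = []
    for wrong in CANDIDATE_WRONG:
        try:
            raw = text.encode(wrong)  # undo the wrong decode to get the original bytes
        except UnicodeEncodeError:
            continue  # this single-byte codec cannot have produced these characters
        for source in CANDIDATE_SOURCE:
            try:
                recovered = raw.decode(source)
            except UnicodeDecodeError:
                continue
            candidates.append((cjk_ratio(recovered), source, wrong, recovered))
    if not candidates:
        return None
    best = max(candidates, key=lambda c: c[0])  # first max wins on ties
    if best[0] < threshold:
        return None
    return best[1], best[2], best[3]


# Constructed sample: a Chinese comment ("upload file") saved as GBK and shown as Latin-1.
ORIGINAL_COMMENT = "上传文件"
GARBLED_COMMENT = ORIGINAL_COMMENT.encode("gbk").decode("latin-1")

if __name__ == "__main__":
    print("garbled:  ", GARBLED_COMMENT)
    print("recovered:", unmojibake(GARBLED_COMMENT))
```

The scoring step is what keeps this from being a blind guess: a wrong codec pair either raises a decode error or yields Latin or symbol characters, both of which score near zero, while the correct pair yields ideographs and scores near one. Plain ASCII strings come back as None because they were never garbled in the first place.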