Apache Tomcat is a Java-based web application server used for many different applications. While you may have it running in your environment, you may not be familiar enough with its workings to provide adequate incident response. The first thing to establish is where Tomcat is installed, which the process listing tells us:

    0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar

Here you can see that it is running from /usr/share/apache-tomcat-7.0.65.

The Tomcat configurations are located in the TOMCAT_HOME/config directory.

Now that we know where to look, let's go over the incident. A system was discovered to be compromised, so I started our IR process. When looking at the running processes, one process was quickly changing its name and running as root:

    qymasclks 10346 root

A filesystem timeline of the Tomcat directory around that time shows two new files:

    Tue Dec 01 2015 05:58:38,493137,mac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei.war
    Tue Dec 01 2015 05:58:38,69334,.ac.,-rw-r--r--,0,0,0,/usr/share/apache-tomcat-7.0.65/webapps/eei/a.jsp
There is a new file, eei.war, that has been created. Let's take a look at the Tomcat log files and see what we can get from that time frame:

    # fgrep "Dec 01, 2015"
    INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms
You can see that a new application has been deployed, which means the attacker had access to the Tomcat admin (manager) interface. Let's look at the access_log files to see if we can get more detail.
    # fgrep 01/Dec/2015
    122.236.51.194 - - [01/Dec/2015:05:58:08 -0500] GET /manager/html HTTP/1.1
    [01/Dec/2015:05:58:09 -0500] GET /manager/html HTTP/1.1
    122.236.51.194 - admin [01/Dec/2015:05:58:39 -0500] ?org.apache.catalina.filters.CSRF_NONCE=4C0343589816E985E2010C618944EF5A HTTP/1.1
    122.236.51.194 - - [01/Dec/2015:05:58:43 -0500] GET /eei/ HTTP/1.1
    122.236.51.194 - - [01/Dec/2015:05:58:45 -0500] POST /eei/ HTTP/1.1
    122.236.51.194 - - [01/Dec/2015:05:58:49 -0500] GET /eei/?action=command HTTP/1.1
    122.236.51.194 - - [01/Dec/2015:05:58:55 -0500] HTTP/1.1
    122.236.51.194 - - [01/Dec/2015:05:58:58 -0500] POST /eei/?action=command HTTP/1.1

The source IP first hits the manager application anonymously, then authenticates as admin, and a few seconds later starts requesting the newly deployed eei application. Let's see how the attacker was able to gain access as the admin user to the manager site. By viewing the tomcat-users.xml file, we can see that the default username is being used.
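The "authenticate to /manager, then request a context that did not exist before" sequence in the access log above is easy to check for mechanically. The script below is an added example, not part of the diary: it assumes Tomcat's common access log format with a quoted request line, the sample lines are constructed to mirror the excerpt above (status codes and byte counts are made up), and KNOWN_CONTEXTS is a placeholder for the applications you expect on your own server.

```python
import re
from collections import defaultdict

# Tomcat "common" access log format: host - user [ts] "METHOD path HTTP/1.x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"?'
)

# Placeholder baseline: the contexts you expect to exist on this server.
KNOWN_CONTEXTS = {"ROOT", "manager", "host-manager", "docs", "examples"}

# Constructed sample lines modelled on the diary's excerpt (status/bytes are made up).
SAMPLE_LOG = """\
122.236.51.194 - - [01/Dec/2015:05:58:08 -0500] "GET /manager/html HTTP/1.1" 401 2473
122.236.51.194 - admin [01/Dec/2015:05:58:39 -0500] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=4C0343589816E985E2010C618944EF5A HTTP/1.1" 200 14600
122.236.51.194 - - [01/Dec/2015:05:58:43 -0500] "GET /eei/ HTTP/1.1" 200 1180
122.236.51.194 - - [01/Dec/2015:05:58:49 -0500] "GET /eei/?action=command HTTP/1.1" 200 2048
10.0.0.5 - ops [01/Dec/2015:06:10:00 -0500] "GET /manager/html HTTP/1.1" 200 14600
10.0.0.5 - - [01/Dec/2015:06:10:05 -0500] "GET /docs/ HTTP/1.1" 200 300
"""

def parse(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # First path segment is the web application context ("/eei/?x" -> "eei").
    rec["context"] = rec["path"].split("?")[0].strip("/").split("/")[0] or "ROOT"
    return rec

def find_manager_deploys(lines, known=KNOWN_CONTEXTS):
    """Flag source IPs that authenticated to /manager and later requested a context
    outside the baseline. Returns {ip: {"manager_user": user, "new_contexts": [...]}}."""
    state = defaultdict(lambda: {"manager_user": None, "new_contexts": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = state[rec["ip"]]
        if rec["context"] == "manager" and rec["user"] != "-":
            s["manager_user"] = rec["user"]
        elif rec["context"] not in known and s["manager_user"]:
            s["new_contexts"].add(rec["context"])
    return {ip: {"manager_user": s["manager_user"], "new_contexts": sorted(s["new_contexts"])}
            for ip, s in state.items() if s["new_contexts"]}

if __name__ == "__main__":
    for ip, hit in find_manager_deploys(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: user {hit['manager_user']} then requested new context(s) {hit['new_contexts']}")
```

Run against a real access_log, the baseline should be built from the webapps directory as it looked before the incident window, otherwise the attacker's context is already "known".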
--
filename: kill.sh
filepath: /lib/udev
23.234.60.143 (C.rar download every 30 min)
--
Tom Webb
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.