What the Chinese deploy into your Tomcat server if you don't secure it
27 points by Riyadh 4310 days ago
I was going through the subfolders of one of the (public back then; currently shut down) Tomcat servers of a customer and noticed a strange deployment in the "webapps/"-folder. The deployable's filename was "8888.war" and the only file that it contained was "index.jsp".

Here's the content (anonymized two variables, just in case): https://gist.github.com/anonymous/93154503b5763961af9f (Please let me know if this goes against any HN rule, I'll delete the Gist right away.)

Looking at the source code you see what it does - uploading files and stuff, no rocket science.

Of course the deployment was made using the Tomcat manager console and the IP addresses that show up in the log file trace back to China/Shanghai, e.g. 112.65.211.246. (So that explains why the filename was "8888": http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Eight)

The "tomcat-users.xml" contained the default user names and passwords and the entire section was commented out. Someone was testing remote deployments and didn't bother changing the passwords first... well that's how you get ants.

I don't see what damage was actually done, except for a few attempted multipart/form uploads that timed out. Other than that the server was shut down about 2 weeks after the incident... which was more than enough time to have some fun.

I couldn't find any rootkits or anything else suspicious-looking, using the known tools (chkrootkit etc.).

Anyone else experienced this before?
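The three things this post describes (manager credentials left at their shipped defaults, a WAR dropped into webapps/ that holds nothing but one JSP, and the deployment arriving through the Tomcat manager application) can each be checked mechanically. The script below is an added triage example; it is not the poster's code and has nothing to do with the Gist. It assumes Tomcat's default access-log layout (`%h %l %u %t "%r" %s %b`), a small hand-picked list of passwords that appear in example `tomcat-users.xml` files, and a few constructed sample inputs that stand in for the real files and logs.

```python
"""Triage helpers for the Tomcat incident pattern in the post (added example, not the poster's code).

Checks, all run offline on constructed sample input:
  1. tomcat-users.xml: active users holding a manager/admin role with a weak password
  2. webapps/*.war:    archives whose only content is JSP files (the shape of "8888.war")
  3. access log:       successful deploy/upload requests to the manager app, with source IPs
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: passwords seen in shipped example configs; extend for your environment.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager", "role1", ""}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}

# Tomcat's default AccessLogValve pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload")


def weak_manager_users(xml_text: str) -> list:
    """(username, password) pairs with a manager/admin role and a weak password.
    Users inside <!-- --> are inactive: ElementTree drops comments, so they are not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":      # tolerate the xmlns="http://tomcat.apache.org/xml" form
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        pwd = elem.get("password", "")
        if roles & MANAGER_ROLES and pwd in WEAK_PASSWORDS:
            findings.append((elem.get("username"), pwd))
    return findings


def single_jsp_wars(wars: dict) -> list:
    """Names of WARs ({filename: bytes}) whose every file entry is a JSP: no WEB-INF, no classes."""
    suspicious = []
    for name, blob in wars.items():
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = [e for e in zf.namelist() if not e.endswith("/")]
        if entries and all(e.lower().endswith(".jsp") for e in entries):
            suspicious.append(name)
    return suspicious


def manager_deployments(log_lines) -> list:
    """(ip, user, method, path) for 2xx requests to the manager deploy/upload endpoints."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(DEPLOY_PATHS) and m["status"].startswith("2"):
            hits.append((m["ip"], m["user"], m["method"], m["path"]))
    return hits


def triage(users_xml: str, wars: dict, log_lines) -> dict:
    return {
        "weak_manager_users": weak_manager_users(users_xml),
        "single_jsp_wars": single_jsp_wars(wars),
        "manager_deployments": manager_deployments(log_lines),
    }


# ---- constructed sample input (not real data from the post) ----
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- commented out, therefore inactive:
  <user username="admin" password="admin" roles="manager-gui"/>
  -->
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="ops" password="Xq7-long-random-value" roles="manager-status"/>
</tomcat-users>
"""


def _make_war(files: dict) -> bytes:
    """Build an in-memory WAR (a zip) from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_WARS = {
    "8888.war": _make_war({"index.jsp": "<%-- constructed placeholder JSP --%>"}),
    "shop.war": _make_war({"index.jsp": "<html/>", "WEB-INF/web.xml": "<web-app/>",
                           "WEB-INF/classes/App.class": b"\xca\xfe\xba\xbe"}),
}

SAMPLE_LOG = [
    '203.0.113.5 - tomcat [03/Jun/2013:03:13:55 +0000] "GET /manager/html HTTP/1.1" 401 -',
    '203.0.113.5 - tomcat [03/Jun/2013:03:14:07 +0000] "PUT /manager/text/deploy?path=/8888&update=true HTTP/1.1" 200 51',
    '203.0.113.5 - tomcat [03/Jun/2013:03:14:09 +0000] "GET /8888/index.jsp HTTP/1.1" 200 2043',
    '198.51.100.7 - - [03/Jun/2013:09:00:00 +0000] "GET /shop/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_USERS_XML, SAMPLE_WARS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real host, feed `weak_manager_users` the contents of `conf/tomcat-users.xml`, `single_jsp_wars` the bytes of each `webapps/*.war`, and `manager_deployments` the lines of `logs/localhost_access_log.*.txt`; the deploy hit ties the source IP to the exact WAR path, which is the link the poster was missing between the log file and `8888.war`.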

3 comments

Looks like this program itself is designed to root your machine. If it has proper permissions, the exeCmd method is designed to be able to execute arbitrary commands on your machine. It's probably a command and control type situation (looks like they even dropped in a javascript file browser), which is kind of odd though if this is part of a botnet. If this script is actually runnable, it would be hard to know what's been done to your machine.
Unfortunately the Tomcat log files don't contain any other information. I still have to check and see what exactly gets logged when the script is used. As of now I don't see any other calls logged, so my hope is that the timeouts prevented worse from happening.
To be fair, all you know re: China is that an IP address near Shanghai was somehow involved (possibly as an innocent/unsuspecting member of a botnet, possibly as a malicious attacker, possibly as a decoy to throw people off the scent, possibly as a single node in an onion router, who knows).

I think it's a stretch to title this "What the Chinese deploy..." No need to go there.

I think we can go as far as saying that the IP addresses' geolocation data are irrelevant. On top of what you mentioned, a lot of companies are already using IP addresses where they shouldn't be, because of the limited quantities of IPv4 addresses.
You're right about that, Malcolm. Then again that was just one of several IP addresses tracking to China.

Nevertheless I should have replaced "Chinese" with "hackers".

There are a lot of strings and comments in the code showing up as mojibake. Could be interesting to translate them. https://en.wikipedia.org/wiki/Mojibake