A malicious backdoor designed to infect web servers poses a severe threat, Trend Micro warns. The malware, dubbed BKDR_JAVAWAR.JG, poses as a Java Server page but actually creates a backdoor on compromised servers. "This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other …
Strictly speaking, is this a Java exploit? I might be reading this wrong, but it seems to me the server needs to be previously compromised so that a file is deployed. Only then is tomcat/other told to install a web portal to give easy access to the server for miscreants.
I'm guessing the ease of installing WARs is what's being used as an easy way of giving access, but apart from that, it's hardly a Java exploit?
I could certainly be wrong, not many details in that article.
Not really a Java Exploit
Completely agree with WeaselNo7. This is a fairly basic script which allows you to read/write/navigate files and folders on a server. There is nothing in the Trend article about this having the ability to actually get itself onto a system.
Same conclusion as WeaselNo7: crack the password to gain access to a server, and then you can do naughty things.
No wonder they removed the article rating system.
It would probably avoid confusion if the article concentrated on this being an 'innovative use of an existing tomcat/other servlet container on an already compromised server to allow ne'er-do-wells to have easy web access to server content'.
On headlines, put some words in a BIG FONT and you are done.
Trendlabs, clear as mud.
This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.
Woah now, someone with Hollywood cyberspace sense must have written this.
What does it all mean?
Re: Trendlabs, clear as mud.
The whole original blog post is pretty useless: "We recently spotted a Java Server page that performs backdoor routines and gains control over vulnerable server."
But what does it mean by "vulnerable server" - one that's mis-configured or what?
And why haven't the journalists at El Reg tried to work out what they mean..???
Surely if Java is running on your server
Then it's already useless anyway?
This can't be blamed on Microsoft? What's happening? Were the Mayans right... did the world end while I nursed my festive hangover?!
Remote access server app allows remote access SHOCK!
I think by "vulnerable host" they mean "one that's already been hacked and had a malicious JSP uploaded to it."
i.e. if the web system/account has been compromised, the JSP will then attack other accounts on the system.
I'm sure there's a Blackadder quote which goes with that statement.
Malware doesn't open creaky back door to servers...
Let me see if I understand: you first have to brute-force the admin password on a Java-based HTTP server, only then can you upload and install the malware, which can only target Windows. What's the point of posting this 'information'?
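The chain these commenters describe (guess the manager password, then use the servlet container's own deployment feature to drop a WAR or JSP) leaves a recognisable trace in the container's access log. As an added example that is not part of the article or any comment, the script below scans Tomcat-style access log lines for a client that accumulates 401s against the manager app and then gets a 200 on a deploy or upload request; the log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default AccessLogValve "common"
# pattern; these are not real logs from any host.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Dec/2012:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [27/Dec/2012:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [27/Dec/2012:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [27/Dec/2012:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [27/Dec/2012:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - admin [27/Dec/2012:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 18422
203.0.113.5 - admin [27/Dec/2012:10:00:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 19110
198.51.100.7 - - [27/Dec/2012:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 512
"""

# ip, ident, user, timestamp, "METHOD path PROTO", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that install an application (HTML upload form and the
# text interface's deploy command).
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")


def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_manager_abuse(log_text, fail_threshold=4):
    """Map client IP -> deploy/upload paths that succeeded after that client
    had already collected at least fail_threshold 401s on the manager app."""
    failures = defaultdict(int)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or not ev["path"].startswith("/manager/"):
            continue
        if ev["status"] == "401":
            failures[ev["ip"]] += 1
        elif ev["status"] == "200" and failures[ev["ip"]] >= fail_threshold \
                and ev["path"].startswith(DEPLOY_PREFIXES):
            hits[ev["ip"]].append(ev["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_manager_abuse(SAMPLE_LOG).items():
        print(f"{ip}: deployed after repeated manager login failures -> {paths}")
```

A real deployment would also want the time window between the failures and the deploy, which the sample keeps out for brevity.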