
We have a Tomcat server running on a Windows 2012 server which seems to be constantly attacked by Sage 2.0 ransomware. Some details of the server:

1) Tomcat is running on port 80 and 8080.
2) Cygwin is also running.
3) There are no other ports open externally.

We are not sure how the infection is reaching the server in the first place. We formatted our server and re-installed everything, but it got infected again, and this was when no files were copied from anywhere.

Any pointers to how we begin to solve this problem would be really helpful.

Cool Techie
  • The problem might be in your app. Check every place where it would accept any incoming data from anywhere... – Anubioz Mar 25 '17 at 03:57
  • The app accepts files only after authorisation and with a valid session. Also, we noticed a suspicious JSP file in webapps/ROOT; how can anyone get access to that location when the PUT method is prevented? – Cool Techie Mar 25 '17 at 06:18
  • By uploading a file with a specially crafted name (like "../../../file%2Ejsp") with brute-forced or leaked credentials? There are lots of ways to do that if your code doesn't do [input validation](https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet) – Anubioz Mar 25 '17 at 06:37
  • @Anubioz How to protect? Do I place a filter which blocks all, or is there any other standard way? – Cool Techie Mar 25 '17 at 08:41
  • Or could you point me to how this ../../../file%2Ejsp is done, and I can check how to actually block it. – Cool Techie Mar 25 '17 at 08:43
  • I am not able to get how someone can upload and write a file to the local ROOT folder, so that is what I am trying to understand. I understand it can happen, but I want to understand and replicate the HOW. Help would be really appreciated. – Cool Techie Mar 25 '17 at 08:47
  • http://stackoverflow.com/questions/18664579/recommended-way-to-save-uploaded-files-in-a-servlet-application – Anubioz Mar 25 '17 at 08:48
  • You may actually want to start with grepping all your server logs for POST requests from suspicious IPs - it may help you to determine which files are actually vulnerable... – Anubioz Mar 25 '17 at 08:55
  • Possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – kasperd Mar 26 '17 at 11:15
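A defensive check for the upload path discussed in the comments (a client-supplied name such as `../../../file%2Ejsp` ending up inside webapps/ROOT), as an added Java example that is not part of the question or any comment; the upload root `C:/uploads`, the class name and the method name are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

public final class SafeUpload {
    // Hypothetical upload root: outside the webapp tree, so Tomcat never executes what lands here.
    private static final Path UPLOAD_ROOT = Paths.get("C:/uploads").toAbsolutePath().normalize();
    // Extensions Tomcat (or the OS) would execute; uploads of these are refused outright.
    private static final Set<String> BLOCKED_EXT = Set.of("jsp", "jspx", "jspf", "war", "jar", "exe", "bat");
    // Allow-list for the stored name: letters, digits, dot, underscore, dash only.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,100}");

    /** Returns the path an upload may be written to, or throws if the client-supplied name is unsafe. */
    public static Path resolveUploadTarget(String clientFileName) {
        // Decode once so "%2E" / "%2F" cannot hide a dot or slash from the checks below.
        String decoded = URLDecoder.decode(clientFileName, StandardCharsets.UTF_8);
        // Keep only the last path element: "../../../file.jsp" becomes "file.jsp".
        String base = decoded.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (!SAFE_NAME.matcher(base).matches() || base.startsWith(".")) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        String ext = base.contains(".") ? base.substring(base.lastIndexOf('.') + 1).toLowerCase() : "";
        if (BLOCKED_EXT.contains(ext)) {
            throw new IllegalArgumentException("rejected executable extension: " + clientFileName);
        }
        // Containment check: after normalisation the target must still be under UPLOAD_ROOT.
        Path target = UPLOAD_ROOT.resolve(base).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names: one benign, the rest shaped like the traversal case from the comments.
        String[] names = {"report.pdf", "../../../file%2Ejsp", "..%2F..%2Fwebapps%2FROOT%2Fx.jsp", "notes+.txt"};
        for (String name : names) {
            try {
                System.out.println(name + " -> " + resolveUploadTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```

The same rule applies to the stored name regardless of the Windows/Cygwin mix on the host: the servlet decides the final path, never the client.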

0 Answers