Malware can be used to infect other machines and for DDoS attacks

Nov 21, 2013 15:56 GMT

Symantec has identified that servers running Apache Tomcat are being affected by a backdoor worm that acts as a Java Servlet; instead of creating a web page, however, it behaves as an IRC bot that receives commands from the attacker.

Users landing on pages served by a compromised server are not in any danger, though, because the threat (Java.Tomdep) is designed to scan for and infect other Tomcat servers.

Logging in to other servers seems to be achieved by trying a set of weak usernames and passwords such as “admin:admin”, “tomcat:tomcat”, “admin:password” or a combination of these.
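A defender's check for the credential pairs quoted above, as an added example that is not from Symantec or the original article: it scans a tomcat-users.xml for accounts set to any of those pairs, stored in plain text or as an unsalted hex digest. The sample file, the digest list and the function names are assumptions made for this example.

```python
import hashlib
import itertools
import xml.etree.ElementTree as ET

# User names and passwords from the pairs quoted in the article, which says
# combinations of them are tried as well.
USERNAMES = ("admin", "tomcat")
PASSWORDS = ("admin", "tomcat", "password")
WEAK_PAIRS = set(itertools.product(USERNAMES, PASSWORDS))
DIGESTS = ("md5", "sha1", "sha256")  # assumption: unsalted hex digests only

# Constructed sample in the tomcat-users.xml layout, not taken from a real server.
# The second password is the MD5 hex digest of "password".
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="tomcat" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="manager-script"/>
  <user username="deploy" password="constructed-long-random-value" roles="manager-script"/>
</tomcat-users>"""


def matches(stored, candidate):
    """True if stored equals candidate in plain text or as an unsalted hex digest."""
    data = candidate.encode("utf-8")
    digests = {hashlib.new(name, data).hexdigest() for name in DIGESTS}
    return stored == candidate or stored.lower() in digests


def find_weak_accounts(xml_text):
    """Return (username, matched_password) for each <user> set to a weak pair."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Newer files declare an XML namespace; compare the local tag name only.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat reads the account name from username=, falling back to name=.
        user = elem.get("username") or elem.get("name") or ""
        stored = elem.get("password") or ""
        for name, candidate in sorted(WEAK_PAIRS):
            if user == name and matches(stored, candidate):
                findings.append((user, candidate))
    return findings


if __name__ == "__main__":
    for user, password in find_weak_accounts(SAMPLE_XML):
        print(f"weak credentials: {user}:{password}")
```

Salted or iterated credential formats are not recognised by this comparison, so an empty result does not show that every stored password is strong.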

Because of this behavior, Symantec researchers speculate that DDoS attacks launched from such servers may be the attacker's intended purpose. The attacker's command and control servers have been located in Taiwan and Luxembourg.

Symantec notes that antivirus protection is not as widespread on servers as it is on personal computers, and advises administrators to deploy fully patched and updated security tools.