If a Tomcat 7 instance (on Ubuntu 12.x) gets hacked (because of a weak username/password), what is the hacker able to do? Of course he can deploy .war archives.
But can he get access to the complete file system? Can he change the Tomcat/FTP/Ubuntu admin passwords? Or are there no limits at all?
If you are talking about a weak password for the Tomcat manager application (which you can use to deploy new web applications): well, can you imagine a web application called "remote file explorer"? Or "remote shell"? Basically, if you can upload code to servers that gets executed, there's almost no limit.
Well, the limit is set by your admins: Java (and with it Tomcat) can run in a sandbox/security manager. I actually don't know many installations that do this. Also, quite a lot of Tomcat installations run as the root user; if you lose control over such an instance, you're toast.
So the question you're asking is: "Is it dangerous when attackers can run arbitrary code on my server?" I hate to reveal this, but the answer is "yes".
As for Tomcat, I feel that the manager application is nice for debugging, but not something you want to deploy on a production system, visible to the world. But that's only a very small part of the hardening process.
Oh, and even though it might not exactly fit in this context, you might want to look at Java/Tomcat hacked; I just found this scrolling by. A nice alternative vulnerability to a weak password.
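The three weaknesses the answer names (Tomcat running as root, the manager webapp deployed, no Java security manager) can be audited from a shell on the Ubuntu host. The script below is an added example, not code from the original post; the CATALINA_BASE path, the TOMCAT7_SECURITY setting name and the sample process lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks a Tomcat 7 host for the
# three weaknesses discussed above. Paths below are assumptions for Ubuntu's tomcat7 package.

CATALINA_BASE="${CATALINA_BASE:-/var/lib/tomcat7}"   # assumed package default

# 1. Is any Tomcat JVM running as root?  Reads `ps -eo user,args` text on stdin.
#    Returns 0 (true) when a root-owned java process carries a catalina/tomcat marker.
tomcat_runs_as_root() {
    grep -qE '^root[[:space:]]+.*java.*(catalina|tomcat)'
}

# 2. Is the manager webapp deployed?  Argument: the CATALINA_BASE directory.
manager_app_deployed() {
    [ -d "$1/webapps/manager" ] || [ -f "$1/webapps/manager.war" ] \
        || [ -f "$1/conf/Catalina/localhost/manager.xml" ]
}

# 3. Is the Java security manager enabled?  Reads the JVM command line on stdin.
#    catalina.sh adds -Djava.security.manager when started with "-security";
#    on Ubuntu this is driven by TOMCAT7_SECURITY=yes in /etc/default/tomcat7 (assumed).
security_manager_enabled() {
    grep -qE -- '-Djava\.security\.manager|[[:space:]]-security([[:space:]]|$)'
}

# Live audit of this host: one FINDING line per weakness, nothing if all clear.
audit_host() {
    if ps -eo user,args | tomcat_runs_as_root; then
        echo "FINDING: Tomcat JVM runs as root; run it as the unprivileged tomcat7 user"
    fi
    if manager_app_deployed "$CATALINA_BASE"; then
        echo "FINDING: manager webapp deployed; remove it or restrict it to trusted addresses"
    fi
    if ! ps -eo args | grep '[c]atalina' | security_manager_enabled; then
        echo "FINDING: Java security manager is off (TOMCAT7_SECURITY=no)"
    fi
}

# Constructed sample process list for offline testing (not captured from a real host).
SAMPLE_PS='tomcat7  /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.security.manager -Djava.security.policy=/var/lib/tomcat7/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
root     /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start'

# Run the live audit only when explicitly asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it with `--live` on the host; each FINDING maps to one of the fixes above (drop privileges, remove or restrict the manager app, enable the security manager).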