Wowza Community

Securing Wowza Streaming Engine Manager from Backdoors

Dear All,

Recently, the Microsoft Defender reported backdoor:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/BadecShell.A!dha&ThreatID=2147809911

from:

file: C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\webapps\enginemanager\img\wowza_kmEQx.jsp

file: C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\webapps\enginemanager\img\wowza_UeLWx.jsp

file: C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\work\Tomcat\localhost\enginemanager\org\apache\jsp\img\wowza_005fkmEQx_jsp.java

file: C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\work\Tomcat\localhost\enginemanager\org\apache\jsp\img\wowza_005fUeLWx_jsp.java

Additionally the following files were found:
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\work\Tomcat\localhost\enginemanager\org\apache\jsp\img\wowza_005fkmEQx_jsp.class

C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp\work\Tomcat\localhost\enginemanager\org\apache\jsp\img\wowza_005fUeLWx_jsp.class

It is assumed, that this backdoor was used to install (detected by ESET AV):

which resulted in a bitcoin mining software. That software established a VPN link to an IP reported to be blacklisted on:

https://whatismyipaddress.com/blacklist-check

The PC was showing dllhost.exe (otherwise not used) to be using 3 and then 6 CPU cores before it was blocked.

This happened on Windows 2019 Server Standard with all updates installed and Wowza Streaming Engine Version

4.8.8.01

Which we cannot update due to excessive CPU usage of the Beamr video encoder used by Wowza in the newer releases.

Is it safe to delete the contents of the folder:

C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.2.0\manager\temp

???

It has over 100MB and 4000+ files.

Thanks!
Atmapuri

Before you delete the files you have some debugging to do. Otherwise you will have the same problem again in no time.

  • Did you secure your windows server? installing with the basic settings is not enough.
  • Windows defender is not suitable for servers (in my opinion).
  • Get server monitoring (zabbix or some sort).
  • Close down all the ports you dont need
  • is your Java up-to-date?
  • Did you patch your Wowza with the log4j patch?
    UPDATE: FIX RELEASED FOR BOTH CVE-2021-44228 or CVE-2021-45046/ log4j2

You have to find the source first and close that down. Close the leak first then you can delete the files.
Edit: Am i right you already found the source?

If you have an annual license you could also ask wowza for support. I don’t think they help you with removing the trojan, but they can advise you on your Windows setup.

Did you secure your windows server? installing with the basic settings is not enough.

We have been running the server for several years. However, if you have additional suggestions, of course it would be interesting to hear.

Windows defender is not suitable for servers (in my opinion).

It did find the malware written in java, which other AV did not. But then again not everything.

Get server monitoring (zabbix or some sort).

Thats a nice idea.

Close down all the ports you dont need

Of course.

is your Java up-to-date?

Using standard included with Wowza installation. It was not clear which version will work with Wowza. There were some constraints before.

Did you patch your Wowza with the log4j patch?

We did something when the issue was first publicized, but will look at this again.

Edit: Am i right you already found the source?

We are guessing that the point of Entry was “Wowza Streaming Engine Manager” because:
a.) The .class files of compiled Java malware code specifically contain the name “wowza” several times.
b.) The malware files were located in the “temp or working” sub-folder of the manager.

With a bit (not too much) of wild-guessing, the “Wowza streaming Engine Manager” has become a target of a bot-net. We were not running the manager on a default port either. Thus far we have:

a.) Added dllhost.exe to Firewall to block all connections. (distribution method)
b.) Removed “Wowza Streaming Engine Manager” from public internet. (assumed entry point)

If you have an annual license you could also ask wowza for support.

Yes, we will do that. I just wanted to post first in to a public forum, because we never saw a bot-net that targets Wowza specifically and maybe it will help others.

Kind Regards!
Atmapuri