HideShell
A JSP backdoor that enables under Tomcat hiding arbitrary JSP files, in addition to their access logs. JSPs hidden by hideshell.jsp remain accessbile until the next reboot of Tomcat instance.
Environments tested
- Tomcat 7
- Tomcat 8
How it works?
TL;DR
Hideshell.jsp hides JSP files by simply deleting them, while persuading Tomcat into believing that files are still there, thus serving them as usual.