One more insight: In our case the attacker used the Tomcat manager interface (that unfortunately was publicly open with the default password) to install a servlet that started the worm.
We have also experienced this attack on one of our machines hosted at the Amazon cloud. The instance has been there for only a couple of days and was...