From: Mark Thomas
To: Tomcat Users List
Date: Mon, 11 Aug 2008 10:33:59 +0100
Subject: Re: Possible virus uploaded to Tomcat 5.5.3 - SOLVED

Sameer Acharya wrote:
> Just a couple of questions on this.
>
> 1. I read your mail exchange and it seems that the OP has mentioned no Manager app was installed, but your analysis indicates that the rogue app was uploaded through manager app?

There were quite a few e-mails exchanged off list, mainly because they contain specific details like IP addresses, ports, config files etc.

> 2. Normally firewalls keep a log of port activity so was this activity not detected by the firewall?

That depends on a) the firewall and b) how different this traffic looks from normal traffic. In this case the firewall didn't generate an alert.

Mark