tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: tomcat server hacked
Date Tue, 18 Aug 2009 14:55:14 GMT
> From: Leon Rosenberg [mailto:rosenberg.leon@googlemail.com]
> Subject: Re: tomcat server hacked
> 
> Have you run your tomcat as root and what is your
> kernel version?

According to the first post, Tomcat runs via jsvc with the userid Tomcat.

> If you don't run your tomcat as root and have a more or
> less up-to-date kernel without local root exploits, it's
> highly improbable that you got hacked via tomcat.

Agreed.  Certainly looks like the Tomcat files have been hacked, but nothing presented so
far indicates the hacking was done through Tomcat; rather, the hacking appears to have been
done via some typical interactive mechanism such as telnet, SSH, or VNC.  I can't think of
any mechanism within Tomcat that would permit such file changes to be made.  The presence
of conf/server.xml~ indicates some standard text editor was used, which is obviously not possible
via Tomcat.  Note that Tomcat itself *never* writes server.xml.

 - Chuck
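
The check implied by the reply above, as an added example that is not part of the original message or of Tomcat: it lists text-editor leftovers such as `conf/server.xml~` under a Tomcat directory and names the live files that differ from their backup copy. The function names and the list of editor file patterns are assumptions made for this sketch.

```shell
#!/bin/sh
# Added triage example (not from the original thread).
# Tomcat never writes conf/server.xml, so an editor backup or swap file next
# to it points to an interactive edit (shell, SSH, VNC), not to Tomcat.

# List editor leftovers under a directory, one path per line, sorted:
#   name~            backup copy (emacs, gedit, nano -B, ...)
#   #name#           emacs auto-save
#   .name.swp/.swo   vim swap file
find_editor_artifacts() {
    find "$1" -type f \( -name '*~' -o -name '#*#' -o -name '.*.sw[po]' \) \
        2>/dev/null | LC_ALL=C sort
}

# For every "name~" backup whose live file exists and differs, print the live
# file's path. The backup typically holds the content from before the edit,
# so `diff -u name~ name` shows what the editing session changed.
changed_since_backup() {
    find "$1" -type f -name '*~' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r bak; do
        live=${bak%\~}
        if [ -f "$live" ] && ! cmp -s "$bak" "$live"; then
            printf '%s\n' "$live"
        fi
    done
}

# Usage: sh triage.sh /path/to/tomcat   (path supplied by the operator)
if [ -n "${1:-}" ]; then
    echo "== editor artifacts =="
    find_editor_artifacts "$1"
    echo "== files changed since their backup =="
    changed_since_backup "$1"
fi
```

Run it against a copy or read-only mount of the affected directory so that file timestamps on the original are preserved for later analysis.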

