tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Knol <nickk...@gmail.com>
Subject tomcat server hacked
Date Tue, 18 Aug 2009 13:45:09 GMT
First post, sorry if I'm breaking protocol.  I could really use help
tightening up security with the tomcat web server I'm running.  A hacker got
in and trashed a bunch of files and I'm scared to death it will happen
again.   I've been setting up a tomcat web server with the native apr
library on a linux box and it looks like I got hacked through it.  I've been
using iptable, ssh, and vncserver to login to the box and have been as
careful as I know how to be with security in that regard (although its quite
possible I've made a mistake there, I have reason to believe that the fault
lies w/ tomcat as you'll see).    Here is the server info:

Tomcat Version: Apache Tomcat/6.0.14
OS Name: Linux
OS Version: 2.6.18-128.1.6.el5xen
OS Architecture: amd64
JVM Version: 1.6.0_14-b08

JVM Vendor: Sun Microsystems Inc.

One thing that I definitely was not careful  about was file permissions w/
regard to my home database and $CATALINA_HOME, so that's probably how the
hacker managed to screw around with my files.  I'm starting tomcat through
jsvc using the following script in init.d:

*#!/bin/sh*
*#*
*# Startup script for Tomcat*
*#*
*# chkconfig: - 2345 86 15*
*# description: Tomcat is a JSP server.*
*# processname: tomcat*
*# pidfile: /var/run/jsvc.pid*
*
*
*. /etc/init.d/functions*
*
*
*JAVA_HOME=/usr/java/latest*
*CATALINA_HOME=/opt/tomcatus/tomcat*
*CATALINA_BASE=/opt/tomcatus/tomcat*
*DAEMON_HOME=$CATALINA_HOME/bin*
*TOMCAT_USER=tomcat*
*
*
*TMP_DIR=/var/tmp*
*PID_FILE=/var/run/jsvc.pid*
*
*
*CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"*
*JAVA_OPTS="-Xms256m -Xmx512m
-Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"*
*SECURITY_OPTS="-Djava.security.manager
-Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"*
*
CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
*
*
*
*
*
*start() {*
*    # Start Tomcat*
*    echo "Starting Tomcat"*
*    rm -f $CATALINA_HOME/logs/catalina.out*
*    $DAEMON_HOME/jsvc \*
*    -user $TOMCAT_USER \*
*    -home $JAVA_HOME \*
*    -Dcatalina.home=$CATALINA_HOME \*
*    -Dcatalina.base=$CATALINA_BASE \*
*    -Djava.io.tmpdir=$TMP_DIR \*
*    -wait 10 \*
*    -pidfile $PID_FILE \*
*    -outfile $CATALINA_HOME/logs/catalina.out \*
*    -errfile '&1' \*
*    $CATALINA_OPTS \*
*    $JAVA_OPTS \*
*    $SECURITY_OPTS \*
*    -cp $CLASSPATH \*
*    org.apache.catalina.startup.Bootstrap*
*}   *
*case "$1" in*
*  start)*
*    start*
*    ;;*
*  *)*
*    echo "Usage $0 (start|stop|status|restart|log)"*
*    exit 1;;*
*
*
*esac*
* *
*exit $?*



Here are the following things that's been messed up on the machine:

-My user account was deleted


-/etc/ssh/ssh_host_key.pub file was modified (one key added, another
deleted)


-my user home directory was added to
$CATALINA_HOME/webapps/<app_name>/META-INF/<username>


- $CATALINA_HOME/conf/server.xml was changed to this:

*<!--<Valve
className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
/>-->->*
*       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"  *
*            <Alias>analysisfactory.biz</Alias>Aware="false">"
unpackWARs="true" autoDeploy="false"sword" *
*
*
*
*
*       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"  *
*  ** **               prefix="localhost." pattern="common"
resolveHosts="false"/>*
*
*
*
*
* **   <!-- <Valve
className="org.apache.catalina.valves.RequestDumperValve"/> -->*
*</Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT
*



-file $CATALINA_HOME/conf/server.xml~ was added:

  *  <Engine name="Catalina"
defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
/>-->->*
*            <Alias>analysisfactory.biz</Alias>Aware="false">"
unpackWARs="true" autoDeploy="false"sword" *
*
*
*
*
*       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"  *
*  ** **               prefix="localhost." pattern="common"
resolveHosts="false"/>*
*
*
*
*
* **   <!-- <Valve
className="org.apache.catalina.valves.RequestDumperValve"/> -->*
*</Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT
*




Does anyone recognize these symptoms and could possibly point me to a fix?
 Thanks a million.

-Nick

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message