tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leon Rosenberg <rosenberg.l...@googlemail.com>
Subject Re: tomcat server hacked
Date Tue, 18 Aug 2009 14:32:24 GMT
just a quick shot. Have you run your tomcat as root and what is your
kernel version?

If you don't run your tomcat as root and have a more or less uptodate
kernel without local root exploits, its highly unprobable that
you got hacked via tomcat.
Do you have anything that proves it anyway? :-)


best regards
Leon

On Tue, Aug 18, 2009 at 3:45 PM, Nick Knol<nickknol@gmail.com> wrote:
> First post, sorry if I'm breaking protocol.  I could really use help
> tightening up security with the tomcat web server I'm running.  A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again.   I've been setting up a tomcat web server with the native apr
> library on a linux box and it looks like I got hacked through it.  I've been
> using iptable, ssh, and vncserver to login to the box and have been as
> careful as I know how to be with security in that regard (although its quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ tomcat as you'll see).    Here is the server info:
>
> Tomcat Version: Apache Tomcat/6.0.14
> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
>
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful  about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files.  I'm starting tomcat through
> jsvc using the following script in init.d:
>
> *#!/bin/sh*
> *#*
> *# Startup script for Tomcat*
> *#*
> *# chkconfig: - 2345 86 15*
> *# description: Tomcat is a JSP server.*
> *# processname: tomcat*
> *# pidfile: /var/run/jsvc.pid*
> *
> *
> *. /etc/init.d/functions*
> *
> *
> *JAVA_HOME=/usr/java/latest*
> *CATALINA_HOME=/opt/tomcatus/tomcat*
> *CATALINA_BASE=/opt/tomcatus/tomcat*
> *DAEMON_HOME=$CATALINA_HOME/bin*
> *TOMCAT_USER=tomcat*
> *
> *
> *TMP_DIR=/var/tmp*
> *PID_FILE=/var/run/jsvc.pid*
> *
> *
> *CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"*
> *JAVA_OPTS="-Xms256m -Xmx512m
> -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"*
> *SECURITY_OPTS="-Djava.security.manager
> -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"*
> *
> CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
> *
> *
> *
> *
> *
> *start() {*
> *    # Start Tomcat*
> *    echo "Starting Tomcat"*
> *    rm -f $CATALINA_HOME/logs/catalina.out*
> *    $DAEMON_HOME/jsvc \*
> *    -user $TOMCAT_USER \*
> *    -home $JAVA_HOME \*
> *    -Dcatalina.home=$CATALINA_HOME \*
> *    -Dcatalina.base=$CATALINA_BASE \*
> *    -Djava.io.tmpdir=$TMP_DIR \*
> *    -wait 10 \*
> *    -pidfile $PID_FILE \*
> *    -outfile $CATALINA_HOME/logs/catalina.out \*
> *    -errfile '&1' \*
> *    $CATALINA_OPTS \*
> *    $JAVA_OPTS \*
> *    $SECURITY_OPTS \*
> *    -cp $CLASSPATH \*
> *    org.apache.catalina.startup.Bootstrap*
> *}   *
> *case "$1" in*
> *  start)*
> *    start*
> *    ;;*
> *  *)*
> *    echo "Usage $0 (start|stop|status|restart|log)"*
> *    exit 1;;*
> *
> *
> *esac*
> * *
> *exit $?*
>
>
>
> Here are the following things that's been messed up on the machine:
>
> -My user account was deleted
>
>
> -/etc/ssh/ssh_host_key.pub file was modified (one key added, another
> deleted)
>
>
> -my user home directory was added to
> $CATALINA_HOME/webapps/<app_name>/META-INF/<username>
>
>
> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> *<!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->*
> *       <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"  *
> *            <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword" *
> *
> *
> *
> *
> *       <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"  *
> *  ** **               prefix="localhost." pattern="common"
> resolveHosts="false"/>*
> *
> *
> *
> *
> * **   <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->*
> *</Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT
> *
>
>
>
> -file $CATALINA_HOME/conf/server.xml~ was added:
>
>  *  <Engine name="Catalina"
> defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
> />-->->*
> *            <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword" *
> *
> *
> *
> *
> *       <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"  *
> *  ** **               prefix="localhost." pattern="common"
> resolveHosts="false"/>*
> *
> *
> *
> *
> * **   <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->*
> *</Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT
> *
>
>
>
>
> Does anyone recognize these symptoms and could possibly point me to a fix?
>  Thanks a million.
>
> -Nick
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message