tomcat-users mailing list archives

From Nikolay Diulgerov <ndiulge...@imx.fr>
Subject Re: tomcat server hacked
Date Tue, 18 Aug 2009 14:29:36 GMT
Hello Nick,
Probably one of the Tomcat developers will comment on the Tomcat-related part, but

-/etc/ssh/ssh_host_key.pub file was modified (one key added, another
deleted)


This file is owned by root, and only root has access to modify it.
Are you sure your root account is not compromised?



Best regards,

Nikolay Diulgerov
Network Administrator
E-mail: ndiulgerov@imx.fr
Telephone : +33 4 89 87 77 77
Fax :       +33 4 89 87 77 00
Web: http://www.codix-france.com



Nick Knol wrote:
> First post, sorry if I'm breaking protocol.  I could really use help
> tightening up security with the tomcat web server I'm running.  A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again.   I've been setting up a tomcat web server with the native apr
> library on a linux box and it looks like I got hacked through it.  I've been
> using iptable, ssh, and vncserver to login to the box and have been as
> careful as I know how to be with security in that regard (although its quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ tomcat as you'll see).    Here is the server info:
>
> Tomcat Version: Apache Tomcat/6.0.14
> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
>
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful  about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files.  I'm starting tomcat through
> jsvc using the following script in init.d:
>
> #!/bin/sh
> #
> # Startup script for Tomcat
> #
> # chkconfig: - 2345 86 15
> # description: Tomcat is a JSP server.
> # processname: tomcat
> # pidfile: /var/run/jsvc.pid
>
> . /etc/init.d/functions
>
> JAVA_HOME=/usr/java/latest
> CATALINA_HOME=/opt/tomcatus/tomcat
> CATALINA_BASE=/opt/tomcatus/tomcat
> DAEMON_HOME=$CATALINA_HOME/bin
> TOMCAT_USER=tomcat
>
> TMP_DIR=/var/tmp
> PID_FILE=/var/run/jsvc.pid
>
> CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
> JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
> SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"
>
> CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
>
> start() {
>     # Start Tomcat
>     echo "Starting Tomcat"
>     rm -f $CATALINA_HOME/logs/catalina.out
>     $DAEMON_HOME/jsvc \
>     -user $TOMCAT_USER \
>     -home $JAVA_HOME \
>     -Dcatalina.home=$CATALINA_HOME \
>     -Dcatalina.base=$CATALINA_BASE \
>     -Djava.io.tmpdir=$TMP_DIR \
>     -wait 10 \
>     -pidfile $PID_FILE \
>     -outfile $CATALINA_HOME/logs/catalina.out \
>     -errfile '&1' \
>     $CATALINA_OPTS \
>     $JAVA_OPTS \
>     $SECURITY_OPTS \
>     -cp $CLASSPATH \
>     org.apache.catalina.startup.Bootstrap
> }
>
> case "$1" in
>   start)
>     start
>     ;;
>   *)
>     echo "Usage $0 (start|stop|status|restart|log)"
>     exit 1;;
> esac
>
> exit $?
>
>
>
> Here are the following things that's been messed up on the machine:
>
> -My user account was deleted
>
>
> -/etc/ssh/ssh_host_key.pub file was modified (one key added, another
> deleted)
>
>
> -my user home directory was added to
> $CATALINA_HOME/webapps/<app_name>/META-INF/<username>
>
>
> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> <!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>             <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>                prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>    <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT
>
>
>
> -file $CATALINA_HOME/conf/server.xml~ was added:
>
>     <Engine name="Catalina"
> defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
> />-->->
>             <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>                prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>    <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT
>
>
>
>
> Does anyone recognize these symptoms and could possibly point me to a fix?
>  Thanks a million.
>
> -Nick
>
>   
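Nick's init script drops from root to $TOMCAT_USER through jsvc's -user option, and he says he was not careful with permissions on $CATALINA_HOME. The following audit script is an added example, not code from the thread; it assumes only POSIX sh, find and id, and lists what that service user could alter on disk.

```shell
#!/bin/sh
# Added example (not from the thread): audit which paths under a Tomcat tree
# the unprivileged service user can modify. In the poster's init script jsvc
# starts as root and drops to $TOMCAT_USER with -user, so anything that user
# can write under $CATALINA_HOME (conf/server.xml, bin/, lib/, webapps/) is
# within reach of a compromised web application. Only mode bits are checked;
# running the service as root would defeat the point entirely.

# tomcat_writable_paths DIR USER
# Prints, one per line, each file or directory under DIR that USER can write:
# owned by USER with the owner write bit, group-writable in one of USER's
# groups, or world-writable.
tomcat_writable_paths() {
    dir=$1
    user=$2
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    group_args=""
    for g in $(id -Gn "$user"); do
        group_args="$group_args -o ( -group $g -perm -020 )"
    done
    # Octal masks: -200 owner write, -020 group write, -002 world write.
    # shellcheck disable=SC2086
    find "$dir" \( \( -user "$user" -perm -200 \) -o -perm -002 $group_args \) \
        -print 2>/dev/null | sort
}

# tomcat_unsafe_count CATALINA_HOME USER
# Number of writable entries under the directories a running Tomcat should
# never need to modify (conf, bin, lib). A hardened install prints 0.
tomcat_unsafe_count() {
    n=0
    for d in conf bin lib; do
        [ -d "$1/$d" ] || continue
        c=$(tomcat_writable_paths "$1/$d" "$2" | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# Usage against a real install, e.g. with the poster's values:
#   sh tomcat_perm_audit.sh /opt/tomcatus/tomcat tomcat
if [ "$#" -eq 2 ]; then
    tomcat_writable_paths "$1" "$2"
    echo "writable entries under conf/bin/lib: $(tomcat_unsafe_count "$1" "$2")"
fi
```

Any path printed under conf, bin or lib means a compromised webapp could rewrite server.xml or replace jsvc/bootstrap.jar, which is consistent with the server.xml tampering described above; the ssh_host_key.pub change, being root-owned, is not explained by this and points at a root-level compromise.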

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

