tomcat-users mailing list archives

From: Mark Thomas
Subject: Re: tomcat server hacked
Date: Tue, 18 Aug 2009 14:46:50 GMT
Nick Knol wrote:
> First post, sorry if I'm breaking protocol.  I could really use help
> tightening up security with the tomcat web server I'm running.  A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again.   I've been setting up a tomcat web server with the native apr
> library on a linux box and it looks like I got hacked through it.  I've been
> using iptable, ssh, and vncserver to login to the box and have been as
> careful as I know how to be with security in that regard (although it's quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ tomcat as you'll see).

I've read your e-mail and I don't see. What makes you think Tomcat is
the source of the infection?

> Tomcat Version: Apache Tomcat/6.0.14

See for a host of very good
reasons to upgrade to 6.0.20 asap.

> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
> JVM Vendor: Sun Microsystems Inc.
> One thing that I definitely was not careful about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files.  I'm starting tomcat through
> jsvc using the following script in init.d:

Your files are very hard to read with lots of extra * characters and odd
line breaks.

> - $CATALINA_HOME/conf/server.xml was changed to this:
> *<!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->*

That makes no sense. I don't think Tomcat would even start if that was
what is really in that file. Any chance of a cleaner copy?

> Does anyone recognize these symptoms and could possibly point me to a fix?
>  Thanks a million.

It doesn't match any of the infection patterns that I am aware of. Those
nearly always come down to manager apps with very weak passwords.

Since the config files don't make much sense, it is hard to see what the
attacker was trying to do.
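An added defensive check, not code from either poster, tying together Mark's point that these compromises nearly always trace back to weak manager-app passwords and Nick's remark about loose $CATALINA_HOME permissions: a small Python audit of a Tomcat 6 conf/tomcat-users.xml. The sample XML, the privileged role set and the 12-character minimum are constructed assumptions, not values from the thread.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat 6 conf/tomcat-users.xml; not the file from the thread.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
  <user username="deploy" password="" roles="manager,admin"/>
  <user username="ops" password="Zq7!pLm2vX9#rT" roles="manager"/>
  <user username="viewer" password="view" roles=""/>
</tomcat-users>
"""

# Roles that reach the Tomcat 6 manager and admin webapps.
PRIVILEGED_ROLES = {"manager", "admin"}
MIN_LENGTH = 12  # assumed local policy, not a Tomcat setting

def weak_password_reasons(username, password):
    """Return the reasons a credential counts as weak (empty list if none)."""
    reasons = []
    if not password:
        reasons.append("empty password")
    elif password.lower() == username.lower():
        reasons.append("password equals username")
    elif len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons

def audit_tomcat_users(xml_text):
    """List (username, sorted roles, reasons) for privileged accounts with weak passwords."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue  # cannot log in to the manager app, so out of scope here
        reasons = weak_password_reasons(user.get("username", ""), user.get("password", ""))
        if reasons:
            findings.append((user.get("username"), sorted(roles), reasons))
    return findings

def conf_mode_too_open(mode):
    """True when a conf file's mode lets group or others read/write it (e.g. 0o644)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    for name, roles, reasons in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("WEAK %s (%s): %s" % (name, ",".join(roles), "; ".join(reasons)))
    print("mode 0644 too open for conf/:", conf_mode_too_open(0o644))
```

Point audit_tomcat_users at the real file's contents and feed conf_mode_too_open the st_mode of each file under $CATALINA_HOME/conf to get the two checks Mark's and Nick's remarks call for.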

