tomcat-users mailing list archives

From Chanaka Dharmarathna <pe.chanaka...@gmail.com>
Subject Security Issue in Tomcat
Date Fri, 12 Jul 2013 04:51:15 GMT
Hi All,

I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
user accounts for Tomcat (admin, manager, user, etc.). Recently my deployed
web application was damaged. Restarting Tomcat recovered it.

But it seems someone tried to access my Tomcat and delete some files (I
guess the class file of index.jsp, as mentioned in the log). I have added my log
files [0], [1], [2] and [3]. Currently I have my JSP directory outside the
WEB-INF directory (yes, it's bad practice and I'll correct it).

1. Do you see any issues after looking at my log files? Maybe due to a bad
configuration/practice, etc.
2. And can someone delete files if there are no user accounts for Tomcat?
3. Is it possible to secure my Tomcat against this kind of issue by deleting
the manager and ROOT directories of tomcat/webapps/?

I'd highly appreciate it if you can share your thoughts.

[0] : localhost.log <http://pastie.org/private/nlbick7wddmlg9rybtgg>
[1] : catalina.log <http://pastie.org/private/wb1dkzfdqzpwb9ygtbrcwg>
[2] : localhost_access_log.txt <http://pastie.org/private/mlp1buwtqmygiutdcnxuza>
[3] : manager.log <http://pastie.org/private/olr1ydofyh29wcabhb1w>

Regards!
*Chanaka*
