tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn Heisey <>
Subject Re: Amazon EC2 Tomcat 7.0.85 not starting up due to some memory issue .Please mask if
Date Wed, 16 May 2018 18:20:02 GMT
On 5/16/2018 11:13 AM, Kiran Badi wrote:
> Yes tomcat is not starting up. I am also suspecting that EC2 instance was > probably
compromised. Not sure as how but I see some rogue programs
were > running under tomcat user. I use putty with private keys to login
and those > keys are not in public view for sure. > > These program were
talking to some servers based out of China,Russia and > Germany with
tcp,http and stratrum-tcp protocol with jsonp as data exchange > formt.
I am not sure as how they got access to my ec2 instance and got >
themselves installed. > > I did some initial analysis on this one and
have put those files in my g > drive which I have made public. I suspect
either they have used tomcat to > gain access or they might have used
yum updates for getting access to ec2 > instance.
Because the evil software is/was running as the tomcat user, it is
likely that a vulnerability in Tomcat or a vulnerability in the
application(s) you're running in tomcat was the entry point.  Your logs
may provide clues, but it's also possible that information about exactly
how they broke in isn't available.

Information in the file you provided indicates that this is a
crypto-mining program for the monero crypto-currency.  They're using
your system resources to mine currency for themselves.

The Java Hotspot warning you received during startup indicates that Java
was not able to allocate memory from the operating system.

The information in the hotspot error log (near the end, from
/proc/meminfo) says that this machine only has 1GB of total memory, and
that at the time of the crash, 899240KB of that was actively being
used.  There wasn't enough memory for Java to allocate what it was being
asked to allocate.

Depending on how much memory the programs added by the attacker are
using, killing them might allow Tomcat to start up.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message