more info: the conf.n file is just a small binary file (69 bytes) which is probably a marker of infection. It does create malware executables in /tmp with names like "L26_123_web", which are detected as backdoors by https://www.virustotal.com:
Avast      ELF:Elknot-AE [Trj]      20140730
DrWeb      Linux.BackDoor.Gates.6   20140730
Kaspersky  Backdoor.Linux.Ganiw.a   20140730
Sophos     Linux/DDoS-BD            20140730

On Sat, Aug 2, 2014 at 10:02 AM, Kent Tong <[email protected]> wrote:
> Hi all,
>
> thanks for the help!
>
> > File and directory permissions too permissive, maybe?
>
> the directory (and everything inside) is owned and writable by the "jetty"
> user only.
>
> > Which user is jetty running as?
>
> it is run as jetty on port 8080.
>
> > What's in conf.n? (details please)
>
> it is malware. The "file" command says it is data. Scanning it with online
> virus detection would say that it is some kind of backdoor malware.
>
> > What do you have in your webapp? (be detailed)
>
> it is an in-house developed webapp. I am going to replace it with a simple
> webapp to see if it is really the culprit.
>
> > How do you start Jetty? (your command line *AND* your start.ini and
> > start.d/ contents)
>
> I start it with "sudo -u jetty /opt/jetty/bin/jetty.sh".
>
> start.ini is:
>
> etc/jetty.xml
> etc/jetty-annotations.xml
> etc/jetty-ssl.xml
> etc/jetty-deploy.xml
> etc/jetty-contexts.xml
>
> no change has been made to those .xml files (except the SSL key and cert)
> and start.d contents.
>
> > Do you customize anything in ${jetty.home}? (like lib or xml files)
>
> no.
>
> > Do you run elasticsearch on your machine?
>
> no.
>
> --
> Kent Tong
> IT author and consultant, child education coach
>

--
Kent Tong
IT author and consultant, child education coach
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
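The symptoms Kent describes (a small opaque conf.n marker in a directory writable by the jetty user, and ELF droppers appearing in /tmp under names like L26_123_web) can be checked for with a short triage script. The script below is an added example, not code from the thread or from the Jetty project. It takes the service account name (jetty), the dropper directory (/tmp) and the marker name (conf.n) from the thread as assumptions, and builds its own constructed sample files so it runs offline. For each ELF file it prints owner, size and SHA-256, so the hash can be looked up on https://www.virustotal.com instead of uploading a sample from the compromised host.

```shell
#!/bin/sh
# Added triage example for the symptoms in the thread (not the thread's own
# code). Assumptions, mine rather than the thread's: the service account is
# "jetty", droppers land in /tmp, and the marker file is named conf.n.

# SHA-256 of a file, with whichever tool the host provides (GNU or BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True when the file starts with the ELF magic 7f 45 4c 46. This is the
# same signal "file" uses, without depending on "file" being installed.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Owner of a file, taken from ls so it works on both GNU and BSD userlands.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# List ELF files directly inside a directory, optionally only those owned by
# a given user (the service account). One line per hit:
#   path owner size sha256
# The hash is what to look up on VirusTotal rather than uploading the sample.
find_elf_droppers() {
    dir=$1
    want=${2:-}
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        is_elf "$f" || continue
        owner=$(owner_of "$f")
        if [ -n "$want" ] && [ "$owner" != "$want" ]; then
            continue
        fi
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s %s\n' "$f" "$owner" "$size" "$(sha256_of "$f")"
    done
    return 0
}

# Report the marker the thread describes (conf.n, 69 bytes, "data" to file).
# Returns 0 when present, 1 when absent, so it can gate a cleanup step.
check_marker() {
    marker=$1/conf.n
    if [ -f "$marker" ]; then
        printf 'marker present: %s (%s bytes)\n' "$marker" "$(wc -c < "$marker" | tr -d ' ')"
        return 0
    fi
    printf 'marker absent: %s\n' "$marker"
    return 1
}

# Constructed samples for an offline run (not real malware): a file carrying
# only the ELF magic plus a few header bytes, a text file, and a 69-byte
# all-zero conf.n standing in for the opaque marker.
make_sample_dir() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/L26_123_web"
    printf 'just text\n' > "$d/notes.txt"
    dd if=/dev/zero bs=1 count=69 of="$d/conf.n" 2>/dev/null
    printf '%s\n' "$d"
}

# Stand-alone demo against the constructed samples. On a real host:
#   find_elf_droppers /tmp jetty
#   check_marker /path/to/webapp
sample=$(make_sample_dir)
find_elf_droppers "$sample" "$(id -un)"
check_marker "$sample"
rm -rf "$sample"
```

On the affected host, run find_elf_droppers /tmp jetty and check_marker against the webapp directory. Because the thread notes that the webapp tree is writable by the same account Jetty runs as, anything that can make Jetty write a file can plant both the marker and the dropper; making that tree read-only to the service account removes the write path, and the hashes printed here are the safe thing to share with VirusTotal or the list.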
