First post, sorry if I'm breaking protocol. I could really use help tightening up security on the Tomcat web server I'm running. A hacker got in and trashed a bunch of files and I'm scared to death it will happen again. I've been setting up a Tomcat web server with the native APR library on a Linux box and it looks like I got hacked through it. I've been using iptables, ssh, and vncserver to log in to the box and have been as careful as I know how to be with security in that regard (although it's quite possible I've made a mistake there, I have reason to believe that the fault lies with Tomcat, as you'll see). Here is the server info:
Tomcat Version: Apache Tomcat/6.0.14
OS Name: Linux
OS Version: 2.6.18-128.1.6.el5xen
OS Architecture: amd64
JVM Version: 1.6.0_14-b08
JVM Vendor: Sun Microsystems Inc.

One thing that I definitely was not careful about was file permissions with regard to my home database and $CATALINA_HOME, so that's probably how the hacker managed to screw around with my files. I'm starting Tomcat through jsvc using the following script in init.d:

    #!/bin/sh
    #
    # Startup script for Tomcat
    #
    # chkconfig: - 2345 86 15
    # description: Tomcat is a JSP server.
    # processname: tomcat
    # pidfile: /var/run/jsvc.pid

    . /etc/init.d/functions

    JAVA_HOME=/usr/java/latest
    CATALINA_HOME=/opt/tomcatus/tomcat
    CATALINA_BASE=/opt/tomcatus/tomcat
    DAEMON_HOME=$CATALINA_HOME/bin
    TOMCAT_USER=tomcat

    TMP_DIR=/var/tmp
    PID_FILE=/var/run/jsvc.pid

    CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
    JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
    # "==" makes catalina.policy the only policy file, replacing the JVM default
    SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"
    CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar

    start() {
        # Start Tomcat
        echo "Starting Tomcat"
        rm -f $CATALINA_HOME/logs/catalina.out
        # jsvc starts as root, binds privileged ports, then drops to $TOMCAT_USER
        $DAEMON_HOME/jsvc \
            -user $TOMCAT_USER \
            -home $JAVA_HOME \
            -Dcatalina.home=$CATALINA_HOME \
            -Dcatalina.base=$CATALINA_BASE \
            -Djava.io.tmpdir=$TMP_DIR \
            -wait 10 \
            -pidfile $PID_FILE \
            -outfile $CATALINA_HOME/logs/catalina.out \
            -errfile '&1' \
            $CATALINA_OPTS \
            $JAVA_OPTS \
            $SECURITY_OPTS \
            -cp $CLASSPATH \
            org.apache.catalina.startup.Bootstrap
    }

    case "$1" in
        start)
            start
            ;;
        *)
            echo "Usage $0 (start|stop|status|restart|log)"
            exit 1;;
    esac

    exit $?

Here are the things that have been messed up on the machine:

- My user account was deleted.
- /etc/ssh/ssh_host_key.pub was modified (one key added, another deleted).
- My user home directory was added to $CATALINA_HOME/webapps/<app_name>/META-INF/<username>.
- $CATALINA_HOME/conf/server.xml was changed to this:

    <!--<Valve className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443" />-->->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    <Alias>analysisfactory.biz</Alias>Aware="false">" unpackWARs="true" autoDeploy="false"sword"


    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost." pattern="common" resolveHosts="false"/>


    <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> -->
    </Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT

- A file $CATALINA_HOME/conf/server.xml~ was added:

    <Engine name="Catalina" defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443" />-->->
    <Alias>analysisfactory.biz</Alias>Aware="false">" unpackWARs="true" autoDeploy="false"sword"


    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost." pattern="common" resolveHosts="false"/>


    <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> -->
    </Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT

Does anyone recognize these symptoms and could possibly point me to a fix? Thanks a million.

-Nick
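Added example, not part of Nick's post and not Tomcat project code: the post's own diagnosis is loose file permissions on $CATALINA_HOME, and the init script already drops to the `tomcat` user via `jsvc -user`, so the service account only needs write access to `logs`, `temp` and `work`. The POSIX sh below audits a Tomcat tree for group- or world-writable paths outside those runtime directories and then applies a read-only set of modes to everything else. It assumes the stock Tomcat 6 layout (`bin`, `conf`, `lib`, `logs`, `temp`, `webapps`, `work`), that the tree will be owned `root:<service group>` (the `chown` half needs root and is kept in a separate function), and that paths contain no whitespace. The demo builds a throwaway tree under `mktemp` with deliberately bad modes, so it runs offline as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original post). Audit and lock down the file
# modes of a Tomcat install so the account jsvc drops to with "-user" can
# read the install but write only to logs, temp and work.
# Assumptions: stock Tomcat 6 layout; tree owned root:<service group>;
# paths without whitespace.

# List every path under $1 that is group- (0020) or world- (0002) writable,
# skipping the runtime directories the service account legitimately writes.
tomcat_audit() {
    dir=$1
    find "$dir" \( -path "$dir/logs" -o -path "$dir/temp" -o -path "$dir/work" \) -prune \
        -o \( -perm -0002 -o -perm -0020 \) -print
}

# Number of offending paths as a bare integer (wc pads on some platforms).
tomcat_audit_count() {
    tomcat_audit "$1" | wc -l | tr -d ' '
}

# Modes only (no ownership change, so this runs unprivileged):
#   directories 750, files 640, execute only on the launcher and bin/*.sh,
#   group write only on the runtime directories.
tomcat_lock_modes() {
    dir=$1
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    for f in "$dir"/bin/*.sh "$dir"/bin/jsvc; do
        if [ -f "$f" ]; then chmod 750 "$f"; fi
    done
    for d in logs temp work; do
        if [ -d "$dir/$d" ]; then chmod 770 "$dir/$d"; fi
    done
    return 0
}

# Ownership half: root owns the install, the service group ($2, e.g. tomcat)
# gets group access. Needs root, so the demo below does not call it.
tomcat_chown() {
    chown -R root:"$2" "$1"
}

# Demo against a constructed tree with deliberately loose modes.
tomcat_demo() {
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/conf" "$t/webapps/app/META-INF" "$t/logs" "$t/bin"
    echo '<Server/>' > "$t/conf/server.xml";   chmod 666 "$t/conf/server.xml"
    echo 'hi' > "$t/webapps/app/index.jsp";    chmod 777 "$t/webapps/app/index.jsp"
    : > "$t/logs/catalina.out";               chmod 777 "$t/logs"
    echo "before: $(tomcat_audit_count "$t") writable path(s) outside logs/temp/work"
    tomcat_audit "$t"
    tomcat_lock_modes "$t"
    echo "after:  $(tomcat_audit_count "$t") writable path(s) outside logs/temp/work"
    rm -rf "$t"
}

tomcat_demo
```

Run as root on the real tree, `tomcat_chown /opt/tomcatus/tomcat tomcat` followed by `tomcat_lock_modes /opt/tomcatus/tomcat` leaves `conf/server.xml` and everything under `webapps` unwritable by the `tomcat` account (the poster already has `autoDeploy="false"`, so Tomcat has no reason to write there), and `tomcat_audit` should then print nothing. Rerunning the audit from cron is a cheap way to notice the next time something in the tree becomes writable.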