Hello all.

We have closed the issue internally, so I can tell you: thanks a lot, you rock =)

Thanks for all your effort and time.

Kindly yours,
Leonardo

Regards.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-05-26 15:32 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:

> Well well well. Thank you all so much !!!
>
> Since the Struts upgrade I got no intrusion on my servers =) =)
>
> Thank you, list, for the support, for the time and for helping me with this
> issue.
>
> Yours,
> Leonardo
>
> Regards.-
> Leonardo Santagostini
> <http://ar.linkedin.com/in/santagostini>
>
> 2014-05-20 12:45 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>
>> Hello all, again it's me =)
>>
>> Just to let you know that today we deployed our apps using Struts 2.3.16.2
>>
>> So from today I will monitor those servers very closely =)
>>
>> Thanks all people. I will tell you how things go.
>>
>> Regards,
>> Leonardo
>>
>> Regards.-
>> Leonardo Santagostini
>> <http://ar.linkedin.com/in/santagostini>
>>
>> 2014-05-07 12:28 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>>
>>> Hello all !
>>>
>>> Developers are still "estimating the effort" for upgrading struts.... I
>>> will let you know how things are going.
>>>
>>> Thanks all for replying to me.
>>>
>>> Regards,
>>> Leonardo
>>>
>>> Regards.-
>>> Leonardo Santagostini
>>> <http://ar.linkedin.com/in/santagostini>
>>>
>>> 2014-05-05 15:39 GMT-03:00 Martin Gainty <mgai...@hotmail.com>:
>>>
>>>> > Subject: Re: Regarding i think an intrusion
>>>> > From: lsantagost...@gmail.com
>>>> > To: users@tomcat.apache.org
>>>> >
>>>> > Hello Chris, but this logfile was only one day.
>>>> MG>Ay Caramba!
>>>> >
>>>> > Maybe I had a concept mismatch trying to capture the exact moment when the
>>>> > execution begins.
>>>> >
>>>> > My command was
>>>> >
>>>> > while true; do
>>>> >   # count wget processes, ignoring those whose command line mentions 127.0.0.1
>>>> >   CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)
>>>> >   if [ "$CUENTO" -gt 0 ]; then
>>>> >     PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
>>>> >     echo -e "Se encontro wget corriendo, sacando dump de JVM..."
>>>> >     # SIGQUIT (kill -3) makes the JVM print a thread dump to its stdout
>>>> >     kill -3 $PIDJAVA
>>>> >   fi
>>>> >   sleep 3
>>>> > done
>>>> >
>>>> > Maybe too many dumps all together, now I'm trying to get a "live" capture
>>>> > without luck =(
>>>> >
>>>> > If you know a better method, please let me know it.
>>>> >
>>>> > Thanks for your effort, kind regards,
>>>> > Leonardo
>>>> >
>>>> > Regards.-
>>>> > Leonardo Santagostini
>>>> MG>Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK @ 1.7 (now)
>>>> MG>this
>>>> "ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
>>>>    java.lang.Thread.State: TIMED_WAITING (sleeping)
>>>>   at java.lang.Thread.sleep(Native Method)
>>>>   at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
>>>>   at java.lang.Thread.run(Thread.java:662)
>>>> MG>These informational log entries produce A LOT of noise
>>>> MG>log4j.properties
>>>> MG>log4j.logger.org.quartz=OFF //(Shut up, Quartz)
>>>>
>>>> MG>that
>>>> "ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656 runnable [0x0000000046f34000]
>>>>    java.lang.Thread.State: RUNNABLE
>>>>   at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
>>>>   at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
>>>>   at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
>>>>   at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>   at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>   at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>>>   at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>>>   at
java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> 
at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) >>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) >>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4282) >>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) >>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) >>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744) 
>>>>   at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>   at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
>>>>   at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
>>>>   at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
>>>>   at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>>>   at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
>>>>   at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>>>   at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>>>   at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
>>>>   at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
>>>> MG>TOO MUCH!
>>>> MG>you need to change match-type from regex to wildcard in Tuckey .\WEB-INF\urlrewrite.xml ... for example
>>>> <!-- regex is not necessary -->
>>>> <!-- rule match-type="regex">
>>>>   <name>BasicRule</name>
>>>>   <from>basicfrom</from>
>>>>   <to>basicto</to>
>>>> </rule -->
>>>> <rule match-type="wildcard">
>>>>   <name>BasicRule</name>
>>>>   <from>basicfrom</from>
>>>>   <to>basicto</to>
>>>> </rule>
>>>> MG>you can see that name, from and to are the same
>>>>
>>>> MG>Whenever you see 'Runnable' and 'locked' (for example)
>>>> "http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d waiting on condition [0x000000004ad9b000]
>>>>    java.lang.Thread.State: RUNNABLE
>>>>   at java.util.Vector.addElement(Vector.java:572)
>>>>   - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
>>>>   at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
>>>>   at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
>>>>   - locked <0x00000006e0303d80> (a java.util.Hashtable)
>>>>
>>>> MG>you need to kill the process or change the slow process ... (log4j updateParents), for example in log4j
>>>> package org.apache.log4j;
>>>> public class Hierarchy implements org.apache.log4j.spi.LoggerFactory, org.apache.log4j.spi.RendererSupport{
>>>>   private org.apache.log4j.spi.LoggerFactory defaultFactory;
>>>>   private java.util.Vector listeners;
>>>>   // Hashtable ht;
>>>>   java.util.concurrent.ConcurrentHashMap<String,ProvisionNode> ht=new java.util.concurrent.ConcurrentHashMap<String,ProvisionNode>();
>>>>
>>>>   // much later
>>>>   public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory factory) {
>>>>   {
>>>>   ....
>>>>   } else if (o instanceof org.apache.log4j.ProvisionNode) {
>>>>     //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
>>>>     logger = factory.makeNewLoggerInstance(name);
>>>>     logger.setHierarchy(this);
>>>>     ht.put(key, logger);
>>>>     updateChildren((ProvisionNode) o, logger);
>>>>     updateParents(logger);
>>>>     return logger;
>>>>   }
>>>>
>>>> http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
>>>> MG>Do you understand?
>>>> MG>Martín
>>>>
>>>> >
>>>> > <http://ar.linkedin.com/in/santagostini>
>>>> >
>>>> > 2014-05-05 13:06 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
>>>> >
>>>> > > Leonardo,
>>>> > >
>>>> > > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
>>>> > > > Ok, again it's uploaded.
>>>> > > >
>>>> > > > This is the link
>>>> > > >
>>>> > > > https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
>>>> > >
>>>> > > 1/2 GiB log file? Hrm.
>>>> > >
>>>> > > It doesn't even have any calls to Runtime.exec in it. If you have a
>>>> > > snapshot of a thread dump (and only the thread dump, I don't need 3
>>>> > > weeks of your logs) that you took while the "intrusion" was taking
>>>> > > place, post that.
>>>> > >
>>>> > > If you don't, then I think you're out of luck.
>>>> > >
>>>> > > Sounds like a bad time to go on holiday.
>>>> > >
>>>> > > - -chris
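
A small triage script for thread dumps like the ones discussed in this thread, added here as an example (it is not code from any of the posters): it lists threads whose stack contains a process-spawning frame, which is what Chris looked for, and threads buried in `java.util.regex` recursion like `ajp-bio-8009-exec-37`. The sample dump, the `com.example.*` frame and the depth threshold of 20 are constructed assumptions.

```python
import re

# Frames that mean the JVM itself is starting or waiting on an OS process
# (the UNIXProcess prefix also matches a thread blocked in waitFor()).
SPAWN_FRAMES = ("java.lang.Runtime.exec", "java.lang.ProcessBuilder.start",
                "java.lang.UNIXProcess")
HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r'^at\s+(?P<method>[\w.$<>]+)\(')


def parse_threads(dump):
    """Split a SIGQUIT/jstack thread dump into {thread name: [frames, top first]}."""
    threads, current = {}, None
    for raw in dump.splitlines():
        line = re.sub(r'^[>\s]+', '', raw)  # tolerate mail quoting such as ">>>> "
        header = HEADER.match(line)
        if header:
            current = threads.setdefault(header.group("name"), [])
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current.append(frame.group("method"))
    return threads


def triage(dump, regex_depth=20):
    """Return threads that spawn processes and threads deep in java.util.regex."""
    findings = {"spawn": {}, "regex": {}}
    for name, frames in parse_threads(dump).items():
        # first non-JDK frame from the top: the code that asked for the process
        caller = next((f for f in frames if not f.startswith(("java.", "sun."))), None)
        if any(f.startswith(SPAWN_FRAMES) for f in frames):
            findings["spawn"][name] = caller
        depth = sum(f.startswith("java.util.regex.Pattern") for f in frames)
        if depth >= regex_depth:
            findings["regex"][name] = depth
    return findings


# Constructed sample, not taken from the log file in the thread; line numbers are dummies.
SAMPLE = '''
"http-bio-8080-exec-7" daemon prio=10 tid=0x01 nid=0x1 runnable [0x02]
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:0)
    at java.lang.Runtime.exec(Runtime.java:0)
    at com.example.app.SomeAction.execute(SomeAction.java:0)
    at java.lang.Thread.run(Thread.java:662)
"ajp-bio-8009-exec-37" daemon prio=10 tid=0x03 nid=0x2 runnable [0x04]
   java.lang.Thread.State: RUNNABLE
''' + "    at java.util.regex.Pattern$Curly.match(Pattern.java:3744)\n" * 25

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A dump only shows these frames if it is taken while the request thread is still inside the call, so an empty `spawn` result does not prove that nothing was executed.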