I have a situation where I have had "Kinsing" crypto-mining software get
installed twice on a VM that runs Liferay and Tomcat. Based on what I
have read about this cryto-miner, it seems to target Linux VM's running
Docker images and/or an open redis port. I have none of that on this VM.
The VM is running CentOS 8. The tomcat version I am running is 8.0.32,
java openjdk version "1.8.0_252" OpenJDK Runtime Environment (build
1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode).
It is hosting Liferay 7.0.4 GA5.
The VM running Tomcat/Liferay is served through reverse proxy listening
on port 443 and passes traffic back to the Tomcat instance listening on
7080. The VM has ONLY ports 7080, 7009, and 7005 open (firewalld) I am
trying to sort out how the crypto miner has installed itself.
Originally, I had a CentOS 7 VM but after the first episode, I started
from scratch, locked down the VM and re-installed the Liferay bundle
with Tomcat 8.0.32. After about 2 weeks, the miner was back. I can't
figure out how it is installing itself. I read through the CVE's on
this version of Tomcat and nothing jumped out at me. We don't use JMX
or AJP. It's just Tomcat with Liferay.
I am starting here since it's only the TC port that is open and yes,
it's possible that Liferay may have a vulnerability. I just need ideas
on where to start looking. I am going to try to jump to the latest
Liferay/Tomcat bundle but it isn't an easy upgrade and may take a bit....
--
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
