Hello Nick,
Probably one of the Tomcat developers will comment on the Tomcat-related part, but

-/etc/ssh/ssh_host_key.pub file was modified (one key added, another
deleted)


This is owned by root and only root has access to modify it.
Are you sure your root account is compromised?



Best regards,

Nikolay Diulgerov
Network Administrator
E-mail: ndiulge...@imx.fr
Telephone : +33 4 89 87 77 77
Fax :       +33 4 89 87 77 00
Web: http://www.codix-france.com



Nick Knol wrote:
First post, sorry if I'm breaking protocol. I could really use help
tightening up security with the Tomcat web server I'm running. A hacker got
in and trashed a bunch of files and I'm scared to death it will happen
again. I've been setting up a Tomcat web server with the native APR
library on a Linux box and it looks like I got hacked through it. I've been
using iptables, ssh, and vncserver to log in to the box and have been as
careful as I know how to be with security in that regard (although it's quite
possible I've made a mistake there, I have reason to believe that the fault
lies with Tomcat as you'll see). Here is the server info:

Tomcat Version: Apache Tomcat/6.0.14
OS Name: Linux
OS Version: 2.6.18-128.1.6.el5xen
OS Architecture: amd64
JVM Version: 1.6.0_14-b08

JVM Vendor: Sun Microsystems Inc.

One thing that I definitely was not careful about was file permissions with
regard to my home database and $CATALINA_HOME, so that's probably how the
hacker managed to screw around with my files. I'm starting Tomcat through
jsvc using the following script in init.d:

#!/bin/sh
#
# Startup script for Tomcat
#
# chkconfig: - 2345 86 15
# description: Tomcat is a JSP server.
# processname: tomcat
# pidfile: /var/run/jsvc.pid

. /etc/init.d/functions

JAVA_HOME=/usr/java/latest
CATALINA_HOME=/opt/tomcatus/tomcat
CATALINA_BASE=/opt/tomcatus/tomcat
DAEMON_HOME=$CATALINA_HOME/bin
TOMCAT_USER=tomcat

TMP_DIR=/var/tmp
PID_FILE=/var/run/jsvc.pid

CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
# "==" makes catalina.policy the only policy file, replacing the JVM default
SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"

CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar

start() {
    # Start Tomcat: jsvc is launched as root and runs the JVM as $TOMCAT_USER
    echo "Starting Tomcat"
    rm -f $CATALINA_HOME/logs/catalina.out
    $DAEMON_HOME/jsvc \
    -user $TOMCAT_USER \
    -home $JAVA_HOME \
    -Dcatalina.home=$CATALINA_HOME \
    -Dcatalina.base=$CATALINA_BASE \
    -Djava.io.tmpdir=$TMP_DIR \
    -wait 10 \
    -pidfile $PID_FILE \
    -outfile $CATALINA_HOME/logs/catalina.out \
    -errfile '&1' \
    $CATALINA_OPTS \
    $JAVA_OPTS \
    $SECURITY_OPTS \
    -cp $CLASSPATH \
    org.apache.catalina.startup.Bootstrap
}

stop() {
    # Stop Tomcat through the jsvc controller recorded in the pid file
    echo "Stopping Tomcat"
    $DAEMON_HOME/jsvc \
    -stop \
    -pidfile $PID_FILE \
    org.apache.catalina.startup.Bootstrap
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage $0 (start|stop|restart)"
    exit 1;;
esac

exit $?



Here are the things that have been messed up on the machine:

-My user account was deleted


-/etc/ssh/ssh_host_key.pub file was modified (one key added, another
deleted)


-my user home directory was added to
$CATALINA_HOME/webapps/<app_name>/META-INF/<username>


- $CATALINA_HOME/conf/server.xml was changed to this:

<!--<Valve
className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
/>-->->
       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
            <Alias>analysisfactory.biz</Alias>Aware="false">"
unpackWARs="true" autoDeploy="false"sword"

       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
                     prefix="localhost." pattern="common"
resolveHosts="false"/>

       <!-- <Valve
className="org.apache.catalina.valves.RequestDumperValve"/> -->
</Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT



-file $CATALINA_HOME/conf/server.xml~ was added:

    <Engine name="Catalina"
defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
/>-->->
            <Alias>analysisfactory.biz</Alias>Aware="false">"
unpackWARs="true" autoDeploy="false"sword"

       <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
                     prefix="localhost." pattern="common"
resolveHosts="false"/>

       <!-- <Valve
className="org.apache.catalina.valves.RequestDumperValve"/> -->
</Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT




Does anyone recognize these symptoms and could possibly point me to a fix?
 Thanks a million.

-Nick
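Nick's own diagnosis is that file permissions on $CATALINA_HOME were the weak spot, while Nikolay's point is that a root-owned file such as /etc/ssh/ssh_host_key.pub cannot be changed by the account jsvc switches to. The script below is an added example, not code from the thread or from Tomcat, for checking the first half of that: whether anything under a jsvc-started install is still writable by the runtime account or by "other". The install path (/opt/tomcatus/tomcat) and user name (tomcat) are taken from Nick's init script, and the assumption that the runtime account only needs to write logs/, temp/ and work/ is Tomcat's usual layout; both are parameters you can override.

```shell
#!/bin/sh
# tomcat_perm_audit.sh -- added example, not code from the thread or from Tomcat.
# Checks a jsvc-started Tomcat install for files the runtime account (the jsvc
# -user) or anyone else on the box can modify.
# Assumption: the runtime account only needs to write logs/, temp/ and work/.
# webapps/ is deliberately NOT excluded: with applications pre-expanded by the
# administrator it can be read-only, and a webapps/ writable by the runtime
# account lets anyone who gains that account drop a JSP and run code as it.
# If you rely on unpackWARs="true", add webapps to the prune lists below and
# accept that exposure knowingly.

# Every path under DIR, outside logs/temp/work, owned by USER.
# Anything listed is something the runtime account can rewrite:
# conf/server.xml, conf/catalina.policy, the jars in lib/ and bin/, webapps.
# Usage: owned_by_runtime_user DIR USER
owned_by_runtime_user() {
    dir=${1%/}
    find "$dir" \( -path "$dir/logs" -o -path "$dir/temp" -o -path "$dir/work" \) -prune \
        -o -user "$2" -print
}

# Every path under DIR, outside logs/temp/work, that is writable by "other"
# (mode bit 002). Symlinks are skipped because their own mode is meaningless.
# Usage: world_writable DIR
world_writable() {
    dir=${1%/}
    find "$dir" \( -path "$dir/logs" -o -path "$dir/temp" -o -path "$dir/work" \) -prune \
        -o ! -type l -perm -002 -print
}

# Account, pid and command line of every jsvc-related process. jsvc keeps a
# root-owned controller alive and runs the JVM child as the -user account, so
# one root entry (the controller) is expected; a JVM shown as root means the
# -user switch did not take effect.
jsvc_process_users() {
    ps -eo user=,pid=,args= | grep -i '[j]svc' || echo "no jsvc process found"
}

# Run all checks against one install. Usage: audit CATALINA_HOME TOMCAT_USER
# Returns 0 when nothing outside logs/temp/work is writable by the runtime
# account or by other, 1 otherwise.
audit() {
    rc=0
    bad=$(owned_by_runtime_user "$1" "$2")
    if [ -n "$bad" ]; then
        echo "owned by $2 (should be root-owned and read-only to $2):"
        echo "$bad"
        rc=1
    fi
    bad=$(world_writable "$1")
    if [ -n "$bad" ]; then
        echo "world-writable:"
        echo "$bad"
        rc=1
    fi
    echo "jsvc processes (user pid command):"
    jsvc_process_users
    return $rc
}

# Defaults are the values from Nick's init script; assumptions for this example.
if [ $# -ge 1 ] && [ "$1" = "audit" ]; then
    audit "${2:-/opt/tomcatus/tomcat}" "${3:-tomcat}"
fi
```

Run it as root so find can descend everywhere: `sh tomcat_perm_audit.sh audit /opt/tomcatus/tomcat tomcat`. A clean result is an empty report for both lists plus a root controller and a tomcat-owned JVM in the process list. The usual way to get there is to make the whole tree root-owned and mode 755/644, then hand only logs, temp and work back to the tomcat account. This covers only the Tomcat side of what Nick describes; the ssh host key change Nikolay points to is a root-level event that such an audit cannot account for.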


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org