Hi Ann, and welcome to the group.  I forgot to say that in the earlier post.

WOW.  RHEL 3... That's old, what's the uptime? I would upgrade to
RHEL5 or CentOS 5 and keep the boxes patched.  There is quite a
difference between 3 and 5 as you probably already know.  The best
option may be to build another box or rebuild that box with the newest
version of RHEL.  This might not be an option, but if it is, it might
save you time instead of tracking down every rootkit or alien script
that may have been put on the system.  I would definitely copy that
drive and study exactly what has happened.  If you don't upgrade the
box, then definitely get up to date with all of the patches.  Since it
is often a pain to update the older versions of RHEL many people just
forget it and leave it for years without updates.

You definitely want to check security settings and logs. chkrootkit
and lynis are pretty neat.  What version of Tomcat?

Chris...

On Wed, Aug 20, 2008 at 1:25 AM, Roger E. Rustad, Jr
<[email protected]> wrote:
> Ann Richmond wrote:
>> Hi, it's Ann Richmond.
>> A few weeks ago we found some applications had been installed under
>> tomcat on a few servers.  The war file was there as well as the expanded
>> apps.
>
> I'll bet you've got pwned.
>
> Perhaps someone else has answered this, but I would recommend googling
> some of the security websites and seeing if there is anything (default
> security settings, easy passwords, etc) that kiddie scripters are taking
> advantage of.
>
> Also, have you checked out chkrootkit?
>
> http://www.chkrootkit.org/
>
> What user is Tomcat running under?  Maybe someone got root access quite
> easily that way...



-- 
"As we open our newspapers or watch our television screens, we seem to
be continually assaulted by the fruits of Mankind's stupidity."
 -Roger Penrose
