I just wanted to point out that I think everyone's comments here (Roger, Chris, Brian, etc.) are spot on with a whole list of great security measures - but in this case... you can be certain that it was a Tomcat exploit, so I think you have to prioritize towards that and not start off immediately investigating for other holes.
How would I prioritize? Before I burned dozens of hours installing, configuring, running & monitoring a list of system/detection tools, I would immediately stop the Tomcat manager service, and do an upgrade, etc. to at least prevent the Tomcat attack from being successful. Second priority would be to understand what exposure the tomcat user has to the rest of the system, because the webapp could only have permissions of the tomcat user, and you may find out that the Tomcat user only could write to locations within 1 directory or something. If you can prove this through some auditing or testing process, you may be pleasantly surprised to see that this nefarious webapp might not have been able to install any rootkit (operating system level hacks or whatever). I would also change the passwords immediately, since the webapp might not have had write permissions, but likely could have read various files from /etc, like /etc/passwd and delivered it to the attacker. Then, only when you have understanding of the exposure of the problem, I strongly recommend spending all the time you can on the security recommendations everyone is providing - because in general, if you are not scanning for rootkits or applying patches to your system, then you really aren't following good security practices. Also, if there is any kind of rootkit, keylogger, network capturing, etc. then you can assume that your "new" passwords (changed immediately, right?) are also exposed. At some point, starting with a VPN console, and re-installing the entire system, starting with a newer OS, etc. becomes quite a bit less work than doing all the post-mortem & detective work. Just my $0.02. DK Brian Friday wrote: > Actually while I would check the logs in the course of the > investigation the fact of the matter is that editing log files is > pretty trivial for package exploits. > > Couple thoughts on my side: > - on the packages themselves do ls -asl (and/or other variations) > that may give you some data > - since your using a old release but there is probably a good reason > for it be sure to check: > - vulnerabilties for all software running on 127.0.0.1 as well > as > the normal network side > - that the software running even if it is listening on the > localhost > should be running/is needed > - be sure additional modules for apache that are not needed are > not > running ie: > - proxy, dav etc > - check the rev on php as well as if php allows remote file > upload > capabilities > > Preventative measures > - always make use of sshd_config's ability to set a allow user line > and never allow remote root > - lock down the box daemons with tcpwrappers, iptables etc if its a > web server you shouldn't see > ftp traffic from/to it, or irc etc. > - grab something that can independantly verify the binaries on your box > > - Brian > > On Aug 20, 2008, at 6:44 AM, Chris Thomas wrote: > > >> I agree with Chris about checking the log files. When you first >> found the program, you didn't know when it got installed on your >> box. Was it installed a week, month, year ago? So, searching the >> logs would probably be useless for that attack. Since you deleted >> the app and it came back, you have an appox. time, so you only have >> a little bit of logs to look through. >> >> Chris >> >> >> ----- Original Message ---- >> From: Chris Penn <[email protected]> >> To: [email protected]; SoCal LUG Users List <[email protected] >> >> Sent: Wednesday, August 20, 2008 3:41:55 AM >> Subject: Re: [LinuxUsers] Could use some help please, >> >> <snip> >> >> You definitely want to check security settings and logs. chkrootkit >> and lynis are pretty neat. What version of Tomcat? >> >> Chris... >> >> On Wed, Aug 20, 2008 at 1:25 AM, Roger E. Rustad, Jr >> <[email protected]> wrote: >> >>> Ann Richmond wrote: >>> >>>> Hi, its Ann Richmond. >>>> A few weeks ago we found some applications had been installed under >>>> tomcat on a few servers. The war file was there as well as the >>>> expanded >>>> apps. >>>> >>> I'll bet you've got pwned. >>> >>> Perhaps someone else has answered this, but I would recommend >>> googling >>> some of the security websites and seeing if there is anything >>> (default >>> security settings, easy passwords, etc) that kiddie scripters are >>> taking >>> advantage of. >>> >>> Also, have you checked out chkrootkit? >>> >>> http://www.chkrootkit.org/ >>> >>> What user is Tomcat running under? Maybe someone got root access >>> quite >>> easily that way... >>> _______________________________________________ >>> LinuxUsers mailing list >>> [email protected] >>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers >>> >>> >> >> -- >> "As we open our newspapers or watch our television screens, we seem to >> be continually assaulted by the fruits of Mankind's stupidity." >> -Roger Penrose >> _______________________________________________ >> LinuxUsers mailing list >> [email protected] >> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers >> >> _______________________________________________ >> LinuxUsers mailing list >> [email protected] >> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers >> > > _______________________________________________ > LinuxUsers mailing list > [email protected] > http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers >
