Re: tomcat server hacked
Hello Nick,

probably one of the tomcat developers will comment on this as it relates to tomcat, but

> -/etc/ssh/ssh_host_key.pub file was modified (one key added, another deleted)

This is owned by root and only root has access to modify it. Are you sure your root account is compromised?

Best regards,
Nikolay Diulgerov
Network Administrator
E-mail: ndiulge...@imx.fr
Telephone : +33 4 89 87 77 77
Fax : +33 4 89 87 77 00
Web: http://www.codix-france.com

Nick Knol wrote:
> First post, sorry if I'm breaking protocol. I could really use help tightening up security with the tomcat web server I'm running. A hacker got in and trashed a bunch of files and I'm scared to death it will happen again.
>
> I've been setting up a tomcat web server with the native apr library on a linux box and it looks like I got hacked through it. I've been using iptables, ssh, and vncserver to login to the box and have been as careful as I know how to be with security in that regard (although it's quite possible I've made a mistake there, I have reason to believe that the fault lies w/ tomcat as you'll see).
>
> Here is the server info:
>
> Tomcat Version: Apache Tomcat/6.0.14
> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful about was file permissions w/ regard to my home database and $CATALINA_HOME, so that's probably how the hacker managed to screw around with my files.
>
> I'm starting tomcat through jsvc using the following script in init.d:
>
> #!/bin/sh
> #
> # Startup script for Tomcat
> #
> # chkconfig: - 2345 86 15
> # description: Tomcat is a JSP server.
> # processname: tomcat
> # pidfile: /var/run/jsvc.pid
>
> . /etc/init.d/functions
>
> JAVA_HOME=/usr/java/latest
> CATALINA_HOME=/opt/tomcatus/tomcat
> CATALINA_BASE=/opt/tomcatus/tomcat
> DAEMON_HOME=$CATALINA_HOME/bin
> TOMCAT_USER=tomcat
>
> TMP_DIR=/var/tmp
> PID_FILE=/var/run/jsvc.pid
>
> CATALINA_OPTS=-Djava.library.path=/usr/local/apr/lib
> # quoted: the '|' characters in nonProxyHosts would otherwise be parsed as a pipe
> JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
> SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"
> CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
>
> start() {
>     # Start Tomcat
>     echo Starting Tomcat
>     rm -f $CATALINA_HOME/logs/catalina.out
>     $DAEMON_HOME/jsvc \
>         -user $TOMCAT_USER \
>         -home $JAVA_HOME \
>         -Dcatalina.home=$CATALINA_HOME \
>         -Dcatalina.base=$CATALINA_BASE \
>         -Djava.io.tmpdir=$TMP_DIR \
>         -wait 10 \
>         -pidfile $PID_FILE \
>         -outfile $CATALINA_HOME/logs/catalina.out \
>         -errfile '&1' \
>         $CATALINA_OPTS \
>         $JAVA_OPTS \
>         $SECURITY_OPTS \
>         -cp $CLASSPATH \
>         org.apache.catalina.startup.Bootstrap
> }
>
> case $1 in
>     start)
>         start
>         ;;
>     *)
>         echo "Usage: $0 (start|stop|status|restart|log)"
>         exit 1;;
> esac
>
> exit $?
>
> Here are the things that have been messed up on the machine:
>
> - My user account was deleted
> - /etc/ssh/ssh_host_key.pub file was modified (one key added, another deleted)
> - my user home directory was added to $CATALINA_HOME/webapps/app_name/META-INF/username
> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> !--Valve className=org.apache.catalina.valves.RequestDumperValve/--LSTLS/443 /---
> Valve className=org.apache.catalina.valves.AccessLogValve directory=logs
> Aliasanalysisfactory.biz/AliasAware=false unpackWARs=true autoDeploy=falsesword
> Valve className=org.apache.catalina.valves.AccessLogValve directory=logs
> prefix=localhost. pattern=common resolveHosts=false/
> !-- Valve className=org.apache.catalina.valves.RequestDumperValve/ --
> /Serverce ntext path=/forecasterDemo docBase=ForecasterDemo/ROOT
>
> - file $CATALINA_HOME/conf/server.xml~ was added:
>
> Engine name=Catalina defaultHost=www.analysisfactory.biz/em/l=TLSTLS/443 /---
> Aliasanalysisfactory.biz/AliasAware=false unpackWARs=true autoDeploy=falsesword
> Valve className=org.apache.catalina.valves.AccessLogValve directory=logs
> prefix=localhost. pattern=common resolveHosts=false/
> !-- Valve className=org.apache.catalina.valves.RequestDumperValve/ --
> /Serverceame=org.apache.catalina.valves.RequestDumperValve/o/ROOT
>
> Does anyone recognize these symptoms and could possibly point me to a fix? Thanks a million.
>
> -Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat server hacked
just a quick shot. Have you run your tomcat as root and what is your kernel version? If you don't run your tomcat as root and have a more or less up-to-date kernel without local root exploits, it's highly improbable that you got hacked via tomcat. Do you have anything that proves it anyway? :-)

best regards
Leon

On Tue, Aug 18, 2009 at 3:45 PM, Nick Knol <nickk...@gmail.com> wrote:
> First post, sorry if I'm breaking protocol. I could really use help tightening up security with the tomcat web server I'm running. A hacker got in and trashed a bunch of files and I'm scared to death it will happen again.
> [original post quoted in full, snipped]
RE: tomcat server hacked
What does your tomcat-users.xml look like? (sans the p/w of course)

-----Original Message-----
From: Nick Knol [mailto:nickk...@gmail.com]
Sent: Tuesday, August 18, 2009 8:45 AM
To: users@tomcat.apache.org
Subject: tomcat server hacked

> First post, sorry if I'm breaking protocol. I could really use help tightening up security with the tomcat web server I'm running. A hacker got in and trashed a bunch of files and I'm scared to death it will happen again.
> [original post quoted in full, snipped]
Re: tomcat server hacked
Nick Knol wrote:
> First post, sorry if I'm breaking protocol. I could really use help tightening up security with the tomcat web server I'm running. A hacker got in and trashed a bunch of files and I'm scared to death it will happen again.
>
> I've been setting up a tomcat web server with the native apr library on a linux box and it looks like I got hacked through it. I've been using iptables, ssh, and vncserver to login to the box and have been as careful as I know how to be with security in that regard (although it's quite possible I've made a mistake there, I have reason to believe that the fault lies w/ tomcat as you'll see).

I've read your e-mail and I don't see. What makes you think Tomcat is the source of the infection?

> Tomcat Version: Apache Tomcat/6.0.14

See http://tomcat.apache.org/security-6.html for a host of very good reasons to upgrade to 6.0.20 asap.

> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful about was file permissions w/ regard to my home database and $CATALINA_HOME, so that's probably how the hacker managed to screw around with my files.
>
> I'm starting tomcat through jsvc using the following script in init.d:

Your files are very hard to read with lots of extra * characters and odd line breaks.

> - $CATALINA_HOME/conf/server.xml was changed to this:
> *!--Valve className=org.apache.catalina.valves.RequestDumperValve/--LSTLS/443 /---*

That makes no sense. I don't think Tomcat would even start if that was what is really in that file. Any chance of a cleaner copy?

> Does anyone recognize these symptoms and could possibly point me to a fix? Thanks a million.

It doesn't match any of the infection patterns that I am aware of. Those nearly always come down to manager apps with very weak passwords. Since the config files don't make much sense, it is hard to see what the attacker was trying to do.

Mark
RE: tomcat server hacked
From: BJ Selman [mailto:bjsel...@travelhost.com]
Subject: RE: tomcat server hacked

> What does your tomcat-users.xml look like? (sans the p/w of course)

Note that using the toy tomcat-users.xml for authentication is inappropriate for a secure environment.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: tomcat server hacked
From: Leon Rosenberg [mailto:rosenberg.l...@googlemail.com]
Subject: Re: tomcat server hacked

> Have you run your tomcat as root and what is your kernel version?

According to the first post, Tomcat runs via jsvc with the userid Tomcat.

> If you don't run your tomcat as root and have a more or less up-to-date kernel without local root exploits, it's highly improbable that you got hacked via tomcat.

Agreed. Certainly looks like the Tomcat files have been hacked, but nothing presented so far indicates the hacking was done through Tomcat; rather, the hacking appears to have been done via some typical interactive mechanism such as telnet, SSH, or VNC. I can't think of any mechanism within Tomcat that would permit such file changes to be made. The presence of conf/server.xml~ indicates some standard text editor was used, which is obviously not possible via Tomcat. Note that Tomcat itself *never* writes server.xml.

- Chuck
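The replies above point at three things worth checking on a box like this: files under $CATALINA_BASE that accounts other than the owner can write, a manager role in tomcat-users.xml (the usual weak-password way in), and editor backup files such as conf/server.xml~ that Tomcat itself never creates. The script below is an added example, not code from the thread or from the Tomcat project; the paths, the constructed sample layout and the Tomcat 6 role name "manager" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Tomcat install for the
# weak spots the replies point at. Paths, the sample layout and the
# 'manager' role name are assumptions for this demonstration.

# Files under CATALINA_BASE ($1) that are group- or world-writable. Tomcat
# only needs to read conf/; anything other accounts can write is a way to
# drop a webapp or rewrite server.xml without touching Tomcat at all.
writable_files() {
    find "$1" -type f \( -perm -002 -o -perm -020 \) 2>/dev/null | sort
}

# Succeeds when any user in conf/tomcat-users.xml carries a manager role;
# the thread's experience is that compromises almost always come down to a
# manager app with a weak password, not a Tomcat bug.
has_manager_role() {
    grep -Eq '<user[^>]*roles="[^"]*manager' "$1/conf/tomcat-users.xml" 2>/dev/null
}

# Editor backup and swap files under conf/. Tomcat never writes server.xml,
# so a server.xml~ means an interactive session edited it by hand.
editor_backups() {
    find "$1/conf" -type f \( -name '*~' -o -name '.*.swp' \) 2>/dev/null | sort
}

# Constructed sample layout (subshell so the umask stays local): a
# world-writable server.xml, a manager user, and a server.xml~ left behind.
make_sample() (
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/webapps"
    printf '<tomcat-users>\n  <user username="admin" password="x" roles="manager,admin"/>\n</tomcat-users>\n' \
        > "$d/conf/tomcat-users.xml"
    : > "$d/conf/server.xml"
    : > "$d/conf/server.xml~"
    chmod 666 "$d/conf/server.xml"
    echo "$d"
)

# Usage: sh audit.sh /opt/tomcatus/tomcat   (no argument: run on the sample)
base="${1:-$(make_sample)}"
echo "== group/world-writable files under $base"; writable_files "$base"
if has_manager_role "$base"; then
    echo "== tomcat-users.xml grants a manager role: check that password"
fi
echo "== editor backup files under $base/conf"; editor_backups "$base"
[ -n "$1" ] || rm -rf "$base"
```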