Attacks in Apache servers
Hi, Anyone attacked with reference to below URL? http://efytimes.com/e1/fullnews.asp?edid=105167ntype=moredate=4/29/2013
Re: Attacks in Apache servers
M Eashwar wrote:
> Hi, Anyone attacked with reference to below URL?
> http://efytimes.com/e1/fullnews.asp?edid=105167ntype=moredate=4/29/2013

Never heard of EFYtimes before, but considering what I have been reading lately about bots, I would advise a modicum of caution before following this link. (And also maybe a modicum of healthy scepticism about that news article itself).

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Attacks in Apache servers
On 02/05/13 09:32, André Warnier wrote:
> M Eashwar wrote:
>> Hi, Anyone attacked with reference to below URL?
>> http://efytimes.com/e1/fullnews.asp?edid=105167ntype=moredate=4/29/2013
>
> Never heard of EFYtimes before, but considering what I have been reading lately about bots, I would advise a modicum of caution before following this link. (And also maybe a modicum of healthy scepticism about that news article itself).

This vulnerability applies only to apache httpd and is not relevant to tomcat.

ALSO, it only applies to apache httpd when installed via a third-party automated management system that is reported to not verify the digital signature of the binary... which would be very negligent.

You should always verify apache packages against the published signatures. Although linux distribution rpm and deb packages are automatically verified during installation, we strongly recommend installing packages directly from the official apache distribution servers and then verifying the signature yourself - prior to installation!

Regards,
Brian
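Verifying a download against its published signature, as the message above recommends, means checking two things: that gpg accepted the signature, and that it was made by a key you already trust. The following is an added example, not part of the original thread or of any Apache tooling; it evaluates gpg's machine-readable `--status-fd` output against pinned fingerprints, which are assumed to come from the project's KEYS file obtained separately from the download. The fingerprints, status lines and function names are constructed for illustration.

```python
import subprocess

# Status keywords after which the file must not be installed (policy choice).
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def evaluate_status(status_text, pinned_fingerprints):
    """Decide from `gpg --status-fd` output whether a pinned key signed the file."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2]: fingerprint of the signing (sub)key;
            # last field: primary key fingerprint when gpg reports it.
            signers.append({fields[2].upper(), fields[-1].upper()})
    if not signers:
        return False, "no valid signature"
    if any(s & pinned for s in signers):
        return True, "signed by pinned key"
    return False, "valid signature from an unpinned key"

def verify_file(sig_path, artifact_path, keyring_path, pinned_fingerprints):
    """Run gpg against a dedicated keyring and apply evaluate_status()."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, artifact_path],
        capture_output=True, text=True)
    ok, reason = evaluate_status(proc.stdout, pinned_fingerprints)
    return ok and proc.returncode == 0, reason

# Constructed sample data: these fingerprints and status lines are not real keys.
PINNED = "A" * 40
OTHER = "B" * 40
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Release Manager\n"
    f"[GNUPG:] VALIDSIG {PINNED} 2013-05-02 1367452800 0 4 0 1 8 00 {PINNED}\n"
)
BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Release Manager\n"

if __name__ == "__main__":
    print(evaluate_status(GOOD, [PINNED]))  # signature valid and key pinned
    print(evaluate_status(GOOD, [OTHER]))   # valid, but the signer is not trusted
    print(evaluate_status(BAD, [PINNED]))   # file or signature was altered
```

A signature that validates against an arbitrary key in the keyring proves nothing about origin, which is why the check compares the signer's fingerprint and not just gpg's exit status.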
Re: Attacks in Apache servers
Last Friday (April 26), ESET and Sucuri simultaneously blogged about the discovery of Linux/Cdorked, a backdoor impacting Apache servers running cPanel.
- http://blogs.cisco.com/security/linuxcdorked-faqs/

So it looks like a cPanel application vulnerability, not an Apache vulnerability. The title of that first article is simply WRONG.

And seriously, who manages a site via cPanel? If you use cPanel, maybe linux isn't a good fit for you.
Re: Attacks in Apache servers
http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is not a cPanel vulnerability per se...
Re: Attacks in Apache servers
On 02/05/2013 12:29, Jess Holle wrote:
> http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is not a cPanel vulnerability per se...

To quote the relevant part of that article:

<quote>
How are attackers gaining access to the host servers?

How the attackers are gaining root access to begin with is a separate matter, still unresolved. Attackers may have stolen login credentials via phishing, or via a localized infection on a management system, or simply by brute-force guessing the login.
</quote>

httpd is simply the vehicle the attackers are using to run their malware *once they already have root access*

There is no Apache http vulnerability to see here. Move along. Move along.

Mark
Re: Attacks in Apache servers
Mark,

On 5/2/13 7:42 AM, Mark Thomas wrote:
> On 02/05/2013 12:29, Jess Holle wrote:
>> http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is not a cPanel vulnerability per se...
>
> To quote the relevant part of that article:
>
> <quote>
> How are attackers gaining access to the host servers?
>
> How the attackers are gaining root access to begin with is a separate matter, still unresolved. Attackers may have stolen login credentials via phishing, or via a localized infection on a management system, or simply by brute-force guessing the login.
> </quote>
>
> httpd is simply the vehicle the attackers are using to run their malware *once they already have root access*
>
> There is no Apache http vulnerability to see here. Move along. Move along.

Didn't you know that 'rm' was vulnerable on Linux?!?! An attacker with escalated privileges can -- through clever use of this misunderstood command with code so complicated, that this enormous vulnerability went unnoticed for decades -- wreak havoc on any Linux system connected to the interwebs. The only plausible mitigation of this egregious vulnerability is to uninstall the 'rm' package or switch to a more secure OS.

...

The fact that this exploit is being called Linux/CDorked leads me to believe that cPanel is definitely the vector. Why the attackers decided to use httpd and not the gopher-over-uucp service is beyond me.

-chris
Re: tomcat apr openssl logging
Jeremy,

On 4/30/13 5:23 PM, Christopher Schultz wrote:
> Jeremy,
>
> On 4/30/13 1:47 PM, Jeremy Bowers wrote:
>> How do I go about setting up server side logging to gain more detailed information about ssl connections when using tomcat with apache tomcat native, apr, and openssl for https?
>
> Can you explain in a little more detail? Do you want something other than what AccessLogValve[1] can provide? You can learn a lot from the standard request attributes that the servlet spec mandates[2] such as javax.servlet.request.cipher_suite, javax.servlet.request.key_size, etc.
>
> What kind of information are you looking for specifically?
>
> -chris
>
> [1] https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve
> [2] See Servlet Spec 3.0, Section 3.8

Perhaps your lack of results stems from the lack of follow-ups?

-chris
Re: Attacks in Apache servers
> Didn't you know that 'rm' was vulnerable on Linux?!?! An attacker with escalated privileges can -- through clever use of this misunderstood command with code so complicated, that this enormous vulnerability went unnoticed for decades -- wreak havoc on any Linux system connected to the interwebs. The only plausible mitigation of this egregious vulnerability is to uninstall the 'rm' package or switch to a more secure OS.

I think the vulnerability is limited to versions that support the options -r and -f. ;-)

--
David
RE: Multiple tomcat containers or instance on same servers
I eventually installed version 6.0.36 & 7.0.29 as the highest supported version by the concerned applications respectively. I used the installer and both applications seem to be running fine. Though still testing, but would like to be rest assured of this 2 version decision before going into production. Are there any foreseeable complications that could emerge from such configuration?

From: Howard W. Smith, Jr.
Sent: 02.05.2013 03:21
To: Tomcat Users List; ch...@derham.me.uk
Subject: Re: Multiple tomcat containers or instance on same servers

On Wed, May 1, 2013 at 8:51 PM, chris derham ch...@derham.me.uk wrote:
> If anyone else wants to chip in with any relevant additions, let me know. I might be able to have a look at updating the documentation page later, but being as I'm a developer my linguistic skills have never really been approved of so not sure any changes will be approved :-)
>
> HTH
>
> Chris

I've added some comments to http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

- +1 I like the comments you added Chris!

You must edit CATALINA_BASE\conf\server.xml to specify a unique IP/port for the instance to listen on.

You gave some examples in those comments. It would be nice to see examples to clarify the statement above, too.