Re: a compromised tomcat server

2006-06-12 Thread Martin Gainty
On 6/10/06, hv @ Fashion Content [EMAIL PROTECTED] wrote: I had an incident on my server the other day where someone had successfully broken into the server to execute a port scanner. do you have any kind of logs? The port scanner was running under

Re: a compromised tomcat server

2006-06-12 Thread David Rees
On 6/10/06, hv @ Fashion Content [EMAIL PROTECTED] wrote: I had an incident on my server the other day where someone had successfully broken into the server to execute a port scanner. The port scanner was running under the tomcat process so I assume the break-in was done by getting through the

Re: a compromised tomcat server

2006-06-11 Thread Leon Rosenberg
On 6/10/06, hv @ Fashion Content [EMAIL PROTECTED] wrote: I had an incident on my server the other day where someone had successfully broken into the server to execute a port scanner. do you have any kind of logs? The port scanner was running under the tomcat process so I assume the break-in

a compromised tomcat server

2006-06-10 Thread hv @ Fashion Content
I had an incident on my server the other day where someone had successfully broken into the server to execute a port scanner. The port scanner was running under the tomcat process so I assume the break-in was done by getting through the Tomcat manager app. At first I feared that I had made a

Re: a compromised tomcat server

2006-06-10 Thread David Smith
It's possible (anything is possible), but not likely with a default install. I would look at all the services running on that server. If you focus on your tomcat server to the detriment of other services, you will miss critical forensic evidence. The tomcat user account may have just had a

Re: a compromised tomcat server

2006-06-10 Thread hv @ Fashion Content
I would assume a compromised password as well, but am I fair in assuming that the break-in was via a manager login? The odd thing (in my mind at least) was that a shell was executed as a child process of tomcat and then the port scanner under that... but I don't see any new web-apps being

Re: a compromised tomcat server

2006-06-10 Thread David Smith
Others with more experience with the manager's inner workings can chime in, but I don't think it can execute commands on the system -- at least not with the default build from Apache. Its magic occurs entirely via java code. Some other vectors of possible attack include the CGI library if