Hello Christopher, thanks for your response. I have a copy of 4.sh and squid (binary ELF file) and tried to see using strings what this program do. I couldn’t see anything =(
Im monitoring the server for getting a dump at the moment this injection occurs. Files still uploanding =( Thanks for all, kind regards Saludos.- Leonardo Santagostini <http://ar.linkedin.com/in/santagostini> 2014-04-30 14:07 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net >: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Leonardo, > > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote: > > Im uploading mi logfiles so it will be available when finished > > uploading. > > Remember to get a thread dump while Runtime.exec() is running. > > You should copy the script /tmp/4.sh somewhere else so you have a copy > in case the attacker tries to clean-up after themselves. That's > certainly what's doing the evil work. > > You could probably set up iptables or something to restrict outgoing > requests so that the attack can't progress across your network. > > > Regarding the configuration, its working in two other sites > > without problem, and there is no problem putting L4 balancing with > > haproxy. > > > > I have asked developers about that exploit, still without answer. > > You appear to be using struts2 2.1.8, which is in the range of > versions vulnerable to this bug. There is a workaround that you can > probably apply: > http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last > section on this page). > > Of course, the vulnerability doesn't allow you to simply inject code > or anything like that: you can certainly mess-around with code that is > already available on the site, though. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJTYS3BAAoJEBzwKT+lPKRYqDsP/jmNjM+YwxySFGgPUuvcL2bN > kkApblcr9ryGZQG6RGwUFr69FCJ8qFDQSZ0aXXxPCfTpM6ce1VqXPv+WcOwnueOF > mrugSa2InF2IWPAP2lwhEGqyxRAYZGfxz0aA9sFb7sSw4IpDP7u6TJx9g3oYrLTt > URIbzTfhY0aGgEkQlrWNgrAWFKsUQ0uOrg8+3IS52O/e1ZVdudTMQBh5/LLJ522p > yr+TlMooKDY8OA1TYttE0zEe3/Z9dd2AZ4YHoqLy8Hwq0lufYSaFZ5TpHfiOgJ0I > 0Q3dcXEmjMTrBkBm4JKBR9b6KZSvG/H42q0GsEFHZeGw+3VIqYFGVRR5iCRRvVgg > cqVKgGevB+fefcbGX9IFgFnus8QMUYq4XOcsE1YJVflxVBEfgwsCDLZEJqpzbovV > ZpNBimPoLc8I5ifo2o7GSkO1GNSjhD7Q9p5MnmNW7Qna9RJh67Lv2oft9yPqGvjZ > F2dTgbKFqyr8GSy/X4Ji8FsoeK+YxF0zXXDkaXxJzu054LuhodLCHJu7WwnwGjjL > 0VI/Xxfihzk9+u3HNuwK0HTEt40Tca+vEKDUlMa9fvHL3ZqM3upy50bGE0PCTrJO > A1cI+e0lzKEEQ+maym65DmSYiVvUPnfv0AxA0iUfU/UbhV1yWEkD3TyF3dOZPZqH > ob6Km1Clt4KNLKVyQjt+ > =8KFm > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
