pentesting going on?

On Feb 16, 2015 10:44 AM, "Mathias af Jochnick" <math...@lightlabs.se> wrote:
> Christopher, thanks for responding. See my comments below.
>
> --
> Mathias af Jochnick, +46703414084
>
> On 16 February 2015 at 16:36:32, Christopher Schultz (ch...@christopherschultz.net) wrote:
>
> Mathias,
>
> On 2/16/15 5:43 AM, Mathias af Jochnick wrote:
> > Our server has been in production for years without issues, but
> > today it crashed out of the blue.
> >
> > Last in the logs:
> >
> > Exception in thread "main" java.lang.NoClassDefFoundError: aasxknsakadskdskdskdsakmxxads
> > Caused by: java.lang.ClassNotFoundException: aasknsakadskdskdskdsakmads
> >     at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
> >     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
> >
> > Could not find the main class: aasxknsakadskdskdskdsakxxmads.
> > Program will exit.
>
> Where do you see this? Which log file?
>
> >>Catalina.out
>
> When Java can't load a class, a ClassNotFoundException or
> NoClassDefFoundError is thrown, but it does not terminate the JVM.
>
> The message above says "Could not find the main class", which
> indicates that a JVM was trying to launch with a new main class, not
> that an existing JVM (i.e. Tomcat running your web apps) was trying to
> load a class.
>
> >>Right, well as I said, it’s in catalina.out
>
> When I run my JVM with a bad main class, I don't get a stack trace:
>
> $ java -showversion foo
> java version "1.8.0_31"
> Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)
>
> Error: Could not find or load main class foo
>
> Other versions of Java:
>
> $ java -showversion foo
> java version "1.7.0_76"
> Java(TM) SE Runtime Environment (build 1.7.0_76-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.76-b04, mixed mode)
>
> Error: Could not find or load main class foo
>
> $ java -showversion foo
> java version "1.6.0_65"
> Java(TM) SE Runtime Environment (build 1.6.0_65-b14-466.1-11M4716)
> Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-466.1, mixed mode)
>
> Exception in thread "main" java.lang.NoClassDefFoundError: foo
> Caused by: java.lang.ClassNotFoundException: foo
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
>
> So, I get the exception and stack trace, but no message about how the
> "Program will exit."
>
> So... how is this being launched?
>
> >>>Well, that’s what I’m wondering too. Our Tomcat process died, that was
> what was last in the logfile, the server had been up for a week. Nobody had
> logged in and done anything, unless we’re missing something. The server is
> at a hosting partner and I’m pretty confident they’re not complete tools if
> you see what I mean.
>
> > While it's obvious what caused the crash, I have no clue as to why.
> > We have no new production code, nothing has changed as far as we
> > know. I'm not sure how to investigate this, to me it seems like
> > some sort of dynamic class-loading hack attempt?
> >
> > Can I look for some configured service to turn off?
> >
> > I'm at a loss so any pointers on how to investigate / prevent this
> > would be extremely appreciated.
> >
> > Tomcat/6.0.28
>
> No currently-supported version of Tomcat prints the message "Program
> will exit.". I'm at a loss to explain why you would *ever* see this
> message, let alone what is causing it in your particular case.
>
> I would treat the server as suspicious and take appropriate steps.
>
> -chris
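
The distinction drawn in the quoted reply, between a class-loading error raised inside a running Tomcat and a launcher message written by a JVM that was only just starting, can be checked mechanically over catalina.out. The Python below is an added example and not part of the thread; the sample log lines are constructed, and treating `org.apache.catalina.startup.Bootstrap` as the only expected main class assumes a stock Tomcat startup.

```python
import re

# Assumption: stock Tomcat startup, where the only main class handed to `java`
# is Bootstrap; any other name in a launcher message is unexpected.
EXPECTED_MAIN = {"org.apache.catalina.startup.Bootstrap"}
# Launcher wording quoted in the thread: Java 6 first, then Java 7/8.
LAUNCHER = [
    re.compile(r"Could not find the main class: (?P<cls>[\w.$]+?)\.(?:\s|$)"),
    re.compile(r"Error: Could not find or load main class (?P<cls>[\w.$]+)"),
]
CLASSLOAD = re.compile(r"java\.lang\.(?:NoClassDefFoundError|ClassNotFoundException)")
MAIN_THREAD = 'Exception in thread "main"'
# Constructed sample, not the poster's real log.
SAMPLE = """\
SEVERE: Servlet.service() for servlet default threw exception
java.lang.ClassNotFoundException: com.example.MissingHelper
Exception in thread "main" java.lang.NoClassDefFoundError: examplebadclass
Caused by: java.lang.ClassNotFoundException: examplebadclass
\tat java.net.URLClassLoader$1.run(URLClassLoader.java:217)
Could not find the main class: examplebadclass. Program will exit.
""".splitlines()


def launcher_class(line):
    """Main class named in a JVM launcher failure message, else None."""
    for pat in LAUNCHER:
        m = pat.search(line)
        if m:
            return m.group("cls")
    return None


def triage(lines):
    """Split class-loading errors into launcher failures and in-process ones."""
    launcher, in_process, in_main_trace = [], [], False
    for no, raw in enumerate(lines, 1):
        line, cls = raw.strip(), launcher_class(raw)
        if cls:
            launcher.append({"line": no, "main_class": cls,
                             "expected": cls in EXPECTED_MAIN})
            in_main_trace = False
        elif line.startswith(MAIN_THREAD):
            in_main_trace = True      # trace printed by a JVM that is starting
        elif in_main_trace and line.startswith(("Caused by:", "at ")):
            continue                  # still inside that launcher trace
        else:
            in_main_trace = False
            if CLASSLOAD.search(line):
                in_process.append(no)  # raised inside the running Tomcat
    return launcher, in_process
```

A launcher entry with `expected` set to `False` means a separate `java` invocation with an unknown main class wrote to the same output stream as Tomcat, which is the case the reply says to treat as suspicious.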