I would assume a compromised password as well, but am I fair in assuming that the break-in was via a manager login?
The odd thing (in my mind at least) was that a shell was executed as a child process of tomcat and then the port scanner under that... but I don't see any new web-apps being installed.

"David Smith" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> It's possible (anything is possible), but not likely with a default
> install. I would look at all the services running on that server. If you
> focus on your tomcat server to the detriment of other services, you will
> miss critical forensic evidence. The tomcat user account may have just
> had a weaker password or been the victim of chance.
> Some things to consider: Do you or any of your users use the tomcat
> credentials over the network (via fileshare, ftp, weblogin, etc., ...)?
> Is the connection used in such login encrypted?
> Also, what other services will accept the tomcat user account as a valid
> login?
>
> Lastly, most servers can be configured not to accept certain account
> logins over the network. This may be a way to improve your security for
> the future. Tomcat by default does not use its credentials over the
> network. It just uses those credentials to run itself and access files on
> the local system.
>
> --David
>
> hv @ Fashion Content wrote:
>
>>I had an incident on my server the other day where someone had successfully
>>broken into the server to execute a port scanner.
>>
>>The port scanner was running under the tomcat process so I assume the
>>break-in was done by getting through the Tomcat manager app.
>>
>>At first I feared that I had made a blunder and left the standard tomcat
>>user as manager, but that wasn't the case. Actually while the UserDatabase
>>is defined in the setup it isn't used as I use a JNDIRealm pointing to
>>OpenLDAP where only one manager account is defined.
>>
>>So did they just use brute force, or might there be another way they could
>>have gotten in?
>>
>>Henrik
>>http://www.blingon.com
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
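
The process tree described in this thread (a shell running as a child of the Tomcat process, with the port scanner under it) is something a periodic check can flag. The following is an added example, not part of the original posts: it assumes Tomcat runs as user `tomcat` with process name `java`, and the `ps` listing, PIDs and the function names are constructed for illustration.

```python
# Added example: flag shells, and anything launched from them, under a Tomcat JVM.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from the incident).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 tomcat   java
  901     1 root     sshd
 1440   901 henrik   bash
 2210   812 tomcat   sh
 2215  2210 tomcat   scanner
"""

def parse_ps(text):
    """Parse the four-column ps listing into {pid: {ppid, user, comm}}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = {"ppid": int(parts[1]), "user": parts[2],
                                    "comm": parts[3].strip()}
    return procs

def shells_under_service(procs, service_user="tomcat", service_comm="java"):
    """Return (pid, comm, ancestry) for every process that descends from the
    service JVM through at least one shell. service_user/service_comm are
    assumptions about how Tomcat is run on the host being checked."""
    roots = {pid for pid, p in procs.items()
             if p["user"] == service_user and p["comm"] == service_comm}
    findings = []
    for pid, p in sorted(procs.items()):
        chain, cur, seen = [], pid, set()
        # Walk parent links upward until we hit the JVM, leave the table, or loop.
        while cur in procs and cur not in seen and cur not in roots:
            seen.add(cur)
            chain.append(cur)
            cur = procs[cur]["ppid"]
        if cur in roots and any(procs[c]["comm"] in SHELLS for c in chain):
            findings.append((pid, p["comm"], [cur] + chain[::-1]))
    return findings

if __name__ == "__main__":
    for pid, comm, ancestry in shells_under_service(parse_ps(SAMPLE_PS)):
        print(f"ALERT pid={pid} comm={comm} ancestry={ancestry}")
```

A servlet container has little reason to spawn an interactive shell, so any hit is worth correlating with the access logs for the same time window.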