I have a situation where I have had "Kinsing" crypto-mining software get installed twice on a VM that runs Liferay and Tomcat.  Based on what I have read about this cryto-miner, it seems to target Linux VM's running Docker images and/or an open redis port.  I have none of that on this VM.

The VM is running CentOS 8.   The tomcat version I am running is 8.0.32, java openjdk version "1.8.0_252" OpenJDK Runtime Environment (build 1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode).  It is hosting  Liferay 7.0.4 GA5.

The VM running Tomcat/Liferay is served through reverse proxy listening on port 443 and passes traffic back to the Tomcat instance listening on 7080.  The VM has ONLY ports 7080, 7009, and 7005 open (firewalld)  I am trying to sort out how the crypto miner has installed itself.  Originally, I had a CentOS 7 VM but after the first episode, I started from scratch, locked down the VM and re-installed the Liferay bundle with Tomcat 8.0.32.  After about 2 weeks, the miner was back.  I can't figure out how it is installing itself.  I read through the CVE's on this version of Tomcat and nothing jumped out at me.  We don't use JMX or AJP. It's just Tomcat with Liferay.

I am starting here since it's only the TC port that is open and yes, it's possible that Liferay may have a vulnerability.  I just need ideas on where to start looking.  I am going to try to jump to the latest Liferay/Tomcat bundle but it isn't an easy upgrade and may take a bit....

Pete Helgren
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek  IBM_i_Geek

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to