just a quick shot. Have you run your tomcat as root and what is your
kernel version?

If you don't run your tomcat as root and have a more or less up-to-date
kernel without local root exploits, it's highly improbable that
you got hacked via tomcat.
Do you have anything that proves it anyway? :-)


best regards
Leon

On Tue, Aug 18, 2009 at 3:45 PM, Nick Knol<nickk...@gmail.com> wrote:
> First post, sorry if I'm breaking protocol.  I could really use help
> tightening up security with the tomcat web server I'm running.  A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again.   I've been setting up a tomcat web server with the native apr
> library on a linux box and it looks like I got hacked through it.  I've been
> using iptable, ssh, and vncserver to login to the box and have been as
> careful as I know how to be with security in that regard (although it's quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ tomcat as you'll see).    Here is the server info:
>
> Tomcat Version: Apache Tomcat/6.0.14
> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
>
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful  about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files.  I'm starting tomcat through
> jsvc using the following script in init.d:
>
> #!/bin/sh
> #
> # Startup script for Tomcat
> #
> # chkconfig: - 2345 86 15
> # description: Tomcat is a JSP server.
> # processname: tomcat
> # pidfile: /var/run/jsvc.pid
>
> . /etc/init.d/functions
>
> JAVA_HOME=/usr/java/latest
> CATALINA_HOME=/opt/tomcatus/tomcat
> CATALINA_BASE=/opt/tomcatus/tomcat
> DAEMON_HOME=$CATALINA_HOME/bin
> TOMCAT_USER=tomcat
>
> TMP_DIR=/var/tmp
> PID_FILE=/var/run/jsvc.pid
>
> CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
> JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
> SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"
> CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
>
> start() {
>     # Start Tomcat
>     echo "Starting Tomcat"
>     rm -f $CATALINA_HOME/logs/catalina.out
>     $DAEMON_HOME/jsvc \
>     -user $TOMCAT_USER \
>     -home $JAVA_HOME \
>     -Dcatalina.home=$CATALINA_HOME \
>     -Dcatalina.base=$CATALINA_BASE \
>     -Djava.io.tmpdir=$TMP_DIR \
>     -wait 10 \
>     -pidfile $PID_FILE \
>     -outfile $CATALINA_HOME/logs/catalina.out \
>     -errfile '&1' \
>     $CATALINA_OPTS \
>     $JAVA_OPTS \
>     $SECURITY_OPTS \
>     -cp $CLASSPATH \
>     org.apache.catalina.startup.Bootstrap
> }
> case "$1" in
>   start)
>     start
>     ;;
>   *)
>     echo "Usage $0 (start|stop|status|restart|log)"
>     exit 1;;
> esac
>
> exit $?
>
>
>
> Here are the things that have been messed up on the machine:
>
> -My user account was deleted
>
>
> -/etc/ssh/ssh_host_key.pub file was modified (one key added, another
> deleted)
>
>
> -my user home directory was added to
> $CATALINA_HOME/webapps/<app_name>/META-INF/<username>
>
>
> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> <!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>             <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>                       prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>
>      <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT
>
>
>
>
> -file $CATALINA_HOME/conf/server.xml~ was added:
>
>    <Engine name="Catalina"
> defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
> />-->->
>             <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>                       prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>
>      <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT
>
>
>
>
>
> Does anyone recognize these symptoms and could possibly point me to a fix?
>  Thanks a million.
>
> -Nick
>

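As an added example, not taken from Leon's or Nick's mail, here is a small POSIX shell check for the two points raised above: whether the Tomcat JVM is running as root, and whether the files under $CATALINA_HOME that Nick says he was careless about (conf/, bin/, lib/) can be changed by the service account. The path /opt/tomcatus/tomcat and the user name tomcat are taken from Nick's init script; the ps output and the temporary directory tree used by the demo functions are constructed here so the script runs offline, and nothing in it reflects what was actually found on Nick's box.

```shell
#!/bin/sh
# Added example (not part of the thread). Paths and user name follow Nick's
# init.d script; the sample data below is constructed for the demo.

# 1. Report Tomcat JVMs running as root. Reads `ps -eo user,comm,args` output
#    on stdin. With jsvc, a small root-owned launcher process (comm "jsvc") is
#    expected; the JVM that actually serves requests must be the service user,
#    so a Bootstrap process whose user is root and whose comm is not jsvc is
#    reported.
root_tomcat_processes() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ && $1 == "root" && $2 !~ /^jsvc/ {
        print "ROOT JVM: " $0
    }'
}

# 2. List regular files under conf/, bin/ and lib/ that the service user could
#    modify: owned by that user, or writable by everyone (-perm -002). These
#    directories should be owned by root and read-only for the service account;
#    only logs/, temp/, work/ and webapps/ need to be writable by it.
writable_by_service_user() {
    home="$1"; user="$2"
    for sub in conf bin lib; do
        [ -d "$home/$sub" ] || continue
        find "$home/$sub" -type f \( -user "$user" -o -perm -002 \) -print
    done
}

# Count helpers (awk END never fails, unlike `grep -c` on zero matches).
count_lines() { awk 'END { print NR }'; }

# Constructed ps sample: a jsvc launcher (root, expected), its worker (tomcat),
# a JVM started by hand as root (the finding), and an unrelated process.
SAMPLE_PS='root jsvc jsvc.exec -user tomcat -cp /opt/tomcatus/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap
tomcat jsvc jsvc.exec -user tomcat -cp /opt/tomcatus/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap
root java /usr/java/latest/bin/java -cp /opt/tomcatus/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
root sshd /usr/sbin/sshd'

# Demo of check 1 on the constructed sample: returns the number of findings.
demo_root_jvm_count() {
    printf '%s\n' "$SAMPLE_PS" | root_tomcat_processes | count_lines
}

# Demo of check 2 on a throwaway directory tree: one world-writable conf file
# (flagged), one 644 bin file owned by someone other than the service user
# (not flagged), and a writable log file outside the checked directories.
demo_writable_count() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf" "$tmp/bin" "$tmp/logs"
    printf '<Server/>\n' > "$tmp/conf/server.xml"
    : > "$tmp/bin/catalina.sh"
    : > "$tmp/logs/catalina.out"
    chmod 644 "$tmp/bin/catalina.sh"
    chmod 666 "$tmp/conf/server.xml"
    chmod 666 "$tmp/logs/catalina.out"
    # Pick a service uid that does not own the files we just created.
    svc_user=root
    if [ "$(id -u)" -eq 0 ]; then svc_user=65534; fi
    n=$(writable_by_service_user "$tmp" "$svc_user" | count_lines)
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# Run against the real host with: sh check-tomcat.sh --live
if [ "${1:-}" = "--live" ]; then
    ps -eo user,comm,args | root_tomcat_processes
    writable_by_service_user "${CATALINA_HOME:-/opt/tomcatus/tomcat}" "${TOMCAT_USER:-tomcat}"
fi
```

Any line from the first check, or any path from the second, is something to fix before the next restart: the JVM should only ever be the -user account, and the conf/, bin/ and lib/ trees should be owned by root with no write bit for that account.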
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org