Just a quick shot. Have you run your Tomcat as root, and what is your kernel version?

If you don't run your Tomcat as root and have a more or less up-to-date kernel without local root exploits, it's highly improbable that you got hacked via Tomcat. Do you have anything that proves it anyway? :-)

Best regards,
Leon

On Tue, Aug 18, 2009 at 3:45 PM, Nick Knol <nickk...@gmail.com> wrote:
> First post, sorry if I'm breaking protocol. I could really use help
> tightening up security with the Tomcat web server I'm running. A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again. I've been setting up a Tomcat web server with the native APR
> library on a Linux box and it looks like I got hacked through it. I've been
> using iptables, ssh, and vncserver to log in to the box and have been as
> careful as I know how to be with security in that regard (although it's quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ Tomcat as you'll see). Here is the server info:
>
> Tomcat Version: Apache Tomcat/6.0.14
> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files. I'm starting Tomcat through
> jsvc using the following script in init.d:
>
> #!/bin/sh
> #
> # Startup script for Tomcat
> #
> # chkconfig: - 2345 86 15
> # description: Tomcat is a JSP server.
> # processname: tomcat
> # pidfile: /var/run/jsvc.pid
>
> . /etc/init.d/functions
>
> JAVA_HOME=/usr/java/latest
> CATALINA_HOME=/opt/tomcatus/tomcat
> CATALINA_BASE=/opt/tomcatus/tomcat
> DAEMON_HOME=$CATALINA_HOME/bin
> # jsvc binds the ports as root, then drops to this user before running the JVM
> TOMCAT_USER=tomcat
>
> TMP_DIR=/var/tmp
> PID_FILE=/var/run/jsvc.pid
>
> CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
> JAVA_OPTS="-Xms256m -Xmx512m -Dhttp.nonProxyHosts=localhost|127.0.0.1|forecaster -XX:MaxPermSize=256m"
> # '==' makes catalina.policy the only policy file; the JRE's default policy is not merged in
> SECURITY_OPTS="-Djava.security.manager -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy"
>
> CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
>
> start() {
>     # Start Tomcat
>     echo "Starting Tomcat"
>     # note: this throws away the previous catalina.out on every start
>     rm -f $CATALINA_HOME/logs/catalina.out
>     $DAEMON_HOME/jsvc \
>         -user $TOMCAT_USER \
>         -home $JAVA_HOME \
>         -Dcatalina.home=$CATALINA_HOME \
>         -Dcatalina.base=$CATALINA_BASE \
>         -Djava.io.tmpdir=$TMP_DIR \
>         -wait 10 \
>         -pidfile $PID_FILE \
>         -outfile $CATALINA_HOME/logs/catalina.out \
>         -errfile '&1' \
>         $CATALINA_OPTS \
>         $JAVA_OPTS \
>         $SECURITY_OPTS \
>         -cp $CLASSPATH \
>         org.apache.catalina.startup.Bootstrap
> }
>
> stop() {
>     # Stop the daemon recorded in the pidfile
>     echo "Stopping Tomcat"
>     $DAEMON_HOME/jsvc \
>         -stop \
>         -pidfile $PID_FILE \
>         org.apache.catalina.startup.Bootstrap
> }
>
> case "$1" in
>     start)
>         start
>         ;;
>     stop)
>         stop
>         ;;
>     restart)
>         stop
>         start
>         ;;
>     *)
>         echo "Usage $0 (start|stop|restart)"
>         exit 1;;
> esac
>
> exit $?
>
> Here are the things that have been messed up on the machine:
>
> - My user account was deleted
>
> - /etc/ssh/ssh_host_key.pub file was modified (one key added, another
>   deleted)
>
> - my user home directory was added to
>   $CATALINA_HOME/webapps/<app_name>/META-INF/<username>
>
> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> <!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>   <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>       prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>
>   <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>> ntext path="/forecasterDemo" docBase="ForecasterDemo"/>>ROOT
>
> - file $CATALINA_HOME/conf/server.xml~ was added:
>
>   <Engine name="Catalina"
> defaultHost="www.analysisfactory.biz">/>em"/>l="TLS""TLS"/>"443"
> />-->->
>   <Alias>analysisfactory.biz</Alias>Aware="false">"
> unpackWARs="true" autoDeploy="false"sword"
>
>
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>       prefix="localhost." pattern="common"
> resolveHosts="false"/>
>
>
>   <!-- <Valve
> className="org.apache.catalina.valves.RequestDumperValve"/> -->
> </Server>ce>>ame="org.apache.catalina.valves.RequestDumperValve"/>o"/>>ROOT
>
> Does anyone recognize these symptoms and could possibly point me to a fix?
> Thanks a million.
>
> -Nick
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
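Leon's two questions (is the Tomcat JVM running as root, and which kernel is this) and Nick's own remark about loose file permissions under $CATALINA_HOME can be checked in one go. The script below is an added example written for this page, not code from either poster or from the Tomcat project. It assumes a Linux host with the usual ps/awk/find; the CATALINA_HOME and TOMCAT_USER defaults are copied from Nick's init script and are assumptions for any other install, and the ps sample it carries is constructed for the offline demo.

```shell
#!/bin/sh
# Added example for this thread (not Leon's, Nick's or Tomcat's code).
# Three post-incident checks on a Tomcat host:
#   1. does any Tomcat JVM belong to root?
#   2. which kernel is running?
#   3. what under $CATALINA_HOME is not owned by the Tomcat user, or is
#      group/world writable, so that any local user (or a hijacked webapp)
#      can rewrite conf/server.xml or drop a JSP into webapps/?
# Assumes Linux with ps/awk/find. CATALINA_HOME and TOMCAT_USER defaults are
# the values from Nick's init script; they are assumptions for other installs.

# Users owning a Tomcat JVM, one per line, from `ps -eo user=,args=` text on
# stdin. Keyed on the Bootstrap class so it works for jsvc and catalina.sh.
tomcat_users() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1 }' | sort -u
}

# Exit 0 when no Tomcat JVM in the ps text on stdin belongs to root.
tomcat_not_root() {
    ! tomcat_users | grep -qx root
}

# Paths under $1 that are not owned by $2, or are group/world writable.
# Octal -perm tests are used so BusyBox find works as well as GNU find.
bad_perms() {
    find "$1" \( ! -user "$2" -o -perm -0002 -o -perm -0020 \) -print | sort
}

# Kernel release, to compare against the distribution's security errata.
kernel_version() {
    uname -r
}

# Constructed sample of `ps -eo user=,args=` output (not from a real host).
# The third line is the bad case: a second Tomcat instance started as root.
SAMPLE_PS='root     /usr/sbin/sshd -D
tomcat   /opt/tomcatus/tomcat/bin/jsvc -user tomcat org.apache.catalina.startup.Bootstrap
root     /usr/java/latest/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start'

# Offline demo on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_PS" | tomcat_users
    if printf '%s\n' "$SAMPLE_PS" | tomcat_not_root; then
        echo "ok: no Tomcat JVM as root"
    else
        echo "WARNING: a Tomcat JVM is running as root"
    fi
}

# Live check of this machine.
live() {
    CATALINA_HOME=${CATALINA_HOME:-/opt/tomcatus/tomcat}
    TOMCAT_USER=${TOMCAT_USER:-tomcat}
    echo "kernel: $(kernel_version)"
    echo "tomcat JVM owners: $(ps -eo user=,args= | tomcat_users | tr '\n' ' ')"
    if ps -eo user=,args= | tomcat_not_root; then
        echo "ok: no Tomcat JVM as root"
    else
        echo "WARNING: a Tomcat JVM is running as root"
    fi
    echo "not owned by $TOMCAT_USER, or group/world writable, under $CATALINA_HOME:"
    bad_perms "$CATALINA_HOME" "$TOMCAT_USER"
}

case "${1:-}" in
    --live) live ;;
    --demo) demo ;;
esac
```

Run it with `--demo` to see the checks on the constructed sample, or `--live` (as root, so `find` can read every file) on the box itself. Anything `bad_perms` prints is something a compromised webapp could have edited regardless of how the attacker got in, which is exactly the distinction Leon's question is driving at.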