Chanaka,
On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
I'm using Tomcat 7.0.40 for hosted application. I have not configured any
user accounts for tomcat (admin, manager, user etc.). Recently my deployed
web application was damaged. Restarting tomcat recovered it back.
But it seems someone tried to access my tomcat and delete some files(I
guess class file of index.jsp as mentioned in the log). I have added my log
files [0], [1], [2] and [3]. Currently I have my jsp directory outside the
WEB-INF directory (yes, it's bad practice and I'll correct it).
Tomcat is complaining that it is not able to read class files of
compiled JSPs (index.jsp, and 401.jsp). It is not clear how are those
class files deleted -- was it through application security breach,
Tomcat, OS or local user accidentally deleted them, or changed access
privileges. From the log files I am unable to tell that.
Keep in mind that if the attacker was able to modify Tomcat's work
directory he was most certainly able to modify logs directory as well,
so there is a possibility that log files are altered.
1. Do you see any issues after looking my log files ? May be due to a bad
configuration/practice etc.
For start, remove ALL web applications you don't need -- probably
everything except your own application. If you don't use manager
application, remove it. If you do need it, configure manager application
to accept connections only from trusted IP addresses, use unexpected
username (something different from "manager", "admin" or "tomcat"), and
use strong password.
Run Tomcat service always as unprivileged user (e.g. tomcat, not root).
Start reading and practicing what is written here:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
2. And can someone delete files if there are no user accounts for tomcat ?
Tomcat process must be able to modify work, logs and temp directories,
in order to work properly. Therefore, poorly written webapp, or (less
likely) bug in Tomcat, may allow remote attacker to modify or delete
files at least in those three directories. If other Tomcat directories
are writable by user running Tomcat, attacker may also do other nasty
things (alter JSPs, install new webapps and so on). In worst case, if
you run your Tomcat service as user root, a bug in your webapp might
allow attacker to take full control over your server.
-Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
