In the meanhile I would strongly suggest you run locally so you can control the environment-

Martin --
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed.  If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy.  Thank you.

----- Original Message ----- From: "Leon Rosenberg" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, June 11, 2006 3:56 AM
Subject: Re: a compromised tomcat server


On 6/10/06, hv @ Fashion Content <[EMAIL PROTECTED]> wrote:
I had an incident on my server the other day where someone had succesfully
broken into the server to execute a port scanner.

do you have any kind of logs?


The port scanner was running under the tomcat process so I assume the
breakin was done by getting through the Tomcat manager app.

When you say under the tomcat process, what do you mean:
same process id as java org.apache.catalina.startup.Bootstrap start ?
or same a child process of the tomcat process, or just the same userid?

regards
Leon


At first I feared that I had made a blunder and left the standard tomcat
user as manager, but that wasn't the case. Actually while the UserDatabase
is defined in the setup it isn't used as I use a JNDIReam pointing to
OpenLDAP where only one manager account is defined.

So did they just use brute force, or might there be another way they could
have gotten in?

Henrik
http://www.blingon.com




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to