On 5/16/2018 11:13 AM, Kiran Badi wrote:
> Yes tomcat is not starting up. I am also suspecting that EC2 instance was
> probably compromised. Not sure as how but I see some rogue programs were
> running under tomcat user. I use putty with private keys to login and those
> keys are not in public view for sure.
>
> These programs were talking to some servers based out of China, Russia and
> Germany with tcp, http and stratum-tcp protocol with jsonp as data exchange
> format. I am not sure as how they got access to my ec2 instance and got
> themselves installed.
>
> I did some initial analysis on this one and have put those files in my g
> drive which I have made public. I suspect either they have used tomcat to
> gain access or they might have used yum updates for getting access to ec2
> instance.

Because the evil software is/was running as the tomcat user, it is likely that a vulnerability in Tomcat or a vulnerability in the application(s) you're running in tomcat was the entry point. Your logs may provide clues, but it's also possible that information about exactly how they broke in isn't available.

Information in the jwzckuz.cf file you provided indicates that this is a crypto-mining program for the monero crypto-currency. They're using your system resources to mine currency for themselves.

The Java Hotspot warning you received during startup indicates that Java was not able to allocate memory from the operating system. The information in the hotspot error log (near the end, from /proc/meminfo) says that this machine only has 1GB of total memory, and that at the time of the crash, 899240KB of that was actively being used. There wasn't enough memory for Java to allocate what it was being asked to allocate.

Depending on how much memory the programs added by the attacker are using, killing them might allow Tomcat to start up.

Thanks,
Shawn
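A small triage helper for the two points in the reply above (does the JVM heap fit in what /proc/meminfo reports, and which processes under the tomcat account are not the JVM), added here as an example and not code from either poster; it runs on constructed snapshots rather than the live system, and the process names and figures are placeholders chosen to mirror the numbers quoted in the thread.

```python
import re

# Constructed sample inputs (not from the original thread). The meminfo
# numbers are chosen so that MemTotal - MemAvailable equals the 899240 kB
# "in use" figure the reply quotes from the hotspot error log.
SAMPLE_MEMINFO = """MemTotal:        1016884 kB
MemFree:           60920 kB
MemAvailable:     117644 kB
Cached:            78000 kB
"""

# Constructed `ps -eo user,pid,rss,comm` listing; 'rogue-bin' is a placeholder.
SAMPLE_PS = """USER       PID    RSS COMMAND
root         1   6200 systemd
tomcat    2140  41200 java
tomcat    3371 612000 rogue-bin
ec2-user  4010   3100 sshd
"""

def parse_meminfo(text):
    """Map /proc/meminfo field names to their values in kB (lines without kB skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(\w+):\s+(\d+)\s*kB", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def parse_ps(text):
    """Parse `ps -eo user,pid,rss,comm` output (header skipped) into dicts; RSS is kB."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append({"user": parts[0], "pid": int(parts[1]),
                         "rss_kb": int(parts[2]), "comm": parts[3]})
    return rows

def triage(meminfo_text, ps_text, xmx_kb, service_user="tomcat", jvm_comm="java"):
    """Report headroom for a heap of xmx_kb and flag non-JVM processes owned by
    the service account, which is how a payload running as that user shows up."""
    mem = parse_meminfo(meminfo_text)
    # MemAvailable is the kernel's estimate; fall back to MemFree+Cached on old kernels.
    available = mem.get("MemAvailable", mem.get("MemFree", 0) + mem.get("Cached", 0))
    unexpected = [p for p in parse_ps(ps_text)
                  if p["user"] == service_user and p["comm"] != jvm_comm]
    reclaimable = sum(p["rss_kb"] for p in unexpected)
    return {
        "mem_total_kb": mem["MemTotal"],
        "used_kb": mem["MemTotal"] - available,
        "heap_fits": available >= xmx_kb,
        "unexpected": unexpected,
        "heap_fits_after_kill": available + reclaimable >= xmx_kb,
    }
```

On the live box the same snapshots come from `cat /proc/meminfo` and `ps -eo user,pid,rss,comm`; compare xmx_kb with the -Xmx value in Tomcat's JAVA_OPTS.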