Yes, I rebuilt the server from scratch. Fortunately, we have virtual
machines, so we can revert to a factory build by just reverting to a
snapshot. That is the same as moving to a fresh OS without anything
installed.

Moving servers means we moved it physically from one box to another. The IP
and DNS stay the same when we move.

BTW: can I take off all the apps from webapps, except ROOT and myApp?
The hacker or virus is probably exploiting some vulnerability in them. As
of now, Tomcat is running after restarting the whole box, but I am
afraid that it will shut down or crash.

Thanks to all who are contributing.

On Thu, Jan 22, 2009 at 12:14 PM, Gregor Schneider
<rc4...@googlemail.com> wrote:
> Toby,
>
> On Thu, Jan 22, 2009 at 5:27 PM, Toby Kurien <tobyis7...@gmail.com> wrote:
>> Thanks, Gregor. We are looking at setting up on Linux, but that is
>> going to take longer to get a LIVE environment up and running. I have
>> in the past already set up Tomcat from scratch 2-3 times, and the
>> infection just keeps coming. The only open port is 80, and network access
>> is disabled.
>>
>
> Did you setup Tomcat only or did you setup the complete server incl.
> the OS (Windows)?
>
> I know setting up the server from scratch is a PITA, however, I
> believe you don't have any other choice.
>
> In Windows, the virus usually will reside somewhere outside of Tomcat.
>
> Therefore, you should set up the OS first (preferably from CD/DVD),
> then a fresh JDK download, then a fresh Tomcat download.
> You should also check the integrity of the downloads. For Tomcat,
> that's pretty easy (see http://tomcat.apache.org/download-60.cgi,
> "Release Integrity"); for the JDK, however, I'm not aware of any
> integrity check.
>
>> In fact, one of my previous builds on another machine
>> that was similarly infected now stops showing signs of it after we
>> moved the server. So it seems the DNS (URL) is compromised and only
>> that machine is hacked/infected.
>>
>
> What exactly do you mean by "moved the server"? Did you assign a different IP?
>
> Gregor
> --
> just because you're paranoid, doesn't mean they're not after you...
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
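As an added example, not part of the thread and not code from the Tomcat project, the script below covers the two rebuild-time steps discussed above: checking the downloaded Tomcat archive against the checksum file published next to it (Gregor's "Release Integrity" step), and emptying webapps/ of everything except an allow-list (Toby's question about keeping only ROOT and myApp). Instead of deleting the extra apps it moves them to a quarantine directory so the dropped payload can still be examined. The file names, directory layout, allow-list and the use of a .sha512 file are assumptions for illustration; the 2009 mirrors published .md5 and .asc files, so adapt the pattern to whatever the download page lists.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rebuild-time hygiene for a
# Tomcat install.  All paths, names and the allow-list are illustrative.
#   verify_checksum  - compare an archive with the "<hex> *<name>" checksum file
#                      published beside it on the mirror
#   prune_webapps    - move every entry in webapps/ that is not on the allow-list
#                      into a quarantine directory (evidence for the investigation)

sha512_of() {
    # Print the SHA-512 hex digest of "$1" (coreutils, or perl shasum fallback).
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum ARCHIVE CHECKSUM_FILE
# Returns 0 only when the first digest in CHECKSUM_FILE equals the digest of
# ARCHIVE.  A missing, empty or malformed checksum file fails closed.
verify_checksum() {
    archive=$1; sums=$2
    [ -f "$archive" ] && [ -f "$sums" ] || return 1
    expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
    actual=$(sha512_of "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# prune_webapps WEBAPPS_DIR QUARANTINE_DIR KEEP...
# Moves every directory or .war under WEBAPPS_DIR (dot-entries included, since
# attackers like to hide there) whose name is not in KEEP into QUARANTINE_DIR.
# QUARANTINE_DIR must lie outside WEBAPPS_DIR.  Stop Tomcat before running
# this, or the deployer will race you.  Prints the number of entries moved.
prune_webapps() {
    webapps=$1; quarantine=$2; shift 2
    keep=" $* "
    mkdir -p "$quarantine" || return 1
    moved=0
    for entry in "$webapps"/* "$webapps"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal
        name=${entry##*/}
        base=${name%.war}                    # myApp.war and myApp/ share a key
        case "$keep" in
            *" $base "*) continue ;;          # on the allow-list: keep it
        esac
        mv "$entry" "$quarantine/" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Typical use on a freshly rebuilt box (assumed paths):
#   verify_checksum apache-tomcat-6.0.tar.gz apache-tomcat-6.0.tar.gz.sha512 \
#       || { echo "download does not match published digest" >&2; exit 1; }
#   prune_webapps /opt/tomcat/webapps /var/quarantine/webapps-$(date +%s) ROOT myApp
```

Two caveats a practitioner would add. A checksum fetched from the same mirror as the archive only proves the transfer was not corrupted; to detect a tampered mirror, verify the detached .asc signature with gpg against the KEYS file on tomcat.apache.org. And webapps/ is not the only deployment path: Tomcat also deploys anything referenced by a context XML file under conf/Catalina/localhost/, so review those files (and any docBase they point to outside webapps/) before concluding that only ROOT and myApp are deployed.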
