Yes, you should remove all other webapps ("manager", "examples", etc.). You can remove ROOT too, unless you've put files in there that you need to serve. -- Len
On Thu, Jan 22, 2009 at 14:50, Toby Kurien <tobyis7...@gmail.com> wrote:
> Yeah, I rebuilt the server from scratch. Fortunately, we have virtual
> machines so we can revert to a factory build by just reverting to a
> snapshot. That is the same as moving to a fresh OS without anything
> installed.
>
> Moving servers means we moved it physically from one box to another. IP
> and DNS stay the same when we move.
> Btw: Can I take off all the apps from webapps, except ROOT and myApp?
> The hacker or virus is probably exploiting some vulnerability in them. As
> of now, Tomcat is running after restarting the whole box, but I am
> afraid it will shut down or crash.
>
> Thanks to all who are contributing.
>
> On Thu, Jan 22, 2009 at 12:14 PM, Gregor Schneider
> <rc4...@googlemail.com> wrote:
>> Toby,
>>
>> On Thu, Jan 22, 2009 at 5:27 PM, Toby Kurien <tobyis7...@gmail.com> wrote:
>>> Thanks Gregor. We are looking at setting up in Linux, but that is
>>> going to take longer to get a LIVE environment up and running. I have
>>> in the past already set up Tomcat from scratch 2-3 times and the
>>> infection just keeps coming. The only open port is 80 and network access
>>> is disabled.
>>>
>>
>> Did you set up Tomcat only or did you set up the complete server incl.
>> the OS (Windows)?
>>
>> I know setting up the server from scratch is a PITA, however, I
>> believe you don't have any other choice.
>>
>> In Windows, the virus usually will reside somewhere outside of Tomcat.
>>
>> Therefore, you should set up the OS first (preferably from CD/DVD),
>> then a fresh JDK download, then a fresh Tomcat download.
>> You should also check the integrity of the downloads. For Tomcat,
>> that's pretty easy (see http://tomcat.apache.org/download-60.cgi,
>> "Release Integrity"); for the JDK, however, I'm not aware of any
>> integrity check.
>>
>>> In fact, one of my previous builds on another machine
>>> that was similarly infected now stops showing signs of it after we
>>> moved the server. So it seems the DNS (url) is compromised and only
>>> that machine is hacked/infected into.
>>>
>>
>> What exactly do you mean by "moved the server"? Did you assign a different
>> IP?
>>
>> Gregor
>> --
>> just because you're paranoid, doesn't mean they're not after you...
>> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
>> gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
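Two checks that follow from the advice in this thread (strip webapps/ down to the applications you actually need, and verify the integrity of a fresh Tomcat download before unpacking it), written up as an added example; this is not code from the thread, from the list members, or from the Tomcat project. It assumes POSIX sh with coreutils sha512sum (falling back to shasum), and every directory, application name and digest in it is a constructed placeholder rather than a value from a real installation.

```shell
#!/bin/sh
# Added example (not from the list thread or the Tomcat project).
#   audit_webapps  - report everything under webapps/ that is not on an
#                    allowlist, so stock apps left behind (manager, examples,
#                    docs, ...) or an unexpected WAR stand out for removal.
#   verify_sha512  - compare a downloaded archive against the digest published
#                    beside it before unpacking (the "Release Integrity" step).
# Assumptions: POSIX sh; sha512sum or shasum available; names are placeholders.

# audit_webapps WEBAPPS_DIR ALLOWED_NAME...
# Prints one line per unexpected exploded directory or .war file.
# Returns 1 if anything unexpected was found, 0 otherwise.
audit_webapps() {
    dir=$1
    shift
    found=0
    for entry in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that case.
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        name=${name%.war}              # foo.war and foo/ are the same application
        allowed=0
        for a in "$@"; do
            if [ "$name" = "$a" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "unexpected webapp: $entry"
            found=1
        fi
    done
    return "$found"
}

# verify_sha512 FILE EXPECTED_HEX_DIGEST
# Returns 0 when the file's SHA-512 digest equals the published one.
verify_sha512() {
    file=$1
    expected=$2
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Demonstration on a constructed webapps tree (not a real install): only
# ROOT and myApp are wanted, so manager, examples and docs.war get flagged.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ROOT" "$tmp/myApp" "$tmp/manager" "$tmp/examples"
    : > "$tmp/docs.war"
    rc=0
    audit_webapps "$tmp" ROOT myApp || rc=$?
    echo "audit exit status: $rc"
    rm -rf "$tmp"
    return "$rc"
}

demo || :   # a non-zero status is the expected result for the sample tree
```

Against a live install you would call `audit_webapps /path/to/tomcat/webapps ROOT myApp` and remove whatever it lists, and `verify_sha512 apache-tomcat-<version>.tar.gz <digest from the download page>` before unpacking a fresh download. The .war/directory folding matters because Tomcat auto-deploys a WAR into a directory of the same name, so both forms represent one application.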