Nick Knol wrote:
> First post, sorry if I'm breaking protocol. I could really use help
> tightening up security with the tomcat web server I'm running. A hacker got
> in and trashed a bunch of files and I'm scared to death it will happen
> again. I've been setting up a tomcat web server with the native apr
> library on a linux box and it looks like I got hacked through it. I've been
> using iptable, ssh, and vncserver to login to the box and have been as
> careful as I know how to be with security in that regard (although it's quite
> possible I've made a mistake there, I have reason to believe that the fault
> lies w/ tomcat as you'll see).

I've read your e-mail and I don't see. What makes you think Tomcat is the
source of the infection?

> Tomcat Version: Apache Tomcat/6.0.14

See http://tomcat.apache.org/security-6.html for a host of very good reasons
to upgrade to 6.0.20 asap.

> OS Name: Linux
> OS Version: 2.6.18-128.1.6.el5xen
> OS Architecture: amd64
> JVM Version: 1.6.0_14-b08
>
> JVM Vendor: Sun Microsystems Inc.
>
> One thing that I definitely was not careful about was file permissions w/
> regard to my home database and $CATALINA_HOME, so that's probably how the
> hacker managed to screw around with my files. I'm starting tomcat through
> jsvc using the following script in init.d:

Your files are very hard to read with lots of extra * characters and odd line
breaks.

> - $CATALINA_HOME/conf/server.xml was changed to this:
>
> *<!--<Valve
> className="org.apache.catalina.valves.RequestDumperValve"/>-->LS""TLS"/>"443"
> />-->->*

That makes no sense. I don't think Tomcat would even start if that was what is
really in that file. Any chance of a cleaner copy?

> Does anyone recognize these symptoms and could possibly point me to a fix?
> Thanks a million.

It doesn't match any of the infection patterns that I am aware of. Those
nearly always come down to manager apps with very weak passwords. Since the
config files don't make much sense, it is hard to see what the attacker was
trying to do.

Mark
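
Added example, not part of the original message and not Tomcat's own code: a check of `tomcat-users.xml` for the cause Mark names, manager accounts with very weak passwords. The password list, the 12-character minimum and the sample file are assumptions constructed for illustration, and the check only applies to plaintext passwords.

```python
import xml.etree.ElementTree as ET

# "manager"/"admin" are the Tomcat 6 role names; the -gui/-script forms are Tomcat 7+.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}
# Constructed list of common default passwords (assumption; use your own policy list).
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "changeit", "s3cret"}
MIN_LENGTH = 12  # assumed local policy


def weak_reasons(username, password):
    """Return why a plaintext password is weak (digested passwords are not handled)."""
    if not password:
        return ["empty password"]
    reasons = []
    if password.lower() == username.lower():
        reasons.append("same as username")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common default")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons


def audit_tomcat_users(xml_text):
    """Return {username: [reasons]} for manager/admin users with weak passwords."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced root
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & PRIVILEGED_ROLES:
            continue
        reasons = weak_reasons(name, el.get("password", ""))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample, not taken from the poster's server.
SAMPLE = """<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
  <user username="deploy" password="Xq7#vL2p-Rt9w!Kd" roles="manager,admin"/>
  <user username="report" password="abc" roles="reader"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE))
```

On a real install, pass the contents of `$CATALINA_HOME/conf/tomcat-users.xml` to `audit_tomcat_users` instead of the sample.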