> From: Leon Rosenberg [mailto:rosenberg.l...@googlemail.com]
> Subject: Re: tomcat server hacked
>
> Have you run your tomcat as root and what is your
> kernel version?

According to the first post, Tomcat runs via jsvc with the userid Tomcat.

> If you don't run your tomcat as root and have a more or
> less up-to-date kernel without local root exploits, it's
> highly improbable that you got hacked via tomcat.

Agreed. Certainly looks like the Tomcat files have been hacked, but nothing presented so far indicates the hacking was done through Tomcat; rather, the hacking appears to have been done via some typical interactive mechanism such as telnet, SSH, or VNC. I can't think of any mechanism within Tomcat that would permit such file changes to be made. The presence of conf/server.xml~ indicates some standard text editor was used, which is obviously not possible via Tomcat. Note that Tomcat itself *never* writes server.xml.

 - Chuck
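A triage check for the editor-leftover indicator mentioned in the reply above, as an added example that is not part of the original thread: it lists backup and swap files under a Tomcat conf directory, with the owning account and whether the live file still exists. The function name and the filename patterns (common editor conventions) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find text-editor leftovers under a
# Tomcat configuration directory. A file such as conf/server.xml~ shows that
# server.xml was edited by hand, because Tomcat itself never writes it.
# Usage: sh this_script.sh "$CATALINA_BASE/conf"

# find_editor_artifacts DIR
# Prints one tab-separated line per artifact:
#   <artifact path> <owner of artifact> <live file present: yes|no>
# The owner is the account that ran the editor; compare it with the
# account Tomcat runs as.
find_editor_artifacts() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Assumed patterns: name~ (editor backup), .name.swp/.swo (vim swap),
    # name.bak / name.orig (manual or tool-made copies).
    find "$dir" -type f \( -name '*~' -o -name '.*.sw[po]' \
        -o -name '*.bak' -o -name '*.orig' \) | sort |
    while IFS= read -r f; do
        base=$(basename "$f")
        # Derive the name of the file that was being edited.
        case $base in
            *"~")      orig=${base%"~"} ;;
            .*.sw[po]) orig=${base#.}; orig=${orig%.sw[po]} ;;
            *.bak)     orig=${base%.bak} ;;
            *.orig)    orig=${base%.orig} ;;
        esac
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ -e "$(dirname "$f")/$orig" ]; then live=yes; else live=no; fi
        printf '%s\t%s\t%s\n' "$f" "$owner" "$live"
    done
}

# Run against a directory only when one is given on the command line.
if [ $# -ge 1 ]; then
    find_editor_artifacts "$1"
fi
```

An artifact owned by an account other than the Tomcat service user points to an interactive login under that account rather than to the servlet container.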