Haris Hasan

since Feb 06, 2014

Recent posts by Haris Hasan

OK, here is what works...

I have a user X. In the home directory of X I have the JDK (with the JRE inside), Tomcat and some other things. I have a tomcat user. If I give the tomcat user '5/rx' permission on the home directory of X, everything seems to work fine.
8 years ago
I manually downloaded and set up the JDK from the Oracle site. I am not sure if the tomcat user even needs access to java, jre and javac. But even if I specify the root user (for testing purposes) while launching jsvc I get the same error. I have tried almost everything, not sure what's wrong.

I really appreciate your help.
8 years ago
While trying to do what you suggested I found that the following commands are not accessible to the tomcat user while they are to root:

java, javac, jar

I simply get "command not found" when I run jar as the tomcat user.
8 years ago
I am afraid it didn't change anything. And the volume is not read-only.
8 years ago
I noticed this too. In order to make sure it's a rights issue I have set the rights to 777 (temporarily) for the whole tomcat folder. But I still get this error, which doesn't make any sense.
8 years ago
I am trying to run Tomcat via the daemon, but I am getting this error. Any ideas what might cause this?

OS
CentOS 64Bit

Error Log

Switching umask back to 022 from 077
user changed to 'tomcat'
Using default JVM in /home/pwp-admin/jdk1.7.0_55/jre/lib/amd64/server/libjvm.so
Attemtping to load library /home/pwp-admin/jdk1.7.0_55/jre/lib/amd64/server/libjvm.so
JVM library /home/pwp-admin/jdk1.7.0_55/jre/lib/amd64/server/libjvm.so loaded
JVM library entry point found (0x36F687C0)
+-- DUMPING JAVA VM CREATION ARGUMENTS -----------------
| Version: 0x010004
| Ignore Unrecognized Arguments: False
| Extra options: 5
| "-Djava.class.path=/home/pwp-admin/apache-tomcat/bin/bootstrap.jar:/home/pwp-admin/apache-tomcat/bin/tomcat-juli.jar" (0x00000000)
| "-Dcatalina.home=/home/pwp-admin/apache-tomcat" (0x00000000)
| "-Dcatalina.base=/home/pwp-admin/apache-tomcat" (0x00000000)
| "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" (0x00000000)
| "-Djava.util.logging.config.file=/home/pwp-admin/apache-tomcat/conf/logging.properties" (0x00000000)
+-------------------------------------------------------
| Internal options: 4
| "-Dcommons.daemon.process.id=3292" (0x00000000)
| "-Dcommons.daemon.process.parent=3291" (0x00000000)
| "-Dcommons.daemon.version=1.0.10" (0x00000000)
| "abort" (0x00405c50)
+-------------------------------------------------------
Java VM created successfully
Class org/apache/commons/daemon/support/DaemonLoader found
Native methods registered
java_init done
Daemon loading...
Apr 22, 2014 2:27:09 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/home/pwp-admin/apache-tomcat/lib], exists: [true], isDirectory: [true], canRead: [false]
Apr 22, 2014 2:27:09 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/home/pwp-admin/apache-tomcat/lib], exists: [true], isDirectory: [true], canRead: [false]
Apr 22, 2014 2:27:09 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/home/pwp-admin/apache-tomcat/lib], exists: [true], isDirectory: [true], canRead: [false]
Apr 22, 2014 2:27:09 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/home/pwp-admin/apache-tomcat/lib], exists: [true], isDirectory: [true], canRead: [false]
java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:308)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.commons.daemon.support.DaemonLoader.load(DaemonLoader.java:212)
Cannot load daemon
java_load failed
Service exit with a return value of 3
8 years ago
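A `canRead: [false]` on a directory that was just chmod 777 is the classic symptom of a missing search (x) bit on a parent directory, here the home directory of the user who owns the JDK and the Tomcat tree, which is exactly what the "5/rx on the home directory" fix at the top of this list addresses. The script below is an added example, not code from the thread, from Tomcat or from jsvc: it walks every path component from a top directory down to the target, reports each component the given uid/gid set cannot traverse, and rebuilds the layout from the log in a scratch directory (constructed paths, checked as a uid that owns none of it; root's permission bypass is deliberately not modelled) to show that only `o+x` on the home directory clears the error.

```python
"""Why a 777 directory can still report canRead: false: a missing search (x) bit on an
ancestor. Added example, not from the thread or from Tomcat/jsvc."""
import os
import shutil
import stat
import tempfile


def effective_perms(st, uid, gids):
    """Return (r, w, x) for principal (uid, gids) on one stat result: owner class if the
    uid matches, else group class if the file's gid is in gids, else the 'other' class.
    Root's bypass of r/w checks is deliberately not modelled."""
    m = st.st_mode
    if st.st_uid == uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    return bool(m & r), bool(m & w), bool(m & x)


def path_access_report(path, uid, gids, top="/"):
    """List (component, problem) pairs explaining why (uid, gids) cannot read `path`.
    Every directory from `top` down to the parent of the target needs the search (x)
    bit; the target needs r, and a target directory also needs x so its entries can be
    opened. An empty list means the principal can read it."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    chain, cur = [], path
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if cur == top or parent == cur:
            break
        cur = parent
    chain.reverse()  # outermost directory first
    problems = []
    for comp in chain[:-1]:
        st = os.stat(comp)
        if not effective_perms(st, uid, gids)[2]:
            problems.append((comp, "no search (x) bit for this principal, mode %04o"
                             % stat.S_IMODE(st.st_mode)))
    st = os.stat(path)
    r, _, x = effective_perms(st, uid, gids)
    if not r:
        problems.append((path, "no read (r) bit, mode %04o" % stat.S_IMODE(st.st_mode)))
    if stat.S_ISDIR(st.st_mode) and not x:
        problems.append((path, "directory without x: entries cannot be opened"))
    return problems


def demo():
    """Rebuild the layout from the error log in a scratch directory (constructed, not the
    poster's host): <home>/apache-tomcat/lib with the home dir at 0700 and the whole
    tomcat tree at 0777, checked as a uid that owns nothing here. Returns the report
    before and after giving 'others' r-x on the home directory."""
    scratch = tempfile.mkdtemp()
    home = os.path.join(scratch, "pwp-admin")
    catalina = os.path.join(home, "apache-tomcat")
    lib = os.path.join(catalina, "lib")
    try:
        os.makedirs(lib)
        os.chmod(scratch, 0o755)
        os.chmod(home, 0o700)      # typical default for a home directory
        os.chmod(catalina, 0o777)  # the "777 on the whole tomcat folder" attempt
        os.chmod(lib, 0o777)
        foreign_uid, foreign_gids = os.getuid() + 1, frozenset()  # owns none of this
        before = path_access_report(lib, foreign_uid, foreign_gids, top=scratch)
        os.chmod(home, 0o705)      # r-x for others on the home dir, the fix from the thread
        after = path_access_report(lib, foreign_uid, foreign_gids, top=scratch)
    finally:
        shutil.rmtree(scratch)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for comp, why in before:
        print("BEFORE:", comp, "->", why)
    print("AFTER:", after or "no problems, lib is readable")
```

On a real host, run it against the real path with the tomcat user's uid and gids (from `pwd.getpwnam` and `grep`-ing `/etc/group`) and `top="/"`; the same logic explains why `jar` is "command not found" for that user, since the shell cannot search a directory it has no x bit on. Note that `o+x` (mode 0701 or 0705) on the home directory is enough for traversal; the 777 on the Tomcat tree itself was never needed and should be tightened back to owner-writable only.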
Can you kindly shed some light on "unsecured security Realms floating around"? I am new to the Linux and security world.
I really appreciate your help.
8 years ago
We have removed all the web applications like manager except our own, which is under ROOT. We are deploying without the manager anyway. I believe it should fix the issue.
8 years ago
Thanks for the reply. (I have removed the post from Stack Overflow.)

If I understand you correctly, you are saying that it cannot be concluded from the access log I posted that the attacker used Tomcat Manager alone for the attack? We are not using Tomcat Manager for deployment, and the IPs in the access log are not ours.

I believed it was done through Tomcat Manager:

180.140.25.158 - - [05/Feb/2014:15:51:14 +0000] "POST /hosts-manager/ HTTP/1.1" 200 6405
180.140.25.158 - - [05/Feb/2014:15:51:16 +0000] "GET /hosts-manager/?action=command HTTP/1.1" 200 2687
180.140.25.158 - - [05/Feb/2014:15:51:18 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2720
180.140.25.158 - - [05/Feb/2014:15:52:08 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2732
180.140.25.158 - - [05/Feb/2014:15:53:24 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2709
180.140.25.158 - - [05/Feb/2014:15:53:28 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2704
180.140.25.158 - - [05/Feb/2014:15:53:52 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2736
180.140.25.158 - - [05/Feb/2014:15:53:56 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 4765

We had already disabled password based authentication and we only use SSH for login.

Furthermore, we found that the attacker was able to launch a process named "nodewx" and it was sending the outbound traffic. This process was launched by the user "tomcat", which is our dedicated user for running Tomcat. Plus, the /tmp directory contained the nodewx file along with fake.cfg. To me all these pieces hint that Tomcat was used for the attack.
8 years ago
So it seems like Tomcat Manager is being used by the attacker. The first step for me would be to remove the Tomcat Manager from the web apps.
8 years ago
Hi,

We are using an Amazon EC2 instance for a Java and Tomcat based web application. Recently we noticed a sudden spike in outbound traffic, and it was being generated from a process named "nodewx" which resided in the "/tmp" directory. The same directory also contained a "fake.cfg" file. On googling around I found out there is a known vulnerability in older Tomcat versions which is associated with the fake.cfg file.

We are using Java 1.7 update 51 and Apache Tomcat/7.0.27. We have created a separate tomcat user and are launching Tomcat through jsvc.

I would like to know what I should do to protect Tomcat and my server in order to avoid this issue again.

-----
Edit
-----

I just looked at the access logs and they tell this story:

173.45.75.58 - - [05/Feb/2014:02:26:23 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 952
173.45.75.58 - - [05/Feb/2014:02:26:23 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 952
173.45.75.58 - - [05/Feb/2014:02:26:23 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 952
173.45.75.58 - - [05/Feb/2014:02:26:23 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 952
173.45.75.58 - - [05/Feb/2014:02:26:24 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 952
173.45.75.58 - - [05/Feb/2014:02:26:24 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 952
157.56.93.49 - - [05/Feb/2014:04:21:31 +0000] "GET /robots.txt HTTP/1.1" 404 952
157.56.93.49 - - [05/Feb/2014:04:24:04 +0000] "GET / HTTP/1.1" 200 11264
192.71.151.187 - - [05/Feb/2014:09:17:18 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 952
192.71.151.187 - - [05/Feb/2014:09:17:19 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 952
192.71.151.187 - - [05/Feb/2014:09:17:19 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 952
192.71.151.187 - - [05/Feb/2014:09:17:19 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 952
192.71.151.187 - - [05/Feb/2014:09:17:19 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 952
192.71.151.187 - - [05/Feb/2014:09:17:19 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 952
162.243.231.9 - - [05/Feb/2014:13:14:46 +0000] "HEAD / HTTP/1.1" 200 -
69.90.132.223 - - [05/Feb/2014:14:32:24 +0000] "GET / HTTP/1.1" 200 11264
211.141.27.243 - - [05/Feb/2014:15:17:42 +0000] "GET /manager/html HTTP/1.1" 401 2486
211.141.27.243 - manager [05/Feb/2014:15:17:43 +0000] "GET /manager/html HTTP/1.1" 200 19059
173.244.206.13 - - [05/Feb/2014:15:37:39 +0000] "GET / HTTP/1.0" 200 11244
180.140.25.158 - - [05/Feb/2014:15:50:49 +0000] "GET /manager/html HTTP/1.1" 401 2486
180.140.25.158 - manager [05/Feb/2014:15:50:54 +0000] "GET /manager/html HTTP/1.1" 200 17563
180.140.25.158 - manager [05/Feb/2014:15:50:55 +0000] "GET /manager/images/tomcat.gif HTTP/1.1" 200 2066
180.140.25.158 - manager [05/Feb/2014:15:50:55 +0000] "GET /manager/images/asf-logo.gif HTTP/1.1" 200 7279
180.140.25.158 - - [05/Feb/2014:15:50:59 +0000] "GET /favicon.ico HTTP/1.1" 404 952
180.140.25.158 - - [05/Feb/2014:15:51:00 +0000] "GET /favicon.ico HTTP/1.1" 404 952
180.140.25.158 - manager [05/Feb/2014:15:51:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=D55BBC344D43A670EE4D4112C193504B HTTP/1.1" 200 19313
180.140.25.158 - - [05/Feb/2014:15:51:05 +0000] "GET /hosts%2Dmanager HTTP/1.1" 302 -
119.147.146.189 - - [05/Feb/2014:15:51:06 +0000] "GET /hosts-manager HTTP/1.1" 302 -
180.140.25.158 - - [05/Feb/2014:15:51:09 +0000] "GET /hosts-manager/ HTTP/1.1" 200 3310
119.147.146.189 - - [05/Feb/2014:15:51:09 +0000] "GET /hosts-manager/ HTTP/1.1" 200 3310
180.140.25.158 - - [05/Feb/2014:15:51:14 +0000] "POST /hosts-manager/ HTTP/1.1" 200 6405
180.140.25.158 - - [05/Feb/2014:15:51:16 +0000] "GET /hosts-manager/?action=command HTTP/1.1" 200 2687
180.140.25.158 - - [05/Feb/2014:15:51:18 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2720
180.140.25.158 - - [05/Feb/2014:15:52:08 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2732
180.140.25.158 - - [05/Feb/2014:15:53:24 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2709
180.140.25.158 - - [05/Feb/2014:15:53:28 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2704
180.140.25.158 - - [05/Feb/2014:15:53:52 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2736
180.140.25.158 - - [05/Feb/2014:15:53:56 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 4765
101.226.65.104 - - [05/Feb/2014:16:21:05 +0000] "GET /hosts-manager HTTP/1.1" 302 -
101.226.65.104 - - [05/Feb/2014:16:21:06 +0000] "GET /hosts-manager/ HTTP/1.1" 200 3310
157.56.93.84 - - [05/Feb/2014:16:45:23 +0000] "GET /robots.txt HTTP/1.1" 404 952
157.56.93.84 - - [05/Feb/2014:18:05:24 +0000] "GET / HTTP/1.1" 200 11264
220.194.196.102 - - [05/Feb/2014:19:55:53 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 952
220.194.196.102 - - [05/Feb/2014:19:55:54 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 952
220.194.196.102 - - [05/Feb/2014:19:55:55 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 952
220.194.196.102 - - [05/Feb/2014:19:55:55 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 952
220.194.196.102 - - [05/Feb/2014:19:55:56 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 952
220.194.196.102 - - [05/Feb/2014:19:55:57 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 952
209.126.230.78 - - [05/Feb/2014:21:25:35 +0000] "GET / HTTP/1.0" 200 11244
109.68.190.145 - - [05/Feb/2014:22:09:11 +0000] "GET / HTTP/1.0" 200 11244
59.37.154.80 - - [05/Feb/2014:22:24:09 +0000] "GET //cgi-bin/php HTTP/1.1" 404 952
59.37.154.80 - - [05/Feb/2014:22:24:12 +0000] "GET //cgi-bin/php5 HTTP/1.1" 404 952
59.37.154.80 - - [05/Feb/2014:22:24:12 +0000] "GET //cgi-bin/php-cgi HTTP/1.1" 404 952
59.37.154.80 - - [05/Feb/2014:22:24:13 +0000] "GET //cgi-bin/php.cgi HTTP/1.1" 404 952
59.37.154.80 - - [05/Feb/2014:22:24:13 +0000] "GET //cgi-bin/php4 HTTP/1.1" 404 952

Thanks
8 years ago
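The access log in the post above carries the whole intrusion in a handful of lines: a 401 on `/manager/html` followed one second later by a 200 as user `manager` (a guessed or default password), an authenticated `POST /manager/html/upload` (a WAR deployed through the manager, the CSRF nonce in the URL showing a live manager session), and then 200s from a context named `hosts-manager` that nobody deployed, with `?action=command` requests to it from two further IPs. The script below is an added example by the editor, not part of the thread and not a Tomcat feature: it parses Tomcat's common-format access log and flags exactly those three patterns against an allow-list of contexts the administrator actually deployed. The sample lines are copied from the post (plus one benign root hit for contrast); the allow-list and the finding names are the editor's assumptions.

```python
"""Triage a Tomcat access log for the manager-deploy-then-web-shell pattern from the
thread. Added example; the heuristics are the editor's, not a Tomcat feature."""
import re
from collections import Counter
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager endpoints that deploy a WAR; an authenticated POST/PUT here is a deployment.
MANAGER_DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Lines copied from the access log in the post above, plus one benign root hit.
SAMPLE_LOG = [
    '157.56.93.49 - - [05/Feb/2014:04:24:04 +0000] "GET / HTTP/1.1" 200 11264',
    '211.141.27.243 - - [05/Feb/2014:15:17:42 +0000] "GET /manager/html HTTP/1.1" 401 2486',
    '211.141.27.243 - manager [05/Feb/2014:15:17:43 +0000] "GET /manager/html HTTP/1.1" 200 19059',
    '180.140.25.158 - - [05/Feb/2014:15:50:49 +0000] "GET /manager/html HTTP/1.1" 401 2486',
    '180.140.25.158 - manager [05/Feb/2014:15:50:54 +0000] "GET /manager/html HTTP/1.1" 200 17563',
    '180.140.25.158 - manager [05/Feb/2014:15:51:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=D55BBC344D43A670EE4D4112C193504B HTTP/1.1" 200 19313',
    '180.140.25.158 - - [05/Feb/2014:15:51:05 +0000] "GET /hosts%2Dmanager HTTP/1.1" 302 -',
    '180.140.25.158 - - [05/Feb/2014:15:51:09 +0000] "GET /hosts-manager/ HTTP/1.1" 200 3310',
    '180.140.25.158 - - [05/Feb/2014:15:51:18 +0000] "POST /hosts-manager/?action=command HTTP/1.1" 200 2720',
    '101.226.65.104 - - [05/Feb/2014:16:21:06 +0000] "GET /hosts-manager/ HTTP/1.1" 200 3310',
    '59.37.154.80 - - [05/Feb/2014:22:24:09 +0000] "GET //cgi-bin/php HTTP/1.1" 404 952',
]


def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    raw_path, _, rec["query"] = rec["path"].partition("?")
    # First path segment after percent-decoding, so /hosts%2Dmanager and /hosts-manager/
    # resolve to the same context name; "" is the ROOT context.
    rec["context"] = unquote(raw_path).lstrip("/").split("/", 1)[0]
    return rec


def analyze(lines, known_contexts):
    """Return (finding, ip, detail) tuples in log order:
      manager_login_after_401  an IP that got a 401 on /manager, then an authenticated 2xx
      manager_deploy           an authenticated POST/PUT to a manager deploy endpoint
      unknown_context_served   a 200 from a context that is not on the allow-list
      web_shell_command        the same, carrying an action=command query string"""
    findings, challenged = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ctx, status = rec["ip"], rec["context"], rec["status"]
        if ctx == "manager":
            if status == 401:
                challenged.add(ip)
            elif 200 <= status < 300 and rec["user"] != "-":
                if ip in challenged:
                    findings.append(("manager_login_after_401", ip, rec["user"]))
                    challenged.discard(ip)  # one finding per challenge/success pair
                if rec["method"] in ("POST", "PUT") and rec["path"].startswith(MANAGER_DEPLOY_PATHS):
                    findings.append(("manager_deploy", ip, rec["path"].partition("?")[0]))
        elif status == 200 and ctx not in known_contexts:
            kind = "web_shell_command" if "action=command" in rec["query"] else "unknown_context_served"
            findings.append((kind, ip, "%s /%s" % (rec["method"], ctx)))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. to decide whether the host needs rebuilding."""
    return dict(Counter(kind for kind, _, _ in findings))


def run_sample():
    """Allow-list assumed for the thread: ROOT plus the two stock manager apps."""
    return analyze(SAMPLE_LOG, {"", "manager", "host-manager"})


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print("%-24s %-16s %s" % (kind, ip, detail))
    print(summarize(run_sample()))
```

Two details matter in practice. The dropped context is named `hosts-manager` to blend in with Tomcat's real `host-manager`, and the first request to it is percent-encoded (`/hosts%2Dmanager`), so compare decoded context names against an explicit allow-list rather than eyeballing the log. And because the attacker's code ran as the `tomcat` user, the finding list is evidence for triage, not the end of the response: everything that user could write to (the webapps tree, `/tmp`, the `work` directory) has to be treated as compromised, which is why rebuilding rather than just removing the manager app is the usual recommendation.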