Posted to dev@tomcat.apache.org by "Pier P. Fumagalli" <pi...@betaversion.org> on 2001/05/24 12:18:01 UTC

FW: question

Here's what it seems they did with the exploit... Rerolling the binaries
*balls of Tomcat putting a new index.htm...

I'm downloading the supposedly wrong binary as we speak, but it's kinda slow
from my 56kbps connection...

Fuck shit...

    Pier

------ Forwarded Message
From: "casper"<wu...@kimo.com.tw>
Reply-To: "casper"<wu...@kimo.com.tw>
Date: Thu, 24 May 2001 14:07:14 +0800
To: "webmaster @ jakarta . apache . org" <we...@jakarta.apache.org>
Subject: question

Hi

  I downloaded the Tomcat 3.2.1 version software, but when I went to set my
files in \webapps I found one file, and the file name is index.htm, and this
file is from China.
I send this file to you; please check that your server is okay. I have checked my
server and there is no hacker.
I downloaded the file on 2001/05/23.
If it's right, please send mail to me.

thanks
 Casper
 




------ End of Forwarded Message


Re: question

Posted by Brian Behlendorf <br...@collab.net>.
On Thu, 24 May 2001, Jon Stevens wrote:
> WHAT?? I don't think that there should be .sea files there!
>
> .sea is a MacOS Stuffit Archive.

To be clear, I'm talking about the .sea and .sea.hqx files found at

http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/bin/

They were created (ostensibly) on Jan 9th by Pier.  Pier, do you recall
putting them there?  These are separate files, *not* within the .tar.gz or
.zip distributions.  I seem to recall people talking about running tomcat
on MacOS9, so I'm not tempted to automatically state they're a problem,
but please tell me if they are.

> Also, the .war files are == .jar files which are equal to .zip files. They
> are auto "uncompressed" by the servlet engine when it starts up. So, the
> file will probably be located in the ROOT.war.

OK, I unzipped the ROOT.war file, and the index.html file in that dir
looks "normal" (i.e., not that index.htm file that person claimed was
there), as do the rest of the files that get unzipped.  I also looked at
all the other .war files, and none of them have that file.

So it seems OK.

	Brian
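The two checks the thread describes, written up as an added example in Python (not code from the thread or from Tomcat itself): compare a download's md5 with the value published beside the release, then open each .war (a .war is a .jar is a .zip) and report any index.htm entry like the one Casper found. The sample .war contents are constructed for the demonstration.

```python
import hashlib
import io
import zipfile
from pathlib import Path


def md5_hex(data: bytes) -> str:
    """Digest of the downloaded archive, for comparison with the published value.
    The thread asks for MD5; a current release would publish SHA-256 (hashlib.sha256)."""
    return hashlib.md5(data).hexdigest()


def tarball_matches(data: bytes, published_md5: str) -> bool:
    """True only when the download's digest equals the one published beside the release."""
    return md5_hex(data) == published_md5.strip().lower()


def suspicious_entries(war_bytes: bytes, names=("index.htm",)) -> list:
    """A .war is a .jar is a .zip: list entries whose basename is one of `names`."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return [n for n in war.namelist()
                if n.rsplit("/", 1)[-1].lower() in names]


def scan_webapps(webapps: Path) -> dict:
    """Open every .war under a webapps directory; map war name -> matching entries."""
    return {p.name: suspicious_entries(p.read_bytes())
            for p in sorted(webapps.glob("*.war"))}


def make_war(entries: dict) -> bytes:
    """Build a constructed .war in memory (sample data for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, body in entries.items():
            war.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean ROOT.war and one carrying the reported index.htm.
CLEAN_WAR = make_war({"index.html": b"<html>Tomcat</html>",
                      "WEB-INF/web.xml": b"<web-app/>"})
TAMPERED_WAR = make_war({"index.html": b"<html>Tomcat</html>",
                         "index.htm": b"<html>placeholder</html>"})

if __name__ == "__main__":
    print("clean:", suspicious_entries(CLEAN_WAR))        # []
    print("tampered:", suspicious_entries(TAMPERED_WAR))  # ['index.htm']
    # On a real download: scan_webapps(Path("jakarta-tomcat-3.2.1/webapps"))
```

A mismatch from `tarball_matches` means the bytes on disk are not the bytes the project published, which is the question the md5 request is meant to settle before anyone examines the .war contents.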




Re: Signing releases [was Re: question]

Posted by Ben Hyde <bh...@pobox.com>.
Marc Saegesser wrote:
 > Regarding signing the releases.  Could someone describe the procedures used
 > by other Apache projects for signing their releases?  Tomcat 3.2.2 will be
 > going out in the near future and I would like to have a signing mechanism in
 > place prior to that.

Step #16 in http://dev.apache.org/how-to-release.html

Signing releases [was Re: question]

Posted by Marc Saegesser <ma...@apropos.com>.
I've checked the Tomcat 3.2.2b5 distribution and it looks OK.

Regarding signing the releases.  Could someone describe the procedures used
by other Apache projects for signing their releases?  Tomcat 3.2.2 will be
going out in the near future and I would like to have a signing mechanism in
place prior to that.

> -----Original Message-----
> From: Pier P. Fumagalli [mailto:pier@betaversion.org]
> Sent: Thursday, May 24, 2001 11:20 AM
> To: Jon Stevens; Brian Behlendorf
> Cc: committers@apache.org; tomcat-dev
> Subject: Re: question
>
>
> Jon Stevens at jon@latchkey.com wrote:
> >
> > WHAT?? I don't think that there should be .sea files there!
> >
> > .sea is a MacOS Stuffit Archive.
> >
> > Also, the .war files are == .jar files which are equal to .zip files. They
> > are auto "uncompressed" by the servlet engine when it starts up. So, the
> > file will probably be located in the ROOT.war.
> >
> > We really should take all of our distributions offline ASAP.
>
> Hold it hold it hold it... I made the SEA of Tomcat 3.2.1 to work with
> Apple's MRJ on MacOS 8.6-9.1... (And it works!)
>
> >> This *looks* like a false alarm.  Ask him for an md5 of the tarball he
> >> downloaded, as well as where he downloaded it from.  You guys might want
> >> to consider signing your releases at some point, too.
> >
> > This is a project by project thing to do. Most of the projects do it
> > correctly.
>
> Might want to enforce it from a PMC standpoint?? :)
>
>     Pier


Re: question

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Jon Stevens at jon@latchkey.com wrote:
> 
> WHAT?? I don't think that there should be .sea files there!
> 
> .sea is a MacOS Stuffit Archive.
> 
> Also, the .war files are == .jar files which are equal to .zip files. They
> are auto "uncompressed" by the servlet engine when it starts up. So, the
> file will probably be located in the ROOT.war.
> 
> We really should take all of our distributions offline ASAP.

Hold it hold it hold it... I made the SEA of Tomcat 3.2.1 to work with
Apple's MRJ on MacOS 8.6-9.1... (And it works!)

>> This *looks* like a false alarm.  Ask him for an md5 of the tarball he
>> downloaded, as well as where he downloaded it from.  You guys might want
>> to consider signing your releases at some point, too.
> 
> This is a project by project thing to do. Most of the projects do it
> correctly.

Might want to enforce it from a PMC standpoint?? :)

    Pier


Re: question

Posted by Jon Stevens <jo...@latchkey.com>.
on 5/24/01 7:00 AM, "Brian Behlendorf" <br...@collab.net> wrote:

> Hmm; I looked at the following:
> 
> http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/bin/jakarta-tomcat-3.2.1.tar.gz
> http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/bin/jakarta-tomcat-3.2.1.zip
> 
> and in both of these, the webapps folder contained four files,
> 
> [taz3] 6:54am webapps > ls
> total 1247
> 1024 ROOT.war     7 admin.war   128 examples.war    88 test.war
> 
> I didn't look inside the .sea archives, nor did I see a webapps dir in the
> servletapi tarballs.  Are there any other tarballs to look at?

WHAT?? I don't think that there should be .sea files there!

.sea is a MacOS Stuffit Archive.

Also, the .war files are == .jar files which are equal to .zip files. They
are auto "uncompressed" by the servlet engine when it starts up. So, the
file will probably be located in the ROOT.war.

We really should take all of our distributions offline ASAP.

> This *looks* like a false alarm.  Ask him for an md5 of the tarball he
> downloaded, as well as where he downloaded it from.  You guys might want
> to consider signing your releases at some point, too.

This is a project by project thing to do. Most of the projects do it
correctly.

-jon


Re: FW: question

Posted by Brian Behlendorf <br...@collab.net>.
Hmm; I looked at the following:

http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/bin/jakarta-tomcat-3.2.1.tar.gz
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/bin/jakarta-tomcat-3.2.1.zip

and in both of these, the webapps folder contained four files,

 [taz3] 6:54am webapps > ls
 total 1247
 1024 ROOT.war     7 admin.war   128 examples.war    88 test.war

I didn't look inside the .sea archives, nor did I see a webapps dir in the
servletapi tarballs.  Are there any other tarballs to look at?

This *looks* like a false alarm.  Ask him for an md5 of the tarball he
downloaded, as well as where he downloaded it from.  You guys might want
to consider signing your releases at some point, too.

	Brian

On Thu, 24 May 2001, Pier P. Fumagalli wrote:
> Here's what it seems they did with the exploit... Rerolling the binaries
> *balls of Tomcat putting a new index.htm...
>
> I'm downloading the supposedly wrong binary as we speak, but it's kinda slow
> from my 56kbps connection...
>
> Fuck shit...
>
>     Pier
>
> ------ Forwarded Message
> From: "casper"<wu...@kimo.com.tw>
> Reply-To: "casper"<wu...@kimo.com.tw>
> Date: Thu, 24 May 2001 14:07:14 +0800
> To: "webmaster @ jakarta . apache . org" <we...@jakarta.apache.org>
> Subject: question
>
> Hi
>
>   I downloaded the Tomcat 3.2.1 version software, but when I went to set my
> files in \webapps I found one file, and the file name is index.htm, and this
> file is from China.
> I send this file to you; please check that your server is okay. I have checked my
> server and there is no hacker.
> I downloaded the file on 2001/05/23.
> If it's right, please send mail to me.
>
> thanks
>  Casper
>
>
>
>
>
> ------ End of Forwarded Message
>
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CollabNet     |    open source    |    do what's right    |     now hiring



Re: question

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
DO NOT (I repeat) DO NOT OPEN the index.htm file I sent in my previous
post... It's infected with a copy of SunOS/BoxPoison.worm AND it seems it's
coming from one of our distributions of Tomcat 3.2.x...
I'm still digging thru it...

    Pier

Pier P. Fumagalli at pier@betaversion.org wrote:

> Here's what it seems they did with the exploit... Rerolling the binaries
> *balls of Tomcat putting a new index.htm...
> 
> I'm downloading the supposedly wrong binary as we speak, but it's kinda slow
> from my 56kbps connection...
> 
> Fuck shit...
> 
>   Pier