[LinuxUsers] Could use some help please,

Chris Thomas cwt137 at yahoo.com
Wed Aug 20 13:44:17 UTC 2008


I agree with Chris about checking the log files. When you first found the program, you didn't know when it got installed on your box. Was it installed a week, month, year ago? So, searching the logs would probably be useless for that attack. Since you deleted the app and it came back, you have an approx. time, so you only have a little bit of logs to look through.

Chris


----- Original Message ----
From: Chris Penn <cantormath at gmail.com>
To: roger.rustad at gmail.com; SoCal LUG Users List <linuxusers at socallinux.org>
Sent: Wednesday, August 20, 2008 3:41:55 AM
Subject: Re: [LinuxUsers] Could use some help please,

<snip>

You definitely want to check security settings and logs. chkrootkit
and lynis are pretty neat.  What version of Tomcat?

Chris...

On Wed, Aug 20, 2008 at 1:25 AM, Roger E. Rustad, Jr
<roger.rustad at gmail.com> wrote:
> Ann Richmond wrote:
>> Hi, it's Ann Richmond.
>> A few weeks ago we found some applications had been installed under
>> tomcat on a few servers.  The war file was there as well as the expanded
>> apps.
>
> I'll bet you've got pwned.
>
> Perhaps someone else has answered this, but I would recommend googling
> some of the security websites and seeing if there is anything (default
> security settings, easy passwords, etc) that kiddie scripters are taking
> advantage of.
>
> Also, have you checked out chkrootkit?
>
> http://www.chkrootkit.org/
>
> What user is Tomcat running under?  Maybe someone got root access quite
> easily that way...
> _______________________________________________
> LinuxUsers mailing list
> LinuxUsers at socallinux.org
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>



-- 
"As we open our newspapers or watch our television screens, we seem to
be continually assaulted by the fruits of Mankind's stupidity."
-Roger Penrose
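
An added example, not part of the original thread: one way to narrow the logs to the window between deleting the application and seeing it come back, as suggested at the top of this message. It assumes the Tomcat access log uses the common log format and that the two timestamps are known (for instance from the reappeared WAR file's modification time); all names, paths and log lines below are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common log format prefix (assumed):
# client identity user [timestamp] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def requests_in_window(lines, deleted_at, reappeared_at, slack=timedelta(minutes=5)):
    """Return parsed requests logged between deletion and reappearance."""
    start, end = deleted_at - slack, reappeared_at + slack
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, method, path, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if start <= when <= end:
            hits.append((when, client, method, path, int(status)))
    return hits

def summarize(hits):
    """Count requests per (client, method) so unusual senders stand out."""
    return Counter((client, method) for _, client, method, _, _ in hits)

# Constructed sample lines and times (not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Aug/2008:09:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Aug/2008:22:40:11 +0000] "POST /example-a HTTP/1.1" 200 88',
    '198.51.100.7 - - [19/Aug/2008:22:41:30 +0000] "GET /example-b/ HTTP/1.1" 200 1024',
    '192.0.2.10 - - [20/Aug/2008:08:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    'line that does not parse',
]
DELETED_AT = datetime(2008, 8, 19, 20, 0, tzinfo=timezone.utc)
REAPPEARED_AT = datetime(2008, 8, 19, 23, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = requests_in_window(SAMPLE_LOG, DELETED_AT, REAPPEARED_AT)
    for (client, method), count in summarize(hits).items():
        print(client, method, count)
```
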