
[THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests



Hi Kent,

It seems highly likely the suspicious .war files you found were
uploaded and started through the Tomcat manager app (which is found
in the webapps/manager/ directory). The manager app is NOT enabled by
default in a Tomcat installation. If you are going to run it, you
should definitely make sure it is locked down. We have some
information on doing so here

https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html#manager

On our production servers, we pretty much limit the contents of the
tomcat/webapps directory to

1) the ROOT/ directory (which contains our own content, not the
   content that comes with a Tomcat installation)

2) the manager/ directory (which is locked down pretty much as
   described at the URL above)

3) the thredds.war file and the thredds/ directory

Did you change the passwords for the Tomcat manager app role/users?
Some details are at the URL above, though the details will depend on the
version of Tomcat you are running, so you should check out the Tomcat
manager app documentation as well:

http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Hope that helps,

Ethan

> Hi Ethan,
> 
> 
> There were several .war files and their directories (e.g., 1x.war,
> 7777.war, 8888.war, lxplxy.war) in the tomcat/webapps directory that
> were suspicious. We are not sure how they were uploaded. We've
> removed the files and changed the tomcat password. We'll continue to
> research the problem and monitor the system.
> 
> 
> For a tomcat/thredds installation, do you have a typical directory
> list of what should be in webapps?
> 
> 
> Thanks for the URL.
> 
> 
> -Kent
> 
> 
> --------------------------------
> Kent Gardner
> SMAST - UMass Dartmouth
> --------------------------------
> 
> ----- Original Message -----
> Sent: Tuesday, April 22, 2014 1:26:41 PM
> 
> Do you know how this file was uploaded to Tomcat and then run? Is it a
> .war file that was installed through the Tomcat manager app? Or did it
> get uploaded in some other way and run in some other way?
> 
> If the first, is the Tomcat manager available only through SSL and only
> to a restricted set of IP addresses? There's a section on doing that in
> this Security page in the TDS tutorials:
> 
> https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html
> 
> Ethan
> 
> > Hi All,
> >
> > I just talked to Kent and Mike. They are working very hard on fixing
> > this issue. Based on my understanding from Kent, he is cleaning the
> > unknown files in Tomcat. He said he will restart Tomcat in about one
> > hour, and monitor its performance. Kent found some unknown files
> > that were uploaded in Tomcat and are continuously running. It seems
> > like a virus file from China. We need to find a way to stop anyone
> > from uploading programs to Tomcat.
> >
> > Regards,
> >
> > Chen
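
As an added example (not part of this thread or of Unidata's documentation), the three pieces of Tomcat 7 configuration that implement the advice above: a dedicated manager account, an address allow-list on the manager context, and an HTTPS-only constraint on the manager app. The account name, the password placeholder and the allowed address pattern are assumptions to be replaced for a real installation.

```xml
<!-- conf/tomcat-users.xml: one dedicated account holds the manager role.
     The username and password here are placeholders (assumed values). -->
<tomcat-users>
  <!-- manager-gui alone gives browser access to the HTML manager; grant
       manager-script only if deployment automation actually needs it -->
  <role rolename="manager-gui"/>
  <user username="tds-admin"
        password="CHANGE-ME-to-a-long-random-secret"
        roles="manager-gui"/>
</tomcat-users>

<!-- conf/Catalina/localhost/manager.xml: limit the manager app to a known
     set of client addresses. "allow" is a regular expression; the
     addresses below are an assumed example (localhost plus one LAN). -->
<Context privileged="true" antiResourceLocking="false">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|192\.168\.1\.\d+"/>
</Context>

<!-- webapps/manager/WEB-INF/web.xml: add inside <web-app>, so that every
     request to the manager (including the BASIC-auth login) is forced
     onto HTTPS via the connector's redirectPort -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat Manager (entire app)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After these changes, a deployment attempt from an address outside the allow-list is refused before authentication, and a request over plain HTTP is redirected to the SSL connector rather than served.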


Ticket Details
===================
Ticket ID: IXX-362335
Department: Support THREDDS
Priority: Normal
Status: Open