
my Jakarta-Tomcat Apache server got hacked !!!

chrome2000 asked
Last Modified: 2013-12-04
hi everyone:

i am running an Apache Web Server (more specifically a Jakarta-Tomcat server). today when i got back at work and i looked at the web server screen (you have to be familiar with Jakarta-Tomcat to understand what i mean), i found that someone had left me a very nice message there. it is impossible that anyone other than the intruder left that message because no one can type on this screen + no one could have logged on it during the weekend.

this is my configuration:

- i am running windows 2000 server
- i am running jakarta-tomcat on a port (2020) that is not the default port (80, 8080)
- i am also running a mysql database
- i am running an ftp server
- i am behind a very simple LinkSys router (there is only one another computer behind this router as well). i am forwarding any requests to port 2020 and 21 to my box.

i am considering installing a firewall but i am concerned about the fact that requests to the pages that are hosted on my server are going to be coming from all over the world, so i am not sure if this is a good idea. in addition, if i get a firewall, should i only authorize requests coming from the router that is in front of me ?????? i have never dealt with firewalls and my knowledge about them is limited. here are my questions :

1- should i install a firewall and if so, please give me a suggestion
2- should i limit the traffic to my box to the IP of the router in front of me or should i limit it to the ports that i am planning to leave open.
3- how can i limit the number of requests coming from one IP in a Jakarta-Tomcat Apache Server (i know that this can be done in an IIS server).

any suggestions will be appreciated,

thanks,

rene


Commented:
Just installing a firewall will not prevent an attacker from repeating the attack which penetrated your system already.  The Linksys router is a 'circuit-level' firewall, already.  I'd be curious to know which ftp server package you are running, and whether you have installed an antivirus software package.  It sounds likely that you were either already infected with something that provided remote access to your server, when you installed the server software - or your ftp server may have been the entry path.

If you install another firewall, you'll want to block outgoing UDP and outgoing TCP connection traffic from the server to the open Internet, in all likelihood.  It would help a great deal if you could isolate what specific protocols were used to gain access to your system.  Without that information, you will be forced to guess at what needs to be restricted in the firewall configuration.

You should also probably set up a clean server configuration, since you have no way of knowing in what ways the server may have been compromised for future attacks.

I'll reiterate that you probably do not need another firewall - just a clean server installation, patched up-to-date, with antivirus software installed, and server software that does not have known open exploits on it.  If I knew what ftp server software you were running, I might be able to pursue that avenue as a possible route for exploitation.  As it is, I can only assume that, or assume that your patching or virus-protection signature database was not up-to-date.  To be useful, a new firewall installation would still require that these other things be taken care of, plus you'd need to configure the firewall appropriately to your situation.

Author

Commented:
thanks MrYowler:

here are some comments about your questions:

Just installing a firewall will not prevent an attacker from repeating the attack which penetrated your system already /*well at least i will know that there is in fact such a case*/ .  The Linksys router is a 'circuit-level' firewall, already.  I'd be curious to know which ftp server package you are running /* Cerberus FTP Server */, and whether you have installed an antivirus software package /*Norton Enterprise Edition*/. It sounds likely that you were either already infected with something that provided remote access to your server /* ????? */ , when you installed the server software - or your ftp server may have been the entry path /* ????? */ .

If you install another firewall, you'll want to block outgoing UDP and outgoing TCP connection traffic from the server to the open Internet /* well if i do that how will my server be able to send the code that is on my jsp pages to the clients ???? */ , in all likelihood.  It would help a great deal if you could isolate what specific protocols were used to gain access to your system /* Well whatever it was, it went through ports 80, 2020, 21 */ .  Without that information, you will be forced to guess at what needs to be restricted in the firewall configuration.

You should also probably set up a clean server configuration, since you have no way of knowing in what ways the server may have been compromised for future attacks /* very good suggestion */.

I'll reiterate that you probably do not need another firewall - just a clean server installation, patched up-to-date, with antivirus software installed, and server software that does not have known open exploits on it.  If I knew what ftp server software you were running, I might be able to pursue that avenue as a possible route for exploitation.  As it is, I can only assume that, or assume that your patching or virus-protection signature database was not up-to-date.  To be useful, a new firewall installation would still require that these other things be taken care of, plus you'd need to configure the firewall appropriately to your situation.

Commented:
Hmm...  how to draw your attention to the key points here...

Point #1)  Your current configuration blocks *incoming* TCP connections, and perhaps UDP traffic, on all ports except 2020 and 21, based upon your description.  I did not see where you were blocking any sort of *outgoing* traffic.

Point #2)  That you block outgoing TCP *connection attempts* on port 80, does not mean that you need to block outgoing data on *established TCP connections*, on port 2020 (where your web server is running, according to what I gathered from your initial question).  Your server probably does not need to be able to browse the web, or otherwise engage in any network or Internet client access activities, so it should probably be restricted from doing so, as a matter of prudent policy.  It is possible, if your server were infected with something, that it may have attempted to grant access to the attacker, through an outgoing client connection attempt, instead of an incoming one - and since you seemingly do not currently block outgoing connections, such an intrusion need not have occurred on ports 21, 80, or 2020.  If you do install a firewall, it should at least be capable of "Stateful Packet Inspection", to be able to determine the difference between an established TCP connection, and a new connection attempt - otherwise you have not improved anything over your current situation, by getting a firewall.

Point #3)  To accurately determine whether there are any open issues with your current configuration, I'd need to know when the last time was that you updated your Windows software patching, your Norton virus database, and what specific versions of the FTP server, Windows, and Norton software, you are currently running.  You can actually do these searches, yourself, as well, if you have this specific core information, to work with.

I hope that this helps to clear things up...  :)

Did you scan your computer for nimda? you can connect to an infected nimda computer by just using the unc path of the computer over the internet. Nimda does attack computers with IIS, you say the person left you a nice message? Something like your computer has a virus?
If your computer has something like nimda it is also attacking other computers on the internet, which is how they know you are out there by reading their log files.

http://search.symantec.com/custom/us/query.html

http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.nimda.e@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.nimda.e@mm.removal.tool.html
Hey this could be it as well, this was just on the news:

Computer Infection Snarls Global Networks
The virus-like worm, dubbed ``LovSan'' or ``blaster,'' snarled corporate networks with an inundation of data packets and frustrated home computer users unversed in techie triage.

By ANICK JESDANUN
(c) The Associated Press

NEW YORK (AP) - The latest Internet attack on Microsoft operating systems by rogue software disabled tens of thousands of computers worldwide on Tuesday, though a fix had been available for nearly a month.

It forced Maryland's motor vehicle agency to close for the day and kicked Swedish Internet users offline as it spread, the worm triggering Windows computers to shut down and restart.

Security experts said the world was lucky this time around because LovSan is comparatively mild and doesn't destroy files. They worry that a subsequent attack exploiting the same flaw - one of the most severe to afflict Windows - could be much more damaging.

``We think we're going to be dealing with it for quite some time,'' said Dan Ingevaldson, engineering manager at Internet Security Systems Inc. in Atlanta.

Although LovSan did not appear to do any permanent damage, Ingevaldson said instructions to do just that could easily be written into a worm that propagates in the same way.

On July 16, Microsoft Corp. posted on its Web site a free patch that prevents LovSan and similar infections. The underlying flaw affects nearly all versions of the software giant's flagship Windows operating system.

Notwithstanding high-profile alerts issued by Microsoft and the Department of Homeland Security, many businesses did not install the patches and scrambled Tuesday to shore up their computers.

Security experts say patches often stay on ``to do'' lists until outbreaks occur.

``You're looking at 70 new vulnerabilities every week,'' said Sharon Ruckman, senior director at the research lab for anti-virus vendor Symantec Corp. ``It's more than a full-time job trying to make sure you are up to date.''

Microsoft spokesman Sean Sundwall acknowledged that the blame does not really lie with customers.

``Ultimately, it's a flaw in our software,'' he said.

The latest infection was dubbed ``LovSan'' because of a love note left behind on vulnerable computers: ``I just want to say LOVE YOU SAN!''

Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''

Tracing its origins will be difficult because the worm left few clues in the form of hidden greetings to friends, said Marc Maiffret, co-founder of eEye Digital Security. The worm appeared based on code released earlier by a Chinese research group that goes by Xfocus, Maiffret said.

Non-Microsoft systems were not vulnerable, though some may have had trouble connecting with Web sites, e-mail and other servers that run on Windows.

Symantec's probes detected more than 125,000 infected computers worldwide.

The worm exploits a flaw in Windows used to share data files across computer networks. It was first reported in the United States on Monday and spread across the globe as businesses opened Tuesday and workers logged on.

Additional U.S. computers were hit Tuesday, and Maryland's Motor Vehicle Administration shut all its offices at noon.

``There's no telephone service right now. There's no online service right now. There's no kiosk or express office service,'' spokeswoman Cheron Wicker said. ``We are currently working on a fix and expect to be operational again in the morning.''

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers that handled Internet traffic.

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. He said the problems did not affect production.

Symantec, F-Secure Corp. and other anti-virus companies have free tools for removing the worm.

All Windows users, whether their computers were infected or not, were encouraged to obtain a fix from Microsoft's Web site. Anti-virus and firewall products should also be updated, security experts say.

Larger companies typically have firewalls that can stem attacks, but once a worm gets inside a firewall, unprotected computers are vulnerable.

Employees connecting from home or taking infected laptops to the office can allow the worm to easily penetrate a company's defenses, said Russ Cooper, a senior researcher at TruSecure Corp.

But to expect home users to keep their systems current is unreasonable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc. He blames software developers for writing bad software that constantly need ``critical'' patches.

``My mother will never install the patch until I come visit,'' he said. ``I couldn't even call her and walk her through it. The industry is wrong to expect her to do it. The fact that she sends me e-mail is incredible enough.''

On the Net:

Microsoft warning: http://www.microsoft.com/security/security-bulletins/ms03-026.asp

Advisory and links to removal instructions:

http://www.cert.org/advisories/CA-2003-20.html

Commented:
Indeed...   a similar posting, on a network that I am associated with:

http://www.primecompanies.com/patches/

This isn't as 'new' as it seems; Microsoft announced a patch for the vulnerability, on July 16th.  eEye just picked it up yesterday, however...  So perhaps awareness does not spread so quickly as announcements.  I keep hounding this issue; if you keep your patching up-to-date, these things very rarely rise up to bite you in the ass...

Commented:
While this is a vulnerability more common to *nix servers, have you disabled anonymous logins on your ftp server? I typically get 20-30 attempted logins on my server per day, using anonymous and other guesses. Given that our site is not mainstream and not of interest to most the population, I can only assume that people are trying to access it for less than noble purposes.

Basically, I would look for the easy access points, such as ftp...take a look at your log and see if anything is out of the ordinary. Most hackers are script-kiddies using tried and true methods for accessing and compromising machines. Hopefully this is the case and once they got in, they didn't do much more than leave you the message. You might also check Apache/Tomcat's site to see if there are any vulnerabilities they know about. You can also disable all ports except for your 2020 and 21 in the network properties of your adapter, effectively making your machine an additional firewall for itself. I have had the least amount of problems running an NT/Apache configuration, so I would think you are more protected than most...unless you left an obvious door open.

Author

Commented:
well MrYowler:

someone really wants to put me down. i did a port scan on my box and there were 18 ports open (default by Billy's Win 2000 Server OS because i am not running any service on those). i did also a port scan on the router that is between my box and the DSL modem, from outside (my home pc) and there were only these ports open: 2020 (Apache), 21 (my FTP Server), and 80 (http). that is good, i guess, because it means that although my box has many ports open only those 3 ports are open on the router ????. i also installed a firewall on my pc in order to have a clue about who is actually accessing it through the open ports. today i got at work and there were 100 requests to my port 21 from 100 consecutive addresses from some ISP in Belgium (information provided by whois) ??? here are a couple of questions that i am very interested in knowing the answer to.

1-how can i restrict the number of requests to pages in my apache server. sometimes these guys make thousands of requests to a page at one time and put the server into big trouble. i know that it can be done in IIS, so i can take a guess that Apache should also be able to......

2-my ISP also provides me with an e-mail box. the e-mails will go to their e-mail servers. i think that they use ports 110 and 25 for pop and smtp ???. i could still access my e-mail today. how can i access my e-mail through those ports if they are all supposed to be closed. is this a two-way thing ???

thanks

rene
Commented:
If there are over one hundred requests from the same ISP wouldn't it be possible to just block that whole range of IP addresses?

I have an Apache server on a linux box that was having trouble with people trying to run scripts designed to crash it. Since nearly all of the requests were coming from the same ISP 68.x.x.x (Nimda had run wild on that ISP at the time also) I just blocked that whole IP range.

Do you even have any clients in that part of the world anyway :)

Author

Commented:
thank you both ChrisSico and MrYowler. I have to think about this a bit longer + yes i do have clients from there, so it might not be wise to just block an entire range. more importantly i am using that server to run an online quoting system, so it is very important that possible clients do not get rejected from the server.

Commented:
Something that we do at CyberArmy, is that we run server-side scripts which examine system load, on the server, and make decisions about the availability of public (non-administrative) areas of the website, based upon load considerations.  The effect is to keep administrative functions available, when the site is under attack, so that we can implement countermeasures - even though the attack may result in a successful denial of services to the other members.  We also set and examine 'cookies' on the user's browsers, and when we see access activity that seems malicious (according to rulesets which we have developed as a result of time and experience), we add the source IP address to a .htaccess 'deny' list, which gets periodically cleared.  Because this happens entirely automatically, we are able to respond swiftly to known attack patterns.  Because we take a layered and policy-based approach to the application of countermeasures, we are able to maintain sufficient control, even during outages, to respond to attacks that we had not planned for (though that happens very rarely, these days).

This might be the right approach for you - or it might not.  At CyberArmy, we fully expect attack activity, based upon the nature of our membership, and so preparing for this type of activity is a priority, to which we are prepared to devote significant server resources.  If it is not a serious threat for you, then it may not be wise to devote resources to countermeasures, on the scale that CyberArmy does.  You'll have to assess the risk and the threat, for yourself, to determine to what extent it deserves a response...  :)
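The automated deny-list approach described in the comment above, applied to rene's earlier question about limiting requests per IP, as an added example (not code from this thread or from CyberArmy): a Python script that reads access-log lines in Common Log Format (which Tomcat's access-log valve and Apache httpd both emit), flags any client exceeding a sliding-window request budget, and renders an Apache 1.3/2.0-style .htaccess "Deny from" fragment whose entries expire, so the list clears itself. Log lines, addresses, thresholds and the TTL are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic: 203.0.113.7 hammers /quote.jsp once per second
# for 30 s, 198.51.100.4 browses normally, and one line is unparseable junk.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Aug/2003:09:00:{s:02d} +0000] "GET /quote.jsp HTTP/1.0" 200 512'
     for s in range(30)]
    + ['198.51.100.4 - - [12/Aug/2003:09:00:05 +0000] "GET /index.jsp HTTP/1.0" 200 2048',
       '198.51.100.4 - - [12/Aug/2003:09:00:09 +0000] "GET /quote.jsp HTTP/1.0" 200 512',
       'garbage line that should be skipped'])

def parse(line):
    """Return (ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _req, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT)

def find_offenders(log_text, limit=10, window=timedelta(seconds=10)):
    """Return {ip: peak_hits} for clients with more than `limit` requests
    inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue                # tolerate junk rather than crash the job
        ip, when = parsed
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()             # drop hits that fell out of the window
        if len(q) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

class DenyList:
    """Blocked IPs with the time they were added; entries older than ttl are
    cleared every time the fragment is rendered (the 'periodically cleared' part)."""
    def __init__(self, ttl=timedelta(minutes=30)):
        self.ttl = ttl
        self.blocked = {}           # ip -> datetime blocked

    def add(self, ips, now):
        for ip in ips:
            self.blocked.setdefault(ip, now)

    def render_htaccess(self, now):
        self.blocked = {ip: t for ip, t in self.blocked.items() if now - t < self.ttl}
        lines = [f"# auto-generated deny list, entries expire after {int(self.ttl.total_seconds())} s",
                 "Order allow,deny", "Allow from all"]
        lines += [f"Deny from {ip}" for ip in sorted(self.blocked)]
        return "\n".join(lines) + "\n"

def demo(minutes_later=0):
    """Build the deny list from SAMPLE_LOG and render it `minutes_later` after blocking."""
    blocked_at = datetime(2003, 8, 12, 9, 1, tzinfo=timezone.utc)
    deny = DenyList()
    deny.add(find_offenders(SAMPLE_LOG), blocked_at)
    return deny.render_htaccess(blocked_at + timedelta(minutes=minutes_later))
```

Run the script from a scheduled task against the live access log and write the returned fragment to the .htaccess of the public directory; the administrative area keeps its own, unmanaged .htaccess so it stays reachable during an attack, as the comment describes.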
