
Is this an attack?

 
Ranch Hand
Posts: 301
Hi there,

Just recently a very disgruntled forum user of one of the charity organisations I'm involved with launched an all-out attack on our server. This matter is now being dealt with by the police, but today on a different forum I had a member asking if anything had changed, as the forum was acting weird. Anyway, to get to the point: I've been looking at logs etc. and can't see anything new in the logs which points to an attack, but I noticed one particular Java process was taking quite a bit of CPU time. When I looked at what the process was, I saw this:

www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dlog4j.configuration=file:conf/log4j-default.properties -Xms3m -Xmx128m -Djava.library.path=lib -classpath lib/wrapper.jar:lib/log4j-1.2.8.jar:lib/slave.jar:lib/oro.jar -Dwrapper.key=_Kfnq7zqj5s4Sc6A -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.disable_console_input=TRUE -Dwrapper.pid=6521 -Dwrapper.version=3.4.1 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=20 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave


I can't recall ever seeing that before, so I'm trying to determine whether the people who attacked before are still at it and if this is some backdoor process they've launched.

If anyone can give me any information on that Java lib I'd really appreciate it. I must admit that although I am very comfortable around Linux & programming, being the victim of an attack has left me feeling somewhat ignorant in the security field.

Thanks

Rancher
Posts: 1337
Looks like it's an FTP server of some kind. If it's taking up a lot of CPU time that may be an indication it's serving a lot of files. Regardless, if it's not supposed to be running, you should shut it down. Also check the dates on the files it uses, those might give a clue as to when it got installed or (re)configured.
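As an added example (not code from this thread), here is a small Python scan that applies the advice in the reply above to `ps aux` output: it flags processes whose executable lives under a temp or hidden directory, or a JVM running as the web-server account, and pulls out the `-classpath` jars so their modification times can be checked. The sample `ps` lines are constructed and modelled on the one posted above; the thresholds and directory list are assumptions.

```python
import subprocess

# Constructed sample `ps aux` output: one benign daemon and one line modelled on the thread's finding.
SAMPLE_PS = """\
root       912  0.0  0.1  23456  3456 ?  Ss  11:50  0:00 /usr/sbin/sshd -D
www-data  4488  8.8  0.7 470844 60480 ?  Sl  11:56  6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Djava.library.path=lib -classpath lib/wrapper.jar:lib/slave.jar org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave
"""

# Assumed list of directories a legitimate long-running service should never execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_ps_line(line):
    """Split one `ps aux` line into user, pid, %cpu and argv; return None for the header or junk."""
    fields = line.split(None, 10)        # the 11th field is the whole command line
    if len(fields) < 11 or not fields[1].isdigit():
        return None
    return {"user": fields[0], "pid": int(fields[1]), "cpu": float(fields[2]), "argv": fields[10].split()}

def suspicious_reasons(proc):
    """Return the reasons a process merits a closer look (empty list means nothing flagged)."""
    exe = proc["argv"][0]
    reasons = []
    if exe.startswith(TEMP_DIRS):
        reasons.append("executable runs from a temp directory: " + exe)
    if any(part.startswith(".") for part in exe.split("/")[1:]):
        reasons.append("executable path contains a hidden directory")
    if proc["user"] == "www-data" and exe.rsplit("/", 1)[-1] == "java":
        reasons.append("JVM running as the web-server account")
    return reasons

def classpath_entries(argv):
    """Extract the -classpath jars; relative entries resolve against /proc/<pid>/cwd, so check mtimes there."""
    for i, arg in enumerate(argv):
        if arg in ("-classpath", "-cp") and i + 1 < len(argv):
            return argv[i + 1].split(":")
    return []

def scan(ps_output):
    """Return {pid: reasons} for every flagged process in the given `ps aux` text."""
    flagged = {}
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if proc is None:
            continue
        reasons = suspicious_reasons(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged

if __name__ == "__main__":
    live = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    for pid, reasons in scan(live).items():
        print(pid, "; ".join(reasons))
```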
Dave Brown
Ranch Hand
Posts: 301
Good job I looked closer: somehow they'd installed the thing to /var/tmp/.tmp.

Inside were all sorts of files they were sharing, filling up the HD.

Not sure how they got in either, but I think I'll do some googling now on security and try to learn a bit more.
Greenhorn
Posts: 1
Hello,
I need help as soon as possible.
I have the same issue on my server. Lots of files being shared.
The process is run from /var/tmp/.tmp
I want to find out how they got into the server and how to stop this from happening again.

Thanks for the help.