
Is this an attack?

 
Dave Brown
Ranch Hand
Posts: 301
Hi there,

Just recently a very disgruntled forum user of one of the charity organisations I'm involved with launched an all-out attack on our server. This matter is now being dealt with by the police, but today on a different forum I had a member asking if anything had changed, as the forum was acting weird. Anyway, to get to the point: I've been looking at logs etc. and can't see anything new in the logs which points to an attack, but I noticed one particular Java process was taking quite a bit of CPU time. When I looked at what the process was, I saw this:

www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dlog4j.configuration=file:conf/log4j-default.properties -Xms3m -Xmx128m -Djava.library.path=lib -classpath lib/wrapper.jar:lib/log4j-1.2.8.jar:lib/slave.jar:lib/oro.jar -Dwrapper.key=_Kfnq7zqj5s4Sc6A -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.disable_console_input=TRUE -Dwrapper.pid=6521 -Dwrapper.version=3.4.1 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=20 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave


I can't recall ever seeing that before, so I'm trying to determine whether the people who attacked before are still at it and if this is some backdoor process they've launched.

If anyone can give me any information on that Java lib I'd really appreciate it. I must admit that although I am very comfortable around Linux & programming, being the victim of an attack has left me feeling somewhat ignorant in the security field.

Thanks

 
Lester Burnham
Rancher
Posts: 1337
Looks like it's an FTP server of some kind. If it's taking up a lot of CPU time, that may be an indication it's serving a lot of files. Regardless, if it's not supposed to be running, you should shut it down. Also check the dates on the files it uses; those might give a clue as to when it got installed or (re)configured.
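As an added example (not code from the thread or from any of its posters), the following POSIX shell script turns the two checks from the reply above into something repeatable: it flags any running process whose executable lives under a world-writable scratch directory, the way the JVM in the original post does, and it lists the files in a given directory oldest-first so the install or reconfiguration date can be read off the modification times. The function names, the list of suspect directories and the embedded sample `ps aux` output are assumptions constructed for the example; the third sample line mirrors the process posted above.

```shell
#!/bin/sh
# Triage helper for a suspected rogue process (constructed example).
# 1. flag_tmp_processes: read `ps aux`-style lines on stdin and print
#    "pid user executable" for every command started from a scratch directory.
# 2. list_by_mtime: list regular files under a directory oldest-first,
#    so the earliest modification time hints at when it was dropped.

# Assumption: these are the scratch directories worth flagging on this host.
SUSPECT_DIRS='^(/tmp|/var/tmp|/dev/shm)/'

flag_tmp_processes() {
    # `ps aux` layout: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    # Field 11 is the first word of COMMAND, i.e. the executable path.
    awk -v pat="$SUSPECT_DIRS" 'NF >= 11 && $11 ~ pat { print $2, $1, $11 }'
}

list_by_mtime() {
    # -r reverses ls -t, so the oldest file (likely the original drop) comes first.
    find "$1" -type f -exec ls -ltr {} +
}

# Live scan of this machine, same filter applied to the real process table.
scan_live() {
    ps aux | flag_tmp_processes
}

# Constructed sample of `ps aux` output; the www-data java line mirrors the
# process quoted in the original post (only the key and main class kept).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 19356 1544 ? Ss 11:50 0:01 /sbin/init
www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dwrapper.key=_Kfnq7zqj5s4Sc6A org.drftpd.slave.Slave
www-data 2211 0.3 1.2 250000 40000 ? S 11:51 0:10 /usr/sbin/apache2 -k start'

# Demonstration on the constructed sample: prints
# 4488 www-data /var/tmp/.tmp/java/jdk1.5.0_13/bin/java
printf '%s\n' "$SAMPLE_PS" | flag_tmp_processes
```

Run `scan_live` on the host itself to get the same one-line-per-hit report for the real process table, then `list_by_mtime /var/tmp/.tmp` (or whatever directory the hit points at) before shutting anything down, so the timestamps are recorded while the files are still in place. The script deliberately reads `ps` output rather than `/proc`, which keeps it usable on hosts where `/proc` is restricted for the unprivileged user doing the triage.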
 
Dave Brown
Ranch Hand
Posts: 301
Good job I looked closer; somehow they'd installed the thing to /var/tmp/.tmp.

Inside were all sorts of files they were sharing filling up the HD.

Not sure how they got in either, but I think I'll do some googling now on security and try to learn a bit more.
 
Salt Hogn
Greenhorn
Posts: 1
Hello,
I need help as soon as possible.
I have the same issue on my server. Lots of files being shared.
The process is run from /var/tmp/.tmp.
I want to find out how they got into the server and how to stop this from happening again.

Thanks for the help.
 