JavaRanch » Java Forums » Engineering » Linux / UNIX
Is this an attack?

Dave Brown
Ranch Hand

Joined: Mar 08, 2005
Posts: 301
Hi there,

Just recently a very disgruntled forum user of one of the charity organisations I'm involved with launched an all-out attack on our server. This matter is now being dealt with by the police, but today on a different forum I had a member asking if anything had changed, as the forum was acting weird. Anyway, to get to the point: I've been looking at logs etc. and can't see anything new in the logs which points to an attack, but I noticed one particular Java process was taking quite a bit of CPU time. When I looked at what the process was, I saw this:

www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dlog4j.configuration=file:conf/log4j-default.properties -Xms3m -Xmx128m -Djava.library.path=lib -classpath lib/wrapper.jar:lib/log4j-1.2.8.jar:lib/slave.jar:lib/oro.jar -Dwrapper.key=_Kfnq7zqj5s4Sc6A -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.disable_console_input=TRUE -Dwrapper.pid=6521 -Dwrapper.version=3.4.1 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=20 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave


I can't recall ever seeing that before, so I'm trying to determine whether the people who attacked before are still at it and if this is some backdoor process they've launched.

If anyone can give me any information on that Java lib I'd really appreciate it. I must admit that although I am very comfortable around Linux and programming, being the victim of an attack has left me feeling somewhat ignorant in the security field.

Thanks


Regards, Dave Brown
SCJP 6 - http://www.dbws.net/ - Check out Grails Forum
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
Looks like it's an FTP server of some kind. If it's taking up a lot of CPU time that may be an indication it's serving a lot of files. Regardless, if it's not supposed to be running, you should shut it down. Also check the dates on the files it uses, those might give a clue as to when it got installed or (re)configured.
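The two checks above (is anything running out of a place it should not be, and when were its files dropped) can be scripted. The following is an added example written for this thread; it is not code from the original posts, from drftpd or from the Java Service Wrapper. It assumes a Linux /proc layout, awk, readlink and GNU find; the two sample ps lines are constructed (the first is a shortened copy of the one quoted in the first post, the second a normal JVM for contrast).

```sh
#!/bin/sh
# Added example, not code from the thread. Flags processes that run from a
# world-writable temp root or a dot-prefixed directory (the drftpd slave
# above lives in /var/tmp/.tmp), then lists what such a directory contains
# oldest-first so the earliest timestamp bounds when it was planted.

TMP_ROOTS="/tmp /var/tmp /dev/shm"

# suspicious_path PATH
# Returns 0 when PATH sits under a temp root or contains a dot-prefixed
# directory component (e.g. /var/tmp/.tmp/...). Note that legitimate dot
# directories such as ~/.local/bin will also trip this; treat hits as leads.
suspicious_path() {
    p=$1
    for root in $TMP_ROOTS; do
        case "$p" in
            "$root"/*) return 0 ;;
        esac
    done
    case "$p" in
        */.*) return 0 ;;
    esac
    return 1
}

# flag_ps_line "one line of ps aux"
# Prints "PID COMMAND" and returns 0 when the command path is suspicious.
# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
flag_ps_line() {
    pid=$(printf '%s\n' "$1" | awk '{print $2}')
    cmd=$(printf '%s\n' "$1" | awk '{print $11}')
    if suspicious_path "$cmd"; then
        printf '%s %s\n' "$pid" "$cmd"
        return 0
    fi
    return 1
}

# scan_procs
# Live form of the same check: walk /proc and report any process whose
# executable or working directory resolves to a suspicious path. This also
# catches a binary copied somewhere respectable but still started from
# inside the hidden directory (the wrapper above uses relative lib/ paths).
scan_procs() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        cwd=$(readlink "$d/cwd" 2>/dev/null)
        if suspicious_path "$exe" || suspicious_path "${cwd:-/}"; then
            printf '%s exe=%s cwd=%s\n' "${d#/proc/}" "$exe" "$cwd"
        fi
    done
}

# list_by_mtime DIR
# Every regular file under DIR with its modification time, oldest first
# (GNU find -printf). The first line is a lower bound on install time.
list_by_mtime() {
    find "$1" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# Constructed sample input for offline use: the first line is a shortened
# copy of the process from the post, the second a normal JVM.
SAMPLE_BAD='www-data 4488 8.8 0.7 470844 60480 ? Sl 11:56 6:05 /var/tmp/.tmp/java/jdk1.5.0_13/bin/java -Dwrapper.port=32000 org.tanukisoftware.wrapper.WrapperSimpleApp org.drftpd.slave.Slave'
SAMPLE_OK='tomcat 1234 2.1 5.0 900000 400000 ? Sl 09:00 1:00 /usr/lib/jvm/java-6-openjdk/bin/java -jar /opt/tomcat/bin/bootstrap.jar'

# Usage: sh scan.sh --live          (scan this host via /proc)
#        ps aux | while read -r l; do flag_ps_line "$l"; done
#        list_by_mtime /var/tmp/.tmp | head
if [ "${1:-}" = "--live" ]; then
    scan_procs
fi
```

Two practical notes before shutting anything down. Because the earlier attack is already with the police, freeze the process (`kill -STOP <pid>`) and copy the directory with its timestamps preserved (`cp -a` or `tar`) before you kill or delete anything; the file dates and the `wrapper.pid` the process references are evidence. And the process runs as `www-data`, which suggests the foothold came through the web server rather than a shell account, so the web access and error logs around the earliest timestamp from `list_by_mtime` are the first place to look for how it got in.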
Dave Brown
Ranch Hand

Joined: Mar 08, 2005
Posts: 301
Good job I looked closer, somehow they'd installed the thing to /var/tmp/.tmp

Inside were all sorts of files they were sharing filling up the HD.

Not sure how they got in either, but I think I'll do some googling now on security and try to learn a bit more.
Salt Hogn
Greenhorn

Joined: Feb 19, 2011
Posts: 1
Hello,
I need help as soon as possible.
I have the same issue on my server. Lots of files being shared.
The process is run from /var/tmp/.tmp
I want to find out how they got into the server and how to stop this from happening again.

Thanks for the help.