0

After Tomcat installation, before I even changed the default Tomcat Manager password, the attacker used Tomcat Manager to deploy his own software. Probably some DDOS tools and a file manager.

I've already removed the suspected java software, changed all user passwords. Root login via ssh was not permitted.

How do I act now to ensure the server is secure?
What do I need to check? How to trace any other suspected activity?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Sfisioza
  • 592
  • 2
  • 7
  • 18

1 Answers1

3

I will answer your first question:

How do I act now to ensure the server is secure?

Don't even try to clean it up if you can help it. Just reinstall the OS and this time setup firewall rules that block access to the Tomcat manager except from your current IP address. Even better just block everything except SSH and tunnel into the server then access the Tomcat Manager via the tunnel.

I think you should also read through the documentation for Tomcat Manager Setup.

Joseph Kern
  • 9,809
  • 3
  • 31
  • 55
  • I dont know if the tunnel is better or not ... I probably wouldnt set it up that way .... But i will let the answer stand. – Joseph Kern Aug 06 '14 at 05:12