
Re: [jetty-users] jetty keeps getting hacked

More info: the conf.n file is just a small binary file (69 bytes), which is probably a marker of infection. It does create malware executables in /tmp with names like "L26_123_web", which are detected as backdoors by https://www.virustotal.com:

Avast ELF:Elknot-AE [Trj] 20140730
DrWeb Linux.BackDoor.Gates.6 20140730
Kaspersky Backdoor.Linux.Ganiw.a 20140730
Sophos Linux/DDoS-BD 20140730



On Sat, Aug 2, 2014 at 10:02 AM, Kent Tong <kent.tong.mo@xxxxxxxxx> wrote:
Hi all,

thanks for the help!

> File and directory permissions too permissive, maybe?

the directory (and everything inside) is owned and writable by the "jetty" user only.

> Which user is jetty running as?

it is run as jetty on port 8080.

> What's in conf.n? (details please)

it is malware. The "file" command says it is data. Scanning it with online virus detection would say that it is some kind of backdoor malware.

> What do you have in your webapp? (be detailed)

it is an in-house developed webapp. I am going to replace it with a simple webapp to see if it is really the culprit.

> How do you start Jetty? (your command line *AND* your start.ini and
> start.d/ contents)

I start it with "sudo -u jetty /opt/jetty/bin/jetty.sh".

start.ini is:

etc/jetty.xml
etc/jetty-annotations.xml
etc/jetty-ssl.xml
etc/jetty-deploy.xml
etc/jetty-contexts.xml

no change has been made to those .xml files (except the SSL key and cert) and start.d contents.

>  Do you customize anything in ${jetty.home}? (like lib or xml files)

no.

> Do you run elasticsearch on your machine?

no.


--
Kent Tong
IT author and consultant, child education coach



--
Kent Tong
IT author and consultant, child education coach
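As an added example (not code from the thread, from Kent, or from the Jetty project): a small POSIX shell check a defender can run against an install to look for the two indicators reported above, a "conf.n" marker file inside the Jetty tree and executables dropped in /tmp with names like "L26_123_web". The /opt/jetty and /tmp paths and the L<digits>_<digits>_web name pattern are assumptions drawn only from the names quoted in the thread; the sample tree the script scans is constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: a defender-side check for the
# indicators reported in this thread (a small "conf.n" marker file inside
# the Jetty tree and executables dropped in /tmp named like "L26_123_web").
# The directory arguments and the name pattern are assumptions based only
# on the names quoted in the thread.

# scan_for_indicators JETTY_DIR TMP_DIR
# Prints one line per finding. Returns 0 when nothing was found, 1 otherwise.
scan_for_indicators() {
    jetty_dir=$1
    tmp_dir=$2
    hits=0

    # Marker files: the thread describes conf.n as a 69-byte blob that
    # `file` reports as "data", so report any file of that name with its size.
    for f in $(find "$jetty_dir" -type f -name 'conf.n' 2>/dev/null); do
        size=$(wc -c < "$f" | tr -d ' ')
        printf 'marker file: %s (%s bytes)\n' "$f" "$size"
        hits=$((hits + 1))
    done

    # Dropped payloads: executable regular files directly under the temp
    # directory whose names look like L<digits>_<digits>_web.
    for f in $(find "$tmp_dir" -maxdepth 1 -type f -perm -100 \
                   -name 'L[0-9]*_[0-9]*_web' 2>/dev/null); do
        printf 'executable dropper: %s\n' "$f"
        hits=$((hits + 1))
    done

    [ "$hits" -eq 0 ]
}

# count_indicators JETTY_DIR TMP_DIR -> number of findings on stdout
count_indicators() {
    scan_for_indicators "$1" "$2" | wc -l | tr -d ' '
}

# make_fixture -> path of a constructed sample tree that mimics the infection
# described in the thread (a 69-byte conf.n, one executable dropper, one
# benign file). It exists only so the example runs offline; remove it after.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/jetty/webapps" "$root/tmp"
    dd if=/dev/zero of="$root/jetty/webapps/conf.n" bs=1 count=69 2>/dev/null
    printf '#!/bin/sh\nexit 0\n' > "$root/tmp/L26_123_web"
    chmod 700 "$root/tmp/L26_123_web"
    printf 'benign\n' > "$root/tmp/notes.txt"
    echo "$root"
}

# Demo: scan the constructed tree, then a real install if one is present
# (/opt/jetty is the path the thread uses; adjust for your own layout).
root=$(make_fixture)
echo "findings in constructed sample: $(count_indicators "$root/jetty" "$root/tmp")"
rm -rf "$root"
if [ -d /opt/jetty ]; then
    scan_for_indicators /opt/jetty /tmp || echo "indicators found, investigate"
fi
```

On a clean install the scan prints nothing and exits 0. Since the thread shows the whole tree is owned and writable by the jetty user, a natural extension is to also list any executable under the install that the jetty user can write, because that is where a compromised webapp would be able to drop files.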
