[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests

This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.

  • Subject: [THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests
  • Date: Tue, 22 Apr 2014 13:12:14 -0600
Hi Kent,

It seems highly likely the suspicious .war files you found were
uploaded and started through the Tomcat manager app (which is found
in the webapps/manager/ directory). The manager app is NOT enabled by
default in a Tomcat installation. If you are going to run it, you
should definitely make sure it is locked down. We have some
information on doing so here

https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html#manager

On our production servers, we pretty much limit the contents of the
tomcat/webapps directory to

1) the ROOT/ directory (which contains our own content, not the
   content that comes with a Tomcat installation)

2) the manager/ directory (which is locked down pretty much as
   described at the URL above)

3) the thredds.war file and the thredds/ directory

Did you change the passwords for the Tomcat manager app role/users?
Some details at the URL above. Though details will depend on the
version of Tomcat you are running, so you should check out the Tomcat
manager app documentation as well:

http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Hope that helps,

Ethan

> Hi Ethan,
> 
> 
> There were several .war files and their directories (e.g., 1x.war,
> 7777.war, 8888.war, lxplxy.war) in the tomcat/webapps directory that
> were suspicious . We are not sure how they were uploaded. We've
> removed the files and changed the tomcat password. We'll continue to
> research the problem and monitor the system.
> 
> 
> For a tomcat/ thredds installation do you have a typical directory
> list of what should be in webapps?
> 
> 
> Thanks for the URL.
> 
> 
> -Kent
> 
> 
> --------------------------------
> Kent Gardner
> SMAST - UMass Dartmouth
> --------------------------------
> 
> ----- Original Message -----
> Sent: Tuesday, April 22, 2014 1:26:41 PM
> 
> Do you know how this file was uploaded to Tomcat and then run? Is it a
> .war file that was installed through the Tomcat manager app? Or did it
> get uploaded in some other way and run in some other way?
> 
> If the first, is the Tomcat manager available only through SSL and only
> to a restricted set of IP addresses? There's a section on doing that in
> this Security page in the TDS tutorials:
> 
> https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html
> 
> Ethan
> 
> > Hi All,
> >
> > I just talked to Kent and Mike. They are working very hard on fixing
> > this issue. Based on my understanding from Kent, he is cleaning the
> > unknown files in Tomcat. He said he will restart Tomcat in about one
> > hour, and monitor its performance. Kent found some unknown files
> > that was uploaded in Tomcat which is continuously running. It seems
> > like virus file from China. We need to find a way to stop anyone
> > to upload the program to Tomcat.
> >
> > Regards,
> >
> > Chen


Ticket Details
===================
Ticket ID: IXX-362335
Department: Support THREDDS
Priority: Normal
Status: Open