This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Hi Kent,

It seems highly likely the suspicious .war files you found were uploaded and started through the Tomcat manager app (which is found in the webapps/manager/ directory). The manager app is NOT enabled by default in a Tomcat installation. If you are going to run it, you should definitely make sure it is locked down. We have some information on doing so here

https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html#manager

On our production servers, we pretty much limit the contents of the tomcat/webapps directory to

1) the ROOT/ directory (which contains our own content, not the content that comes with a Tomcat installation)
2) the manager/ directory (which is locked down pretty much as described at the URL above)
3) the thredds.war file and the thredds/ directory

Did you change the passwords for the Tomcat manager app role/users? Some details at the URL above. Though details will depend on the version of Tomcat you are running, so you should check out the Tomcat manager app documentation as well:

http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Hope that helps,

Ethan

> Hi Ethan,
>
> There were several .war files and their directories (e.g., 1x.war,
> 7777.war, 8888.war, lxplxy.war) in the tomcat/webapps directory that
> were suspicious. We are not sure how they were uploaded. We've
> removed the files and changed the tomcat password. We'll continue to
> research the problem and monitor the system.
>
> For a tomcat/thredds installation do you have a typical directory
> list of what should be in webapps?
>
> Thanks for the URL.
>
> -Kent
>
> --------------------------------
> Kent Gardner
> SMAST - UMass Dartmouth
> --------------------------------
>
> ----- Original Message -----
> Sent: Tuesday, April 22, 2014 1:26:41 PM
>
> Do you know how this file was uploaded to Tomcat and then run? Is it a
> .war file that was installed through the Tomcat manager app? Or did it
> get uploaded in some other way and run in some other way?
>
> If the first, is the Tomcat manager available only through SSL and only
> to a restricted set of IP addresses? There's a section on doing that in
> this Security page in the TDS tutorials:
>
> https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html
>
> Ethan
>
> > Hi All,
> >
> > I just talked to Kent and Mike. They are working very hard on fixing
> > this issue. Based on my understanding from Kent, he is cleaning the
> > unknown files in Tomcat. He said he will restart Tomcat in about one
> > hour, and monitor its performance. Kent found some unknown files
> > that were uploaded in Tomcat which is continuously running. It seems
> > like a virus file from China. We need to find a way to stop anyone
> > from uploading the program to Tomcat.
> >
> > Regards,
> >
> > Chen

Ticket Details
===================
Ticket ID: IXX-362335
Department: Support THREDDS
Priority: Normal
Status: Open
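
The webapps layout given in the reply above (ROOT/, manager/, thredds.war, thredds/) can be checked mechanically. The following is an added example, not part of the original support exchange or of any Unidata tooling: a POSIX shell function that reports every entry in a Tomcat webapps directory that is not on that allowlist. The function name `audit_webapps` and the `ALLOWED` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag anything in tomcat/webapps that is not on an allowlist.
# The allowlist mirrors the production layout described in the reply
# (ROOT/, manager/, thredds.war, thredds/); adjust it for your own site.
# Usage: audit_webapps /path/to/tomcat/webapps
ALLOWED="ROOT manager thredds thredds.war"

# audit_webapps DIR
# Prints one line per unexpected entry as "<kind> <name>".
# Returns 0 if DIR holds only allowlisted entries, 1 if anything else is
# present, 2 if DIR is not a readable directory.
audit_webapps() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "cannot read directory: $dir" >&2
        return 2
    fi
    status=0
    # The second and third patterns pick up dot-files, which a plain * skips.
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then continue; fi
        name=${path##*/}
        ok=no
        for allowed in $ALLOWED; do
            if [ "$name" = "$allowed" ]; then ok=yes; break; fi
        done
        if [ "$ok" = yes ]; then continue; fi
        if [ -L "$path" ]; then kind=symlink
        elif [ -d "$path" ]; then kind=dir
        else kind=file
        fi
        printf '%s %s\n' "$kind" "$name"
        status=1
    done
    return "$status"
}
```

Run from cron or a monitoring check, a non-zero return signals that a .war file or exploded directory has appeared that was not deployed deliberately.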