Sunday, 26 July 2015

Tomcat probably hacked through application manager. How can I disable manager access?

I believe that I was hacked twice in the past two days. The first time, I reformatted the server completely.

Then today it happened again. The HTML output is being modified. In my application I use request.getRequestURL(), which, when hacked, returns a Baidu-related host URL.

I have all the security stuff set up on my server and I have boiled it down to Tomcat.

When I now restart the Tomcat server, request.getRequestURL() returns my URL correctly. However, I believe it is a matter of time before I get hacked again. The hack does not seem to survive restarts and is possibly stored in application memory.

For instance, I've noticed a couple of logged attempts of accessing: http://...:8080/manager which shows the login for Tomcat Manager Application.

Somehow I believe they are able to log in here and alter the hostname.

Can someone shed some light on why this is happening? Why does Tomcat come with some stupid defaults that allow this to happen? I haven't configured Tomcat at all.

I am starting Tomcat using the -Xms2048m -Xmx8192m -server flags.

Also, how can I disable manager access completely? Can I set up a Tomcat server configuration and point to it somehow?

Edit:

tomcat-8.0.21/conf/tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>
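The symptom described in the question (getRequestURL() suddenly returning a foreign host) is what you see when an application trusts the client-supplied Host header: HttpServletRequest.getRequestURL() and getServerName() are rebuilt from that header, so any request carrying a different Host value makes the application emit links for that host, with no need for a manager login or anything stored in memory. A standard defence is to reject requests whose Host does not match the names the site actually serves. The filter below is an added example written for this page, not code from the question or from the Tomcat project; the hostnames in ALLOWED_HOSTS are placeholders and the class is assumed to be deployed in the same web application as the affected servlet (Tomcat 8 uses the javax.servlet API).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request whose Host header is not one of the names this site
 * serves. getServerName() is derived from the Host header, so checking it
 * here is the same as checking what getRequestURL() will later reflect.
 */
@WebFilter("/*")
public class HostHeaderAllowlistFilter implements Filter {

    // Placeholder names for this example; replace with the real site hostnames.
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "example.com",
            "www.example.com"));

    /** Normalises a Host value (case, trailing dot) and checks it against the allowlist. */
    static boolean isAllowedHost(String host) {
        if (host == null || host.isEmpty()) {
            return false;
        }
        String normalised = host.toLowerCase(Locale.ROOT);
        if (normalised.endsWith(".")) {                 // "example.com." is the same name
            normalised = normalised.substring(0, normalised.length() - 1);
        }
        return ALLOWED_HOSTS.contains(normalised);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getServerName() returns the host part of the Host header (port already stripped).
        if (!isAllowedHost(req.getServerName())) {
            // Refuse early: nothing downstream gets to build URLs from an untrusted host.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /** Stand-alone check with constructed inputs, so the logic can be exercised without a container. */
    public static void main(String[] args) {
        String[] samples = {"www.example.com", "EXAMPLE.COM.", "attacker.invalid", ""};
        for (String sample : samples) {
            System.out.println("\"" + sample + "\" -> " + isAllowedHost(sample));
        }
        // The constructed foreign host above is rejected; the two site names are accepted.
    }
}
```

This filter addresses the URL-rewriting symptom. The separate question of the Manager application is answered by Tomcat's own layout: the Manager is just the webapps/manager directory, so removing that directory disables it entirely, and when it is needed its META-INF/context.xml carries a RemoteAddrValve entry that limits access to listed source addresses. The tomcat-users.xml shown above defines no manager-gui user, so with that file unchanged nobody can log in to the Manager; a successful login would therefore point at a different user store, or at credentials added elsewhere, rather than at the shipped defaults.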
