Ping a Specific Port

Question

Sfisioza

Asked: 2014-06-18 14:54:27 +0800 CST2014-06-18 14:54:27 +0800 CST 2014-06-18 14:54:27 +0800 CST

Debian hacked via Tomcat Manager [duplicate]

772

After Tomcat installation, before I even changed the default Tomcat Manager password, the attacker used Tomcat Manager to deploy his own software. Probably some DDOS tools and a file manager.

I've already removed the suspected java software, changed all user passwords. Root login via ssh was not permitted.

How do I act now to ensure the server is secure?
What do I need to check? How to trace any other suspected activity?

1 Answers

Voted

Joseph Kern · Answer 1 · 2014-06-18T15:08:50+08:00

Best Answer

Joseph Kern

2014-06-18T15:08:50+08:002014-06-18T15:08:50+08:00

I will answer your first question:

How do I act now to ensure the server is secure?

Don't even try to clean it up if you can help it. Just reinstall the OS and this time setup firewall rules that block access to the Tomcat manager except from your current IP address. Even better just block everything except SSH and tunnel into the server then access the Tomcat Manager via the tunnel.

I think you should also read through the documentation for Tomcat Manager Setup.

3

Debian hacked via Tomcat Manager [duplicate]

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?