
[THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests



Hi Kent,

For tomcat/thredds, the webapps directory only needs the thredds.war.  
You should see the manager app in there too, but we're not putting it 
there.  My local webapps directory looks like this:

madry@MENDAX ~/apache-tomcat-7.0.53/webapps
$ ls
ROOT  docs  examples  host-manager  manager  thredds  thredds.war

-Lansing

On 4/22/2014 11:43 AM, Kent Gardner wrote:
> New Client Reply: Urgent: UMASS Production Tomcat/THREDDS server shut down 
> due to flood of DNS requests
>
> Hi Ethan,
>
>
> There were several .war files and their directories (e.g., 1x.war, 7777.war, 
> 8888.war, lxplxy.war) in the tomcat/webapps directory that were suspicious. 
> We are not sure how they were uploaded. We've removed the files and changed 
> the tomcat password. We'll continue to research the problem and monitor the 
> system.
>
>
> For a tomcat/thredds installation do you have a typical directory list of 
> what should be in webapps?
>
>
> Thanks for the URL.
>
>
> -Kent
>
>
> --------------------------------
> Kent Gardner
> SMAST - UMass Dartmouth
> 200 Mill Road, Suite 325
> Fairhaven, MA 02719
>
> Phone: 508-910-9027
> Email: address@hidden
> --------------------------------
>
> ----- Original Message -----
>
> From: "Unidata THREDDS Support" <address@hidden>
> To: address@hidden
> Cc: address@hidden, address@hidden, address@hidden, address@hidden, "kent 
> gardner" <address@hidden>, address@hidden, "michael deignan" 
> <address@hidden>, address@hidden, address@hidden, address@hidden, "ru 
> morrison" <address@hidden>
> Sent: Tuesday, April 22, 2014 1:26:41 PM
> Subject: [THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS 
> server shut down due to flood of DNS requests
>
> Do you know how this file was uploaded to Tomcat and then run? Is it a .war 
> file that was installed through the Tomcat manager app? Or did it get 
> uploaded in some other way and run in some other way?
>
> If the first, is the Tomcat manager available only through SSL and only to a 
> restricted set of IP addresses? There's a section on doing that in this 
> Security page in the TDS tutorials:
>
> https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html
>
> Ethan
>
>> Hi All,
>>
>> I just talked to Kent and Mike. They are working very hard on fixing
>> this issue. Based on my understanding from Kent, he is cleaning the
>> unknown files in Tomcat. He said he will restart Tomcat in about one
>> hour, and monitor its performance. Kent found some unknown files
>> that were uploaded in Tomcat which is continuously running. It seems
>> like a virus file from China. We need to find a way to stop anyone
>> from uploading the program to Tomcat.
>>
>> Regards,
>>
>> Chen
>
> Ticket Details
> ===================
> Ticket ID: IXX-362335
> Department: Support THREDDS
> Priority: Normal
> Status: Open
> Link:  
> https://www.unidata.ucar.edu/esupport/staff/index.php?_m=tickets&_a=viewticket&ticketid=23815



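
An added example, not part of the original thread or of THREDDS/Tomcat: a shell function that compares a webapps directory against the listing given in the reply above and reports every entry that is not on it. The function name `audit_webapps` and the `EXPECTED` variable are assumptions made for this example.

```shell
#!/bin/sh
# Expected entries, copied from the directory listing in this thread.
# Adjust for your own deployment (assumption: names contain no spaces).
EXPECTED="ROOT docs examples host-manager manager thredds thredds.war"

# audit_webapps DIR
# Prints one line per entry in DIR that is not in EXPECTED, formatted as
# "<kind> <name>" where kind is "dir", "war" or "file".
# Returns 0 if nothing unexpected is present, 1 if something is,
# and 2 if DIR is not a readable directory.
audit_webapps() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "cannot read directory: $dir" >&2
        return 2
    fi
    found=0
    # Second pattern picks up dot-files, which a plain "ls" would hide.
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Skip a pattern that matched nothing (it stays as literal text).
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        known=no
        for ok in $EXPECTED; do
            if [ "$name" = "$ok" ]; then known=yes; break; fi
        done
        if [ "$known" = yes ]; then continue; fi
        if [ -d "$path" ]; then
            kind=dir            # e.g. the exploded directory of a deployed .war
        else
            case $name in
                *.war) kind=war ;;
                *)     kind=file ;;
            esac
        fi
        printf '%s %s\n' "$kind" "$name"
        found=1
    done
    return "$found"
}

# Usage (CATALINA_HOME is Tomcat's install directory):
#   audit_webapps "$CATALINA_HOME/webapps" || echo "review the entries above"
```

Run from cron or a monitoring job, a non-zero return is the signal to look at how the listed files arrived.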