[THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests
- To: address@hidden
- Subject: [THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests
- From: "Unidata THREDDS Support" <address@hidden>
- Date: Tue, 22 Apr 2014 13:12:14 -0600
It seems highly likely the suspicious .war files you found were
uploaded and started through the Tomcat manager app (which is found
in the webapps/manager/ directory). The manager app is NOT enabled by
default in a Tomcat installation. If you are going to run it, you
should definitely make sure it is locked down. We have some
information on doing so here
On our production servers, we pretty much limit the contents of the
tomcat/webapps directory to
1) the ROOT/ directory (which contains our own content, not the
content that comes with a Tomcat installation)
2) the manager/ directory (which is locked down pretty much as
described at the URL above)
3) the thredds.war file and the thredds/ directory
Did you change the passwords for the Tomcat manager app role/users?
Some details at the URL above. Though details will depend on the
version of Tomcat you are running, so you should check out the Tomcat
manager app documentation as well:
Hope that helps,
> Hi Ethan,
> There were several .war files and their directories (e.g., 1x.war,
> 7777.war, 8888.war, lxplxy.war) in the tomcat/webapps directory that
> were suspicious. We are not sure how they were uploaded. We've
> removed the files and changed the tomcat password. We'll continue to
> research the problem and monitor the system.
> For a tomcat/ thredds installation do you have a typical directory
> list of what should be in webapps?
> Thanks for the URL.
> Kent Gardner
> SMAST - UMass Dartmouth
> ----- Original Message -----
> Sent: Tuesday, April 22, 2014 1:26:41 PM
> Do you know how this file was uploaded to Tomcat and then run? Is it a
> .war file that was installed through the Tomcat manager app? Or did it
> get uploaded in some other way and run in some other way?
> If the first, is the Tomcat manager available only through SSL and only
> to a restricted set of IP addresses? There's a section on doing that in
> this Security page in the TDS tutorials:
> > Hi All,
> > I just talked to Kent and Mike. They are working very hard on fixing
> > this issue. Based on my understanding from Kent, he is cleaning the
> > unknown files in Tomcat. He said he will restart Tomcat in about one
> > hour, and monitor its performance. Kent found some unknown files
> > that were uploaded in Tomcat which is continuously running. It seems
> > like a virus file from China. We need to find a way to stop anyone
> > from uploading the program to Tomcat.
> > Regards,
> > Chen
Ticket ID: IXX-362335
Department: Support THREDDS
NOTE: All email exchanges with Unidata User Support are recorded in the
Unidata inquiry tracking system and then made publicly available
through the web. If you do not want to have your interactions made
available in this way, you must let us know in each email you send to us.
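The two checks Ethan recommends above (keep tomcat/webapps limited to ROOT/, manager/, thredds.war and thredds/, and restrict the manager app to a small set of client addresses) can be turned into a small audit script. This is an added example, not code from the Unidata thread or the TDS project; the location of the manager context file and the default Tomcat path are assumptions, since the thread does not give the Tomcat version.

```python
"""Audit a Tomcat webapps/ tree against the allow list from the thread and
confirm the manager app is fenced with a RemoteAddrValve (added example;
paths are assumptions, not taken from the Unidata thread)."""
import os
import xml.etree.ElementTree as ET

# Allow list from the thread: anything else in webapps/ deserves a look
# (the rogue uploads were names like 1x.war, 7777.war plus exploded dirs).
EXPECTED = {"ROOT", "manager", "thredds", "thredds.war"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def unexpected_webapps(webapps_dir):
    """Return sorted entry names in webapps/ that are not on the allow list."""
    return sorted(n for n in os.listdir(webapps_dir) if n not in EXPECTED)


def manager_allow_list(context_xml):
    """Return the 'allow' pattern of a RemoteAddrValve in the manager's
    context file, or None if no such valve is active. ElementTree drops XML
    comments, so a commented-out valve (a common misconfiguration) is not
    counted as a restriction."""
    root = ET.parse(context_xml).getroot()
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            return valve.get("allow")
    return None


def audit(webapps_dir):
    """Combine both checks into a list of findings; an empty list is clean.
    Assumes the manager context lives at manager/META-INF/context.xml."""
    findings = [f"unexpected entry in webapps/: {n}"
                for n in unexpected_webapps(webapps_dir)]
    ctx = os.path.join(webapps_dir, "manager", "META-INF", "context.xml")
    if not os.path.isfile(ctx):
        findings.append("manager context.xml missing; cannot verify IP restriction")
    elif manager_allow_list(ctx) is None:
        findings.append("manager app has no RemoteAddrValve; reachable from any address")
    return findings


if __name__ == "__main__":
    import sys
    # Constructed default path; pass the real webapps/ directory as argv[1].
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/webapps"):
        print(finding)
```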