
[THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS server shut down due to flood of DNS requests



Hi Kent,

For tomcat/thredds, the webapps directory only needs the thredds.war.  
You should see the manager app in there too, but we're not putting it 
there.  My local webapps directory looks like this:

address@hidden ~/apache-tomcat-7.0.53/webapps
$ ls
ROOT  docs  examples  host-manager  manager  thredds  thredds.war

-Lansing

On 4/22/2014 11:43 AM, Kent Gardner wrote:
> New Client Reply: Urgent: UMASS Production Tomcat/THREDDS server shut down 
> due to flood of DNS requests
>
> Hi Ethan,
>
>
> There were several .war files and their directories (e.g., 1x.war, 7777.war, 
> 8888.war, lxplxy.war) in the tomcat/webapps directory that were suspicious. 
> We are not sure how they were uploaded. We've removed the files and changed 
> the tomcat password. We'll continue to research the problem and monitor the 
> system.
>
>
> For a tomcat/thredds installation do you have a typical directory list of 
> what should be in webapps?
>
>
> Thanks for the URL.
>
>
> -Kent
>
>
> --------------------------------
> Kent Gardner
> SMAST - UMass Dartmouth
> 200 Mill Road, Suite 325
> Fairhaven, MA 02719
>
> Phone: 508-910-9027
> Email: address@hidden
> --------------------------------
>
> ----- Original Message -----
>
> From: "Unidata THREDDS Support" <address@hidden>
> To: address@hidden
> Cc: address@hidden, address@hidden, address@hidden, address@hidden, "kent 
> gardner" <address@hidden>, address@hidden, "michael deignan" 
> <address@hidden>, address@hidden, address@hidden, address@hidden, "ru 
> morrison" <address@hidden>
> Sent: Tuesday, April 22, 2014 1:26:41 PM
> Subject: [THREDDS #IXX-362335]: Urgent: UMASS Production Tomcat/THREDDS 
> server shut down due to flood of DNS requests
>
> Do you know how this file was uploaded to Tomcat and then run? Is it a .war 
> file that was installed through the Tomcat manager app? Or did it get 
> uploaded in some other way and run in some other way?
>
> If the first, is the Tomcat manager available only through SSL and only to a 
> restricted set of IP addresses? There's a section on doing that in this 
> Security page in the TDS tutorials:
>
> https://www.unidata.ucar.edu/software/thredds/current/tds/tds4.3/tutorial/Security.html
>
> Ethan
>
>> Hi All,
>>
>> I just talked to Kent and Mike. They are working very hard on fixing
>> this issue. Based on my understanding from Kent, he is cleaning the
>> unknown files in Tomcat. He said he will restart Tomcat in about one
>> hour, and monitor its performance. Kent found some unknown files
>> that were uploaded in Tomcat which is continuously running. It seems
>> like a virus file from China. We need to find a way to stop anyone
>> from uploading the program to Tomcat.
>>
>> Regards,
>>
>> Chen
>
> Ticket Details
> ===================
> Ticket ID: IXX-362335
> Department: Support THREDDS
> Priority: Normal
> Status: Open
> Link:  
> https://www.unidata.ucar.edu/esupport/staff/index.php?_m=tickets&_a=viewticket&ticketid=23815





NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.
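
The webapps listing in Lansing's reply can be used as an allowlist to spot stray deployments like the .war files Kent describes. The script below is an added example, not part of the original thread or of Unidata's tooling; the function names, the EXPECTED variable and the demo directory (built from the file names mentioned in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Allowlist taken from the stock Tomcat 7 + THREDDS listing in the reply above.
# Adjust it to what your site actually deploys.
EXPECTED="ROOT docs examples host-manager manager thredds thredds.war"

# Succeeds only if the entry name is on the allowlist.
is_expected() {
    case $1 in *[[:space:]]*) return 1 ;; esac   # never match across list items
    case " $EXPECTED " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print every entry in directory $1 that is not allowlisted, one per line.
# Returns 0 if clean, 1 if unexpected entries exist, 2 if $1 is unreadable.
audit_webapps() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for path in "$dir"/* "$dir"/.[!.]*; do       # include hidden entries
        [ -e "$path" ] || [ -L "$path" ] || continue   # skip unmatched globs
        name=${path##*/}
        if ! is_expected "$name"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return $found
}

# Constructed sample: an empty directory tree using the names from the thread.
make_demo_webapps() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ROOT" "$d/docs" "$d/examples" "$d/host-manager" "$d/manager" \
          "$d/thredds" "$d/1x" "$d/lxplxy"
    for f in thredds.war 1x.war 7777.war 8888.war lxplxy.war; do : > "$d/$f"; done
    printf '%s\n' "$d"
}

demo=$(make_demo_webapps)
echo "Unexpected entries in $demo:"
audit_webapps "$demo" || echo "audit failed: webapps differs from allowlist"
rm -rf "$demo"
```

Run from cron against the real webapps path, a non-zero exit status gives an early signal that something was deployed outside the normal process.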