We have noticed a couple of people running older Tomcat 5.5 installs, and these are being exploited. The main things we noticed were heavy bandwidth and CPU usage, along with a few other odd things running as the tomcat user:
www-data 20654 0.0 0.6 38616 8004 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20655 0.0 0.5 38468 7488 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
www-data 20696 0.0 0.5 38468 6952 ? S 21:43 0:00 \_ /usr/sbin/apache2 -k start
tomcat55 18323 66.6 0.1 349368 1432 ? Ssl 10:53 448:28 ./gg
Running lsof -p on that PID shows:
root@prod-web1:~# lsof -p 18323
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gg 18323 tomcat55 cwd DIR 202,1 4096 492548 /var/lib/tomcat5.5/webapps
gg 18323 tomcat55 rtd DIR 202,1 4096 2 /
gg 18323 tomcat55 txt REG 202,1 1415201 498584 /var/lib/tomcat5.5/webapps/gg
gg 18323 tomcat55 mem REG 202,1 109152 311967 /lib/ld-2.7.so
gg 18323 tomcat55 mem REG 202,1 1274092 312131 /lib/libc-2.7.so
gg 18323 tomcat55 mem REG 202,1 38412 312185 /lib/libnss_files-2.7.so
gg 18323 tomcat55 mem REG 202,1 286 247821 /usr/lib/locale/en_US.utf8/LC_MONETARY
gg 18323 tomcat55 mem REG 202,1 52 247733 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
gg 18323 tomcat55 mem REG 202,1 34 247754 /usr/lib/locale/en_US.utf8/LC_PAPER
gg 18323 tomcat55 mem REG 202,1 77 247771 /usr/lib/locale/en_US.utf8/LC_NAME
gg 18323 tomcat55 mem REG 202,1 155 247823 /usr/lib/locale/en_US.utf8/LC_ADDRESS
gg 18323 tomcat55 mem REG 202,1 59 247824 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
gg 18323 tomcat55 mem REG 202,1 23 247825 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
gg 18323 tomcat55 mem REG 202,1 25700 219280 /usr/lib/gconv/gconv-modules.cache
gg 18323 tomcat55 mem REG 202,1 373 247826 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
gg 18323 tomcat55 0u CHR 1,3 309 /dev/null
gg 18323 tomcat55 1u CHR 1,3 309 /dev/null
gg 18323 tomcat55 2u CHR 1,3 309 /dev/null
gg 18323 tomcat55 3u IPv4 178006 TCP yourhost.com:46579->220.127.116.11:10993 (ESTABLISHED)
New files we found included:
/var/lib/tomcat5.5# find ./ -mtime 0
It's safe to say that if you see this on your own server, you need to stop the processes and Tomcat, and upgrade immediately. Check all applications carefully for extra files or backdoors before re-deploying.
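A triage script for the symptoms described above, added here as an example rather than the post's own commands: it lists processes owned by the Tomcat user that are not the JVM, pulls the tell-tale lines from lsof output (an executable mapped from the webapps directory and an established outbound connection), and lists recently changed files under webapps. The ps and lsof samples are constructed from the listings above; the user name tomcat55, the webapps path and the remote address are assumptions.

```shell
#!/bin/sh
# Added example: triage checks for a rogue process running as the Tomcat user,
# run here over constructed samples rather than a live system.

# Constructed 'ps auxf' excerpt: the JVM plus an odd './gg' process, both owned by tomcat55.
PS_SAMPLE='www-data 20654 0.0 0.6 38616 8004 ? S 21:26 0:00 \_ /usr/sbin/apache2 -k start
tomcat55 18300 2.1 8.0 812000 96000 ? Sl 10:50 3:10 /usr/bin/java -Djava.awt.headless=true
tomcat55 18323 66.6 0.1 349368 1432 ? Ssl 10:53 448:28 ./gg'

# Constructed 'lsof -p 18323' excerpt; the remote address is a documentation IP.
LSOF_SAMPLE='gg 18323 tomcat55 cwd DIR 202,1 4096 492548 /var/lib/tomcat5.5/webapps
gg 18323 tomcat55 txt REG 202,1 1415201 498584 /var/lib/tomcat5.5/webapps/gg
gg 18323 tomcat55 mem REG 202,1 1274092 312131 /lib/libc-2.7.so
gg 18323 tomcat55 3u IPv4 178006 TCP yourhost.com:46579->203.0.113.10:10993 (ESTABLISHED)'

# Print PIDs owned by the Tomcat user whose command is not the JVM itself.
# Usage: suspicious_tomcat_pids "$(ps auxf)" [user]
suspicious_tomcat_pids() {
    printf '%s\n' "$1" | awk -v user="${2:-tomcat55}" '
        $1 == user {
            cmd = $11
            if (cmd == "\\_") cmd = $12      # skip the ps forest marker
            if (cmd !~ /java$/) print $2
        }'
}

# From lsof output, report an executable mapped from webapps (a file dropped
# through the web application) and any established TCP connection it holds.
# Usage: lsof_findings "$(lsof -p PID)"
lsof_findings() {
    printf '%s\n' "$1" | awk '
        $4 == "txt" && $NF ~ /\/webapps\// { print "exe-in-webapps " $NF }
        $NF == "(ESTABLISHED)"             { print "connection " $(NF-1) }'
}

# Files under webapps changed in the last day, as the post's "find ./ -mtime 0" does.
recent_webapps_files() {
    find "${1:-/var/lib/tomcat5.5/webapps}" -type f -mtime 0 2>/dev/null
}

for pid in $(suspicious_tomcat_pids "$PS_SAMPLE"); do
    echo "suspicious process $pid owned by tomcat55:"
    lsof_findings "$LSOF_SAMPLE"
done
```

On a live box, feed the functions the real output of ps auxf and lsof -p, and compare anything recent_webapps_files reports against what you actually deployed.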
Often when people switch servers or move to new providers, transferring email can be problematic. If you are using POP3, the email is already on your personal computer; if you are using IMAP, however, you are stuck adding a second account and dragging and dropping for each user, or similar.
Never fear, there are tools around that help migrate things for you. Here I will explain the basics of imapsync, which appears to be one of the better ones.
Happy birthday to us! RimuHosting has now been providing VPS hosting for 10 years.
Let's do some fun things to celebrate. First up a sale! We will add a $100 credit to your account when you order a new server with us.
This offer applies to new VPS, VPS-on-dedicated and regular dedicated servers. Pricing starts at around $16/m.
Our VPS plans are very flexible. You select the memory, disk space and data transfer allowance you need. You do not pay for resources you are not going to use.
The VPSs are powerful, fast Xen virtual machines. You have root SSH access. You can add in a control panel (like Virtualmin or Plesk or cPanel) to help you manage the server. Plus our sysadmins are available 24x7 to help install, troubleshoot and help out with your server.
So take the hassle out of your hosting and sign up for a new server with us today. Grab us on Live Chat if you have any quick questions, or email us an enquiry.
The fine print:
- You will need to sign up between now and the end of June (or whenever we cut off the offer before then). If you have already ordered with us in the previous month or so, then good news! You'll still get a (partial) credit.
- After you order you'll need to pay the invoices created in the first 30 days (hosting fees and any setup fees). You'll also need to have any other balance owing on your account paid.
- After the server has been up and running for 30 days, go and add the credit to your account at http://rimuhosting.com/cp/coupons.jsp
- The offer excludes additional VPSs on multi-VPS-on-ded servers.
- The coupon must be applied before the end of August.
Image credit: aih
We’re happy to announce the availability of Debian 7.0 (release notes) and Ubuntu 13.04 (release notes) images for new VPS installations.
Both releases are pretty stable and there is not much to report.
It seems that the biggest news (for Ubuntu) is the shorter life cycle for non-LTS versions, and the longer cycle (5 years!) for LTS releases. So the 13.04 release of Ubuntu (Raring Ringtail) will be supported until January 2014, while 12.04 LTS support extends until April 2017.
Given the relatively minor changes in this release, we would recommend users select Ubuntu 12.04 LTS over Ubuntu 13.04.
Most Debian packages get a minor version update compared with the previous release, Debian 6 (Squeeze). None are too notable; examples are MySQL 5.1 => 5.5 and PHP 5.3 => 5.4.
If you already have a running server and need to upgrade (without reinstalling), please see our notes on distribution upgrades for Ubuntu and Debian. Or put in a ticket and let us help you with that.
I have been seeing a few people unsure what to do when they lose or forget their root password. Some resort to reinstalling their server, thinking this is the only option; however, there is another option with RimuHosting.
I have made posts before on how to find exploits and what to do about them; however, it has come to my attention that some people do not even know the basics of what to look for. In this post I will give you ideas on what to look for, how to identify exploits, and similar.
The vast majority of exploits are web based and only impact the web user. They usually come from an insecure CMS like WordPress, Joomla, or Drupal, and are almost always PHP based, with the odd Perl one thrown in. If you run one of these CMSs, make sure you update whenever there is a new version of the CMS, as well as its plugins; this is vital to staying secure.
Signs and Symptoms of being exploited:
A customer came to us with a problem copying one database to another, and asked us to do it for him. Once we logged in we saw the error fairly quickly:
~# mysqldump -uadmin -p`cat /root/.mysqlpass` database >dbdump.sql
mysqldump: Got error: 29: File './database/tablename.MYD' not found (Errcode: 24) when using LOCK TABLES
It can be fairly easy to work out what the error code means using the perror tool:
~# perror 24
OS error code 24: Too many open files
Once you know what the error means, you can apply the workaround that fixes it. In this case, dumping the large database as a single transaction avoids the LOCK TABLES step that was opening too many files at once:
~# mysqldump --single-transaction -uadmin -p`cat /root/.mysqlpass` database >dbdump.sql
If you ever have a similar problem and need a hand with it, just let us know.
If you are running a DNS server, then you need to check it is not being co-opted into 'DNS amplification attacks'.
Random nasty servers (typically part of virus-created botnets) send your DNS server a short request, but with a fake source IP address. Your DNS server then sends a (typically) long reply back to that fake source IP address.
The fake source IP address gets a lot of traffic from your DNS server. You get abuse complaints. Your server uses a ton of bandwidth.
Why do the 'nasty servers' do this?
First, their involvement is hidden. The target IP is getting traffic from your server, which is responding to the fake source IP, and you cannot easily tell where the traffic is really coming from. Typically the requests are fire-and-forget UDP requests.
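One way to check your own server's logs for the pattern just described, added here as an example that is not part of the original post: the script counts ANY queries (small question, large answer) per claimed source address, which in an amplification attack is the victim's address, and reports the share of ANY queries overall. The log lines are constructed in the style of BIND's query log; the addresses, log path and threshold are assumptions.

```shell
#!/bin/sh
# Added example: spot the amplification pattern in a resolver's query log.
# Constructed sample modelled on BIND's querylog output; the repeated "client"
# is a spoofed source, i.e. the real victim of the reflected replies.
QUERY_LOG='12-Dec-2012 10:53:01.101 client 198.51.100.7#53211: query: example.com IN ANY +E (192.0.2.1)
12-Dec-2012 10:53:01.102 client 198.51.100.7#53211: query: example.com IN ANY +E (192.0.2.1)
12-Dec-2012 10:53:01.103 client 198.51.100.7#53211: query: example.com IN ANY +E (192.0.2.1)
12-Dec-2012 10:53:01.104 client 198.51.100.7#53211: query: example.com IN ANY +E (192.0.2.1)
12-Dec-2012 10:53:02.200 client 203.0.113.9#40001: query: www.example.com IN A + (192.0.2.1)
12-Dec-2012 10:53:02.300 client 203.0.113.9#40002: query: mail.example.com IN MX + (192.0.2.1)'

# Count ANY queries per claimed source address and print "address count" for
# every address at or above the threshold (default 3).
# Usage: amplification_suspects "$(cat /var/log/named/query.log)" [threshold]
amplification_suspects() {
    printf '%s\n' "$1" \
      | sed -n 's/.*client \([0-9a-fA-F.:]*\)#[0-9]*: query: [^ ]* IN ANY .*/\1/p' \
      | sort | uniq -c \
      | awk -v min="${2:-3}" '$1 >= min { print $2, $1 }'
}

# Share of all logged queries that asked for ANY, as a whole-number percentage;
# a sudden jump in this figure is usually the first sign of being abused.
any_query_percent() {
    printf '%s\n' "$1" | awk '
        /: query: / { total++; if ($0 ~ / IN ANY /) any++ }
        END { if (total) print int(100 * any / total); else print 0 }'
}

amplification_suspects "$QUERY_LOG"
any_query_percent "$QUERY_LOG"
```

The log check only tells you whether you are already being used; the fix is to restrict recursion to your own networks (allow-recursion in BIND) and rate-limit responses.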
Thank you to all our wonderful customers for your business in 2012.
A number of our staff are taking a break over Christmas and the New Year to be with friends and family, and to take advantage of this beautiful Kiwi summer. Sometimes downtime really is a good thing.
So we will be operating with a reduced support crew for a while.
If you have non-URGENT requests, questions and comments then just forget about them for a bit and instead just enjoy the holidays.
We are still 'all go' for any emergencies or urgent issues.
We will be back up to regular staffing levels from about 3 January, and our rested staff will be back to their keen, prompt and helpful selves.
We are proud to announce the release of the new installer images for Ubuntu 12.10 Quantal Quetzal Server Edition. It is available as a reinstall option for existing servers, or on the new server orders page.
This release is intended for those who want newer versions of the packages than the 12.04 LTS (long term support) image provides. The trade-off is that it is not LTS, with only 18 months of package updates from Ubuntu.
On the server-side there is not too much new or remarkable in the 12.10 image. Most packages get minor updates. We have provided a new kernel 3.6.4 for these images. The install comes with a refreshed Python 3.2.