docker container tomcat:8-jre8 hacked? #39

Closed
bresche opened this issue Aug 10, 2016 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments


bresche commented Aug 10, 2016

I hosted a web app on Jelastic (dogado) as a Docker container. After two weeks I got an email:

--- email ---
Dear Jelastic customer,
there was a process of the command "/usr/local/tomcat/3333" which was sending massive packets to different targets this morning. The symptoms look like the Docker instance has a security hole and was used in a DDoS attack or is part of a botnet.

The top command showed this process:

```
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
334 root 20 0 104900 968 456 S 99.2 0.1 280:51.95 3333
```

```
root@node0815-somename:/# ls -al /proc/334
...
lrwxrwxrwx 1 root root 0 Jul 26 08:16 cwd -> /usr/local/tomcat
lrwxrwxrwx 1 root root 0 Jul 26 08:16 exe -> /usr/local/tomcat/3333
```

We have killed the process and changed the permissions of the file:

```
root@node0815-somename:/# kill 334
root@node0815-somename:/# chmod 000 /usr/local/tomcat/3333
```

Please investigate or use a more security-hardened Docker template.

---email---

Has anyone encountered the same or a similar problem before? Is it possible that the container was hacked?
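The hosting provider found the intrusion by noticing a process whose `exe` link pointed into `/usr/local/tomcat`. The script below, an added example that is not from this thread or the docker-library project, turns that observation into two repeatable checks: list processes whose executable resolves under CATALINA_HOME (Tomcat itself is a JVM process, so none should), and list files with an execute bit that are not Tomcat's own `bin/` scripts. It assumes the official image layout (`/usr/local/tomcat`, scripts in `bin/`, compiled shared objects in `native-jni-lib/`) and builds a constructed sample tree with a fake procfs so it runs offline; the `/usr/bin/java` target in the sample is a placeholder, not the image's real JVM path.

```shell
#!/bin/sh
# Added example, not code from the thread or the docker-library project.
# Two checks for the symptom reported above: a process whose /proc/PID/exe
# resolves inside CATALINA_HOME. Tomcat itself is a JVM process (exe -> java
# under the JDK), so nothing under /usr/local/tomcat should be the exe of a
# running process, and the only executables that belong there are bin/*.sh.

# procs_exec_from PROC_ROOT PREFIX
# Print "PID TARGET" for each process whose exe symlink resolves under PREFIX.
# PROC_ROOT is normally /proc; the demo passes a constructed tree instead.
procs_exec_from() {
  proc_root=$1
  prefix=$2
  for d in "$proc_root"/[0-9]*; do
    [ -L "$d/exe" ] || continue
    target=$(readlink "$d/exe") || continue
    case $target in
      "$prefix"/*) printf '%s %s\n' "${d##*/}" "$target" ;;
    esac
  done
}

# stray_executables CATALINA_HOME
# Regular files with an execute bit outside bin/ (Tomcat's scripts) and
# native-jni-lib/ (shared objects the official image builds, which carry the
# bit too). A dropped binary such as "3333" in the install root shows up here.
stray_executables() {
  find "$1" -type f -perm -u+x \
    ! -path "$1/bin/*" ! -path "$1/native-jni-lib/*"
}

# Constructed sample (not real data): a fake CATALINA_HOME holding the rogue
# binary and a fake procfs with the JVM (pid 1) and the rogue process (pid 334).
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/tomcat/bin" "$root/proc/1" "$root/proc/334"
  printf '#!/bin/sh\n' > "$root/tomcat/bin/catalina.sh"
  chmod 755 "$root/tomcat/bin/catalina.sh"
  printf 'ELF' > "$root/tomcat/3333"
  chmod 755 "$root/tomcat/3333"
  ln -s /usr/bin/java "$root/proc/1/exe"          # placeholder JVM path
  ln -s "$root/tomcat/3333" "$root/proc/334/exe"
  printf '%s\n' "$root"
}

# Demo against the constructed tree. Inside a live container run instead:
#   procs_exec_from /proc /usr/local/tomcat
#   stray_executables /usr/local/tomcat
if [ "${1:-}" = "--demo" ]; then
  root=$(build_sample)
  echo "processes executing from $root/tomcat:"
  procs_exec_from "$root/proc" "$root/tomcat"
  echo "stray executables:"
  stray_executables "$root/tomcat"
  rm -rf "$root"
fi
```

Run it from the host against the container's pid namespace (or inside the container with `/proc`) before killing anything, and copy the flagged binary out first; `chmod 000` as the provider did preserves the file for analysis, whereas `rm` destroys the evidence.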


edwardotis commented Oct 7, 2016

The official Docker Tomcat repo leaves several default Tomcat apps in the webapps directory.

"Tomcat ships with a number of web applications that are enabled by default. Vulnerabilities have been discovered in these applications in the past. Applications that are not required should be removed so the system will not be at risk if another vulnerability is discovered."
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Default_web_applications

```
root@6a8fd300896f:/usr/local/tomcat# ls -l webapps/
total 20
drwxr-xr-x 3 root root 4096 Sep 23 23:55 ROOT
drwxr-xr-x 14 root root 4096 Sep 23 23:55 docs
drwxr-xr-x 6 root root 4096 Sep 23 23:55 examples
drwxr-xr-x 5 root root 4096 Sep 23 23:55 host-manager
drwxr-xr-x 5 root root 4096 Sep 23 23:55 manager
```

Perhaps there was an exploit available through one of these in the version you deployed?

Before you deploy your own webapp, you should probably remove all these apps in your Dockerfile like so:

```dockerfile
FROM tomcat:8.0.37-jre8

# Remove every bundled application (ROOT, docs, examples, host-manager, manager)
# but keep the webapps directory itself, which is Tomcat's appBase.
RUN rm -rf /usr/local/tomcat/webapps/*
```
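Removing the bundled applications is only useful if the image you actually ship stays clean, so here is an added check (not code from the thread or the docker-library project) that fails when a webapps directory contains anything other than the applications you name. It takes the directory path and an allowlist of application base names (an unpacked `myapp/` and a `myapp.war` both count as `myapp`), so it can run inside the built container or against an exported filesystem; the sample tree it builds for the demo is constructed and the default-app names come from the `ls -l webapps/` output above.

```shell
#!/bin/sh
# Added example, not code from the thread or the docker-library project.
# Fail if a Tomcat webapps directory still contains anything other than the
# applications you intend to deploy.

# The applications Tomcat bundles by default; none are needed in production.
DEFAULT_APPS="ROOT docs examples host-manager manager"

# is_default_app NAME
is_default_app() {
  for d in $DEFAULT_APPS; do [ "$d" = "$1" ] && return 0; done
  return 1
}

# is_allowed NAME [ALLOWED...]
is_allowed() {
  wanted=$1; shift
  for a in "$@"; do [ "$a" = "$wanted" ] && return 0; done
  return 1
}

# audit_webapps WEBAPPS_DIR [ALLOWED...]
# Prints each unexpected entry (hidden files included) and returns 1 if any
# default app is still present or any entry is missing from the allowlist.
audit_webapps() {
  dir=$1; shift
  status=0
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue          # skip unmatched glob literals
    name=${entry##*/}
    name=${name%.war}                    # myapp.war and myapp/ are one app
    if is_allowed "$name" "$@"; then
      continue
    elif is_default_app "$name"; then
      printf 'default app still present: %s\n' "$entry"
    else
      printf 'unexpected entry: %s\n' "$entry"
    fi
    status=1
  done
  return $status
}

# Constructed sample (not real data): the stock layout plus one deployed app.
build_sample_webapps() {
  root=$(mktemp -d)
  mkdir -p "$root/ROOT" "$root/docs" "$root/examples" \
           "$root/host-manager" "$root/manager" "$root/myapp"
  : > "$root/myapp.war"
  printf '%s\n' "$root"
}

# Demo. Inside a built container run instead:
#   audit_webapps /usr/local/tomcat/webapps myapp || exit 1
if [ "${1:-}" = "--demo" ]; then
  w=$(build_sample_webapps)
  audit_webapps "$w" myapp && echo "clean" || echo "FAILED: default apps present"
  rm -rf "$w"
fi
```

Wire the call into the image build pipeline (for example `docker run --rm image sh -c '...; audit_webapps /usr/local/tomcat/webapps myapp'`) so a base-image update that reintroduces `manager` or `examples` fails the build rather than reaching production.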

@macropin

Related #14

@wglambert added the label "question" (Usability question, not directly related to an error with the image) and removed the label "Issue" on Apr 24, 2018
@wglambert

The official images are kept as close to upstream as possible; users should be familiar with maintainership of the software, just as would be required outside of a container environment.

Closing to redirect to the request over at #14
