On an AWS EC2 instance, I noticed two processes named hfxpo and zgalps which were high CPU utilisation. They were running under the user ID tomcat (apache tomcat is running on the server).
What are these processes hfxpo and zgalps? I can't find anything online about these.
I also could not find and files on my filesystem matching hfxpo and zgalps - so does anyone have any idea what these are?
I restarted tomcat and these processes have not reappeared (so I can't get any info out of /proc).
I do not know if it is related, but I have noticed an unauthorised pair of JSP files in a directory dr - these seem to have come from a dr.war which was not present (one of the jsp's removes it). One of the files attempts to curl scripts from an IP address in Germany but it does contain some messages in Chinese (which sadly I seem to have deleted apart from one in a function that translates to "start download"). Basically the script does some copies of a file "tomcat.jsp" into ROOT, manager and docs (i.e. within CATALINA_HOME/webapps). Then prints a success/fail message to the browser.
What I've done so far is to remove the docs and manager webapps (to different paths so they have non standard URLs).
Any thoughts?
[link] [comments]
from hacking: security in practice https://ift.tt/ypXbfo6
Comments
Post a Comment