0

I was hoping someone could point me in the right direction.

I have a server which is hosting a client's website and they run a vulnerability scan every so often to see everything's in working order. Recently there's been a problem: 'Apache Tomcat directory listing and file disclosure problem' - Severity 5! - and the solution was to upgrade Tomcat to a newer version.

Strange thing was Tomcat wasn't even installed on the server. Port 8080 has been blocked so I'm not sure what's going on. I installed tomcat6, but the scan problem is still showing.

I'm new to this, so hopefully that made sense. Cheers

williamsowen
  • 1,167
  • 3
  • 16
  • 25
  • So a scan says that Tomcat is vulnerable to something on a server where Tomcat is not installed... That alone should tell you how useless this "vulnerability" scan is. – Sebastiano Pilla Jul 04 '11 at 20:17
  • tomcat may have been installed in an embedded mode by some other server software (e.g. alfresco) – sayeed Jul 05 '11 at 11:28

3 Answers

0

I think you need to provide additional details like OS, web server software being used and what applications are running on this server for someone to have a stab at the answer.

sayeed
  • 394
  • 3
  • 8
0

Step 0:

Uninstall that tomcat6 package you installed.

Step 1:

Verify tomcat is running somewhere by running a port scan on your server.

nmap -sV servername

Step 2:

Now that you have the port, use lsof -i :portnumber to find out which nefarious process is giving you grief.

Step 3:

Use the PID from lsof to find the exe and how it was run:

readlink /proc/PIDNUMBER/exe
cat /proc/PIDNUMBER/cmdline

Step 3.5:

Depending upon OS, check to see which package your exe belongs to. On apt-based (Debian/Ubuntu), that'd be

dpkg-query -S `readlink /proc/PIDNUMBER/exe`

On Gentoo, use

equery belongs `readlink /proc/PIDNUMBER/exe`

And on rpm-based (Fedora/RHEL/SuSE/whatever)

rpm -qf `readlink /proc/PIDNUMBER/exe`

And if it isn't an OS package and you installed it yourself, hopefully you already know what it is.

Step 4:

Now, armed with the might of cold hard fact, upgrade that package to within an inch of its life! If the scan found a major vulnerability you missed due to a lax security upgrade procedure, fix your update procedure.

And if any of these steps have failed, talk to the (isScannerOpenSource ? community on IRC : support hotline). See if logs can tell you where the scanner went wrong. And possibly get rid of it and try a new one.

Michael Lowman
  • 3,604
  • 20
  • 36
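As an added example (not from the answer above or its author), here is the port-to-PID-to-executable-to-package walk of steps 1 to 3.5 as one POSIX shell script. It assumes a Linux host with /proc and lsof installed, and that it runs as root where the listening process belongs to another user (readlink on /proc/PID/exe is otherwise refused); the lsof output sample embedded in it is constructed for a dry run.

```shell
#!/bin/sh
# Added example: find what is really listening on a port, then which
# package owns it. Assumes Linux (/proc) and lsof; run as root for
# processes owned by other users.

# Constructed sample of `lsof -i :8080` output for a dry run (not real scan data).
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4242 alf   45u  IPv6  12345      0t0  TCP *:http-alt (LISTEN)'

# Pull unique PIDs (column 2) out of lsof's tabular output, skipping the header.
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Live lookup: PIDs of processes listening on the given TCP port.
# -t prints bare PIDs, -nP avoids name lookups, -sTCP:LISTEN keeps listeners only.
listening_pids() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN -t 2>/dev/null | sort -u
}

# Resolve the executable behind a PID (empty if unreadable, e.g. not root).
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# /proc/PID/cmdline is NUL-separated; show it as one space-separated line.
cmdline_of_pid() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# Ask whichever package manager is present who owns a path (same commands
# the answer lists for Debian/Ubuntu, rpm-based distros and Gentoo).
package_query() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -S "$1"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1"
    elif command -v equery >/dev/null 2>&1; then
        equery belongs "$1"
    else
        echo "no package manager found; $1 was probably installed by hand"
    fi
}

# Tie it together for one port: print pid, exe, command line and package.
describe_port() {
    port=$1
    pids=$(listening_pids "$port")
    if [ -z "$pids" ]; then
        echo "nothing listening on TCP/$port"
        return 1
    fi
    for pid in $pids; do
        exe=$(exe_of_pid "$pid")
        echo "port $port -> pid $pid"
        echo "  exe:     ${exe:-unreadable (run as root?)}"
        echo "  cmdline: $(cmdline_of_pid "$pid")"
        [ -n "$exe" ] && echo "  package: $(package_query "$exe")"
    done
}

# Usage: describe_port 8080
```

If the scanner names a port, start there; if it does not, feed the full `lsof -nP -iTCP -sTCP:LISTEN` output through pids_from_lsof and describe each PID. An empty exe with a non-empty cmdline almost always means the lookup ran without root, not that the process is hiding.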
0

Get a copy of the scan report with full details. Some scanners "detect" the presence of an application based on the presence of certain files in available directories. If Tomcat was ever installed on this server, there might be traces left behind that are triggering the scanner.

While the answers above provide very good ideas on finding the errant installation, or proving it isn't installed, the report itself may get you closer to a good starting point to use their suggestions.