Hi,
At approximately 0530Z on Saturday 28th September an alert was
received regarding anomalous bandwidth usage. On further
investigation a customer's VPS was found emitting around
80-100Mbit/s of small UDP packets destined for port 80 of three
different remote hosts.
There being no likely legitimate reason for this activity, the
customer's networking was disabled and they were contacted.
The customer discovered that their (not updated) install of Tomcat
was running an instance of JSPSpy¹ that they had not put there
themselves, so a root-level compromise was indicated.
Unfortunately the exact means of initial compromise is not known
for certain but is thought to be Tomcat. A reinstall of the
customer's VPS is now required.
The three target IPs have no reverse DNS so it is difficult to
speculate what they may host. Two of them are in China and one in
Korea, if WHOIS records are to be trusted.
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
Cheers,
Andy
¹ http://www.malos-ojos.com/?p=672
--
http://bitfolk.com/ -- No-nonsense VPS hosting
I'd be interested to hear any (even two word)
reviews of their sofas…
Provides seating.
— Andy Davidson
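The traffic pattern Andy describes (a sustained high outbound rate made up of small UDP packets, all aimed at port 80 on a handful of remote hosts) is a simple thing to pick out of per-source flow summaries. The following is an added example written for this posting, not BitFolk's monitoring code: it takes constructed flow records for a 60-second window and flags sources that match that shape, while leaving alone a DNS-heavy host (small packets, low rate) and a bulk UDP transfer (high rate, large packets). The addresses, the record format and the thresholds (50 Mbit/s, 128-byte mean packet size, at most 5 destinations) are assumptions chosen for the example, not figures from the incident.

```python
"""Flag sources whose outbound UDP traffic looks like a small-packet flood.

Flow records here are constructed sample data in a simplified shape
(source, destination, protocol, destination port, packet and byte counts),
all taken from the same fixed sampling window.  Real exports (NetFlow, sFlow,
per-VPS counters) would need to be mapped onto this shape first.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60  # length of the sampling window all records belong to

# Assumed thresholds for this example, not figures from the posting.
MIN_MBIT_PER_S = 50.0     # sustained outbound rate worth a closer look
MAX_MEAN_PKT_BYTES = 128  # "small UDP packets"
MAX_DISTINCT_DSTS = 5     # traffic concentrated on a few remote hosts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    packets: int
    byte_count: int


def analyse(flows, window_seconds=WINDOW_SECONDS):
    """Return a list of (src, mbit/s, mean packet bytes, dsts, dports)
    for every source whose UDP traffic matches the flood profile."""
    per_src = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "dsts": set(), "dports": set()})
    for f in flows:
        if f.proto != "udp":
            continue  # only UDP is of interest for this profile
        s = per_src[f.src]
        s["bytes"] += f.byte_count
        s["packets"] += f.packets
        s["dsts"].add(f.dst)
        s["dports"].add(f.dport)

    findings = []
    for src, s in per_src.items():
        mbit_per_s = s["bytes"] * 8 / window_seconds / 1_000_000
        mean_pkt = s["bytes"] / s["packets"] if s["packets"] else 0.0
        if (mbit_per_s >= MIN_MBIT_PER_S
                and mean_pkt <= MAX_MEAN_PKT_BYTES
                and len(s["dsts"]) <= MAX_DISTINCT_DSTS):
            findings.append((src, round(mbit_per_s, 1), round(mean_pkt, 1),
                             sorted(s["dsts"]), sorted(s["dports"])))
    return findings


# Constructed sample window (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    # Compromised guest: ~90 Mbit/s of 80-byte UDP packets to port 80 on 3 hosts.
    Flow("203.0.113.10", "198.51.100.1", "udp", 80, 2_812_500, 225_000_000),
    Flow("203.0.113.10", "198.51.100.2", "udp", 80, 2_812_500, 225_000_000),
    Flow("203.0.113.10", "192.0.2.7", "udp", 80, 2_812_500, 225_000_000),
    # Ordinary guest doing DNS: small packets but a negligible rate.
    Flow("203.0.113.20", "192.0.2.53", "udp", 53, 2_000, 140_000),
    # Bulk UDP transfer: high rate, but full-size packets to a single host.
    Flow("203.0.113.30", "198.51.100.9", "udp", 4444, 535_000, 749_000_000),
    # TCP traffic is ignored by the profile regardless of volume.
    Flow("203.0.113.30", "198.51.100.9", "tcp", 443, 600_000, 800_000_000),
]

if __name__ == "__main__":
    for src, rate, mean_pkt, dsts, dports in analyse(SAMPLE_FLOWS):
        print(f"{src}: {rate} Mbit/s, mean {mean_pkt} B/pkt, "
              f"dsts={dsts}, dports={dports}")
```

The three conditions are deliberately combined: rate alone catches legitimate bulk transfers, and small packets alone catch DNS and similar chatter, but a high rate of tiny UDP packets aimed at a few hosts has little legitimate explanation, which is the same reasoning that justified cutting the guest's networking in the posting.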