tomcat-users mailing list archives

From DIGLLOYD INC <digllo...@diglloyd.com>
Subject Re: hackers sending long URLs to probe site?
Date Thu, 24 Apr 2008 17:35:53 GMT
Christopher,

Thank you.  This is helpful.  Sorry about the "hijacked thread", I  
didn't think of that.

Yes, I've double-checked that my site isn't generating the bad links.  
It's all static HTML and I've searched for any duplications, "../../"  
type things, etc. I don't currently generate any URLs, and the sheer  
length of the duplication rules out any basic mistakes in static html.

I have directory indexes turned off, confirmed by seeing 404 codes on  
certain directories in which I don't have index files (intentionally).

Lloyd


On Apr 24, 2008, at 10:12 AM, Christopher Schultz wrote:

> Lloyd,
>
> For future reference, please don't "hijack" a thread. You replied to
> another message on the list to ask this one. In the future, please
> create a brand new message.
>
> DIGLLOYD INC wrote:
> | But I see tons of 404 errors, with someone/thing from 62.42.21.210
> | (ono.com) doing:
> |
> | http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
> |
> | http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
>
>
> Are you sure this isn't a problem with your own site accidentally
> generating URLs that are double- or triple-length? You should record the
> "referer" (sic) header to see where the links are coming from. If
> they're coming from your site, you might want to check your own software.
>
> | I also see illegal requests like this from several sites:
> |
> | /diglloyd/blog-images/?S=A
>
> That looks like a URL generated by Apache httpd's "index" feature. I've
> never used Tomcat's DefaultServlet to serve directory indexes (so I'm
> not sure if it uses the same URL syntax for file sorting, etc.), but is
> it possible that you are serving directory indexes from Tomcat? If so,
> then this looks like a legitimate request.
>
> | Is there a weakness in Tomcat being probed here?
>
> Perhaps. But I don't believe there are any known weaknesses around this
> part of the code. I wouldn't worry about it.
>
> | What is the best way to block such things?
>
> You could write a filter that checks for certain URL patterns and
> replies with a 403 (Forbidden) response code.
>
> | Ignore them since they just return 404 error anyway?
>
> That's what I would do.
>
> | Write a filter to insert a long delay for blatantly wrong requests?
>
> Definitely don't do that -- you'd be creating a DOS vector. :(
>
> | I'm not sure if that ono.com represents a single user or an entire ISP,
> | so I'm loath to block it entirely.
>
> Lessee...
>
> $ nslookup 62.42.21.210
> Server:         192.168.1.40
> Address:        192.168.1.40#53
>
> Non-authoritative answer:
> 210.21.42.62.in-addr.arpa       name = 62.42.21.210.dyn.user.ono.com.
>
> Authoritative answers can be found from:
> 21.42.62.in-addr.arpa   nameserver = dns03.ono.com.
> 21.42.62.in-addr.arpa   nameserver = dns01.ono.com.
> 21.42.62.in-addr.arpa   nameserver = dns02.ono.com.
>
> Looks like an ISP. You are probably being visited (or scanned?) by
> someone within their network. They probably own a whole class B network
> or more, so you would go crazy blocking IPs individually.
>
> I would just ignore them unless they start to be a significant portion
> of your traffic.
>
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
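
The filter approach suggested in the quoted reply, sketched as an added example (not code from either poster or from Tomcat itself): it answers 403 when a run of two or three path segments is immediately repeated, as in the URLs reported above, and logs the Referer header so the source of the links can be traced. The class name `RepeatedPathFilter` and the repeat rule are assumptions; it uses the `javax.servlet` API that Tomcat 6 provides and adds no delay.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; register it in web.xml with <filter> and <filter-mapping>.
public class RepeatedPathFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void destroy() { }

    // True when a run of 2 or 3 path segments is immediately repeated, e.g.
    // /diglloyd/free/diglloyd/free/Eagles/Eagles.html (assumed rule, tune per site).
    static boolean hasRepeatedRun(String path) {
        String[] seg = path.replaceAll("^/+", "").split("/+");
        for (int len = 2; len <= 3; len++) {
            for (int i = 0; i + 2 * len <= seg.length; i++) {
                boolean same = true;
                for (int k = 0; k < len && same; k++) {
                    same = seg[i + k].equals(seg[i + len + k]);
                }
                if (same) return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI();
        if (hasRepeatedRun(uri)) {
            // Record where the link came from, then refuse immediately (no sleep).
            config.getServletContext().log("repeated-path request " + uri
                    + " from " + request.getRemoteAddr()
                    + " referer=" + request.getHeader("Referer"));
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```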




