tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: tomcat pausing and process killed
Date Wed, 09 May 2012 15:00:47 GMT
Hi.

Miguel Gonzalez wrote:
> Dear all,
> 
>   I have tomcat 5.5.27 and jdk 1.5.0_17

That's all quite old,and you should probably upgrade.

> 
>   As someone suggested to the list I enabled HeapDumpOnOutOfMemoryError. I have javamelody
running to monitor tomcat. The only thing that I see is that memory use increases just before
the system crashed.
> 
> 
>   The system has crashed only showing this in the catalina.log:
> 
>   May 8, 2012 12:03:48 PM org.apache.tomcat.util.http.Parameters processParameters
> WARNING: Parameters: Character decoding failed. Parameter skipped.
> java.io.CharConversionException: isHexDigit
...

> 
> 
> Many entries like: May 8, 2012 12:03:48 PM org.apache.tomcat.util.http.Parameters processParameters
> WARNING: Parameters: Invalid chunk ignored.

Ther above seems to indicate that your server receives requests with URLs that are not 
properly URL-encoded.  In a URL, roughly-speaking, any character (in fact, any byte) that

is not a printable US-ASCII character must be encoded as a "%xy" hex sequence, where "xy"

is the hexadecimal value of the character.
The4 above error seems to indicate that you are receiving request URLs which contain 
sequences like "%xy" where "xy" are not valid hexadecimal digits.
In consequence, the URL-decoding part of Tomcat cannot decode these URLs properly, and 
complains.

> 
> until I get :
> 
> May 8, 2012 1:50:41 PM org.apache.coyote.http11.Http11BaseProtocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-80
> May 8, 2012 1:50:41 PM org.apache.coyote.http11.Http11BaseProtocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-443
> 
...

Now this seems to be a normal Tomcat shutdown, following a received shutdown command.
But it could be the result of running out of memory for example.

I do not know if the two are related or not.  But in my suspicious mind, I would try to 
examine which request URLs are the badly-encoded ones, and try to find out where these 
requests come from.  That is because they could very well be attempts to break your server

(if it is connected to the Internet e.g.).  And maybe your unexplained shutdowns are due 
to a succesful break-in, or a succesful DOS attack ?

> 
> 
> Not sure if the  isHexDigit exception is causing this. but it happens 2 hours before
the system breaks.
> 

Maybe an attacker is trying a series of URLs in a row, and finally they manage one that 
finds a weakness in your very very old Tomcat.

> I really don't know what to enable to get to know what is causing Tomcat to crash
> 
Enabling the AccessLog Valve may enable you to see the bad request URLs.
If they do not show up in the Access log (unlikely, since Tomcat apparently continues to 
run), you may want to set up an Apache httpd front-end to your Tomcat, and log the 
accesses there.


Searching Google for "tomcat isHexDigit attack" provides some links you might want to look
at.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message