tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 17:01:13 GMT


On 4/10/13 7:32 AM, Howard W. Smith, Jr. wrote:
> Every now and then, I like to review localhost_access_log files,
> just to see who might be trying to access my web app, running on
> TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw
> the following in the log:
> - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
> This is an unfamiliar ip address to me, and I have already prepared
> the app/tomcat for these type of attacks. How? by removing any/all
> tomee/tomcat (manager/web) apps. I did that some time ago, when I
> first migrated from glassfish to tomee/tomcat, and that was the
> best/easiest way I knew how to prevent these type of attacks.
> Can someone please give/share some background on this type of
> attack?

As others have mentioned, I wouldn't give this too much thought:
someone is scanning you for vulnerabilities. I'll bet if you log the
full headers of those requests, you'll see something like
"admin/admin" or "scott/tiger" in the WWW-Authenticate headers. Just
someone knocking on your door to see if the latch works. You can
mostly ignore them.

On the other hand, I wonder why you are seeing these requests in your
Tomcat logs, since you:

> I mentioned earlier that I removed the manager apps. The server is
> behind a firewall router, port 8080 is port-forwarded from the
> router to the server, the web app has login page (and login
> servlet/filter in place), but SSL is not configured just yet. That
> is definitely on my to-do list to complete, ASAP, as the CEO has
> given me the go-ahead.

Are you not filtering by URL anywhere? I guess it's uncommon to do
content-filtering at the firewall level (unless you are talking about
porno filters or whatever) but there are ways to block these requests
before they even get to your web server.

If you don't expect anyone in Asia to be legitimately accessing your
site, you could do something drastic like close your site to some CIDR
pattern that blocks all that stuff.

Most of the traffic we get from China is of the type you describe:
requests for /manager/html or various commonly poorly-configured PHP
or IIS apps, etc. None of them make any difference to us because they
will all fail. On the other hand, we actually have some customers in
China and blocking them is neither acceptable nor necessary. It's just
log noise.

- -chris
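As an added example (not part of Chris's reply or of the Tomcat project), here is a Python script that does the two things the reply suggests: it reads access-log lines, picks out requests for paths that were never deployed, and decodes the credentials scanners send along; and it checks what a candidate CIDR block list would stop, and which hosts with successful requests it would also lock out, which is the collateral damage the reply warns about. The log lines are constructed for the example. The trailing quoted field assumes the AccessLogValve pattern was extended with `%{Authorization}i` so the client's Authorization request header, where Basic-auth credentials travel, is written to the log. The probe path list, the IP addresses and the block ranges are all hypothetical.

```python
import base64
import binascii
import ipaddress
import re
from collections import Counter

# Constructed sample of Tomcat AccessLogValve output.  The default "common"
# pattern is %h %l %u %t "%r" %s %b; here one extra quoted field is appended,
# assumed to come from adding %{Authorization}i to the pattern so the client's
# Authorization request header is logged.  IPs (RFC 5737 documentation
# ranges), timestamps and credentials are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 - "-"
203.0.113.7 - - [09/Apr/2013:19:26:59 -0400] "GET /manager/html HTTP/1.1" 404 - "Basic YWRtaW46YWRtaW4="
203.0.113.7 - - [09/Apr/2013:19:27:00 -0400] "GET /manager/html HTTP/1.1" 404 - "Basic dG9tY2F0OnRvbWNhdA=="
203.0.113.7 - - [09/Apr/2013:19:27:05 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 - "-"
198.51.100.22 - - [09/Apr/2013:19:30:12 -0400] "GET /myapp/login HTTP/1.1" 200 4123 "-"
192.0.2.44 - - [09/Apr/2013:20:01:33 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 - "-"
203.0.113.7 - - [09/Apr/2013:20:02:00 -0400] "GET /manager/html HTTP/1.1" 404 - "Basic notbase64!!"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<auth>[^"]*)")?$'
)

# Paths that only vulnerability scanners ask for on a host that never deployed
# them.  Prefix match, case-insensitive.  Hypothetical list; extend it from
# what your own logs show.
PROBE_PREFIXES = ("/manager/", "/host-manager/", "/phpmyadmin", "/w00tw00t")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD target HTTP/x.y"; tolerate a missing version or a bare "-".
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] or None
    rec["path"] = parts[1] if len(parts) > 1 else None
    rec["status"] = int(rec["status"])
    return rec


def decode_basic(auth):
    """Return (user, password) from a 'Basic <b64>' header value, else None."""
    if not auth or not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credential blob: still a probe, just unreadable
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_probe(rec):
    """A probe is a request for a path we never deployed; the status does not matter."""
    path = (rec.get("path") or "").lower()
    return any(path.startswith(p) for p in PROBE_PREFIXES)


def analyze(log_text, candidate_blocks=()):
    """Summarise scanner traffic and test a candidate CIDR block list against it.

    candidate_blocks: CIDR strings you are considering firewalling.  The report
    lists which probing hosts they cover and which hosts with successful (2xx)
    requests they would also shut out.
    """
    nets = [ipaddress.ip_network(c) for c in candidate_blocks]
    probes_per_ip = Counter()
    creds = []
    legit_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec):
            probes_per_ip[rec["host"]] += 1
            c = decode_basic(rec["auth"])
            if c:
                creds.append(c)
        elif 200 <= rec["status"] < 300:
            legit_ips.add(rec["host"])

    def covered(host):
        try:  # %h may be a hostname if the valve resolves names; never matches a CIDR
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False
        return any(addr in n for n in nets)

    return {
        "probes_per_ip": probes_per_ip,
        "credentials_tried": creds,
        "blocked_scanners": sorted(ip for ip in probes_per_ip if covered(ip)),
        "blocked_legit": sorted(ip for ip in legit_ips if covered(ip)),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, candidate_blocks=["203.0.113.0/24", "198.51.100.0/24"])
    for ip, n in report["probes_per_ip"].most_common():
        print(f"{ip}: {n} probe(s)")
    for user, pw in report["credentials_tried"]:
        print(f"scanner tried {user}:{pw}")
    print("block list would stop:", report["blocked_scanners"])
    print("block list would also lock out:", report["blocked_legit"])
```

Run it against a real localhost_access_log by replacing SAMPLE_LOG with the file contents; the "blocked_legit" list is the check to look at before adding a /24 or larger range to the router, since a range that catches one scanner can just as easily catch a customer.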


