tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 17:01:13 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Howard,

On 4/10/13 7:32 AM, Howard W. Smith, Jr. wrote:
> Every now and then, I like to review localhost_access_log files,
> just to see who might be trying to access my web app, running on
> TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw
> the following in the log:
> 
> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html 
> HTTP/1.0" 404 -
> 
> This is an unfamiliar ip address to me, and I have already prepared
> the app/tomcat for these type of attacks. How? by removing any/all
> tomee/tomcat (manager/web) apps. I did that some time ago, when I
> first migrated from glassfish to tomee/tomcat, and that was the
> best/easiest way I knew how to prevent these type of attacks.
> 
> Can someone please give/share some background on this type of
> attack?

As others have mentioned, I wouldn't give this too much thought:
someone is scanning you for vulnerabilities. I'll bet if you log the
full headers of those requests, you'll see something like
"admin/admin" or "scott/tiger" in the WWW-Authenticate headers. Just
someone knocking on your door to see if the latch works. Can you
mostly ignore them.

On the other hand, I wonder why you are seeing these requests in your
Tomcat logs, since you:

> I mentioned earlier that I removed the manager apps. The server is
> behind a firewall router, port 8080 is port-forwarded from the
> router to the server, the web app has login page (and login
> servlet/filter in place), but SSL is not configured just yet. That
> is definitely on my to-do list to complete, ASAP, as the CEO has
> given me the go-ahead.

Are you not filtering by URL anywhere? I guess it's uncommon to do
content-filtering at the firewall level (unless you are talking about
porno filters or whatever) but there are ways to block these requests
before they even get to your web server.

If you don't expect anyone in Asia to be legitimately accessing your
site, you could do something drastic like close your site to some CIDR
pattern that blocks all that stuff.

Most of the traffic we get from China is of the type you describe:
requests for /manager/html or various commonly poorly-configured PHP
or IIS apps, etc. None of them make any difference to us because they
will all fail. On the other hand, we actually have some customers in
China and blocking them is neither acceptable nor necessary. It's just
log noise.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRZZrYAAoJEBzwKT+lPKRYpS8P/AlNfy7I60ixXNleF3IJGD62
Ey/jRyfOgPnEfS4J/rt8007qhpxTXeuXqmY20nrWr+dIsQVsllXTrhasKqsQR6Ba
CAlSkTUHRFMFjHnFmH/uzGCS/LB0iFqdxWf/2HrGJevinPt10J1O5j1TsmmIIqiK
d6wNpbAh0+jNgTsgKduEvJxNo+7QDWs3qJuAdUFDBeQCGIofpSvfzj68W1mY2kvS
iuZ24MWW+wuU3DgNjAWmnctcC8CDnXHB9YwNoQM5jKzaldelukQ3CFzBCEDa7utp
jVYFAGI16OOjwqV/fbzTcVAqWp4AOjcFhv2u9vAPkJXSZujkbD/9x+5mNwqts6LX
5MoqlFnAatGgOEKKQMa5IWhXlo+kGjR+kIbdPeklTnDSRUpKplpo/NSVLv3TvezZ
t+lz1Ya07/03mMTbiepHTR3PjeXXQP1VNSjdVyyNLirgdmW7pfcXq+uTzw/dJHyQ
WzWtbKz2U1B3kySWx8mNaK5i2T2hr8oN8yCtfoGMlGKJujvUjU9vgVRjRZR4cfCk
BRKhZsJ3nENoixg8FPZNA6jXMI6j8YW/8ZEJYVLe9gL0gHHriZu1xAOYNXNcmpsI
00OffGtR7Cao0Q7kwgVnfPxdUJ/I7PUsJWgFBEzxZ+dUOZUqYI6sik+MsHVlhVoh
gC43QxSpD7NMnqhdC7bU
=WYC0
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message