tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Mon, 22 Apr 2013 22:44:33 GMT
Christopher Schultz wrote:
> 
> Chris,
> 
> On 4/20/13 6:08 PM, chris derham wrote:
>> I think that you have articulated your suggestion very well. I
>> think you have weighed the pros well and been open to debate.
>> Personally I just don't think what you propose will have the effect
>> that you desire.
> 
> I agree. Most of these scanners only scan a few URLs every few seconds
> in order to avoid being branded as vulnerability-scanners, so adding a
> delay to them won't really change anything.
> 
Chris,
with respect, I believe that you are mistaken.  My own server logs, over a quite long 
period of time, show that the majority of these scans happen according to a rather 
systematic pattern like the one I posted earlier in this thread, with a relevant portion 
re-posted below.

That is:
- one origin IP per scan
- approximately 3-4 requests per second
- 10 to 30 URLs per "session"

The particular scan shown below started at 00:52:32 and ended at 00:52:49, after scanning
36 different URLs.  In elapsed time, including the pauses that it undeniably makes, that
is 17 seconds.  The server in question normally responds to such requests in less than 10
ms.  Excluding the pauses, then, it took this bot 36 x 10 ms = 0.36 s "real time" to scan
the 36 URLs (excluding network latency, which is probably about 50 ms per URL).
If the server added an average 1 s pause to each 404 response, it would have taken the bot
36 seconds "real time" to make the same scan.  That is 100 times more.

Now, no matter how smart the bot is in doing this kind of scan, if the 404's are delayed,
the fact of the matter is that it will always cost the bot these extra 36 seconds to
finish the same job.

For example, the probability is high that the bot pauses between URLs, so that, as you say,
it will not be locked out or detected by some kinds of tools.
If it is smart, it could use the pauses between scans on this server, to scan several 
other ones at the same time, in an interleaved fashion, so that on none of the scanned 
servers it will be issuing more than 3-4 requests per second, but in total it will be 
issuing many more.
Well, no matter how you put this, if some relatively small proportion of these servers 
delay their 404 responses, the bot will still experience a dramatic slowdown in scanning 
any given number of URLs on any given number of servers.

Unless the bot is really smart enough to detect in advance that this server is going to
artificially slow down its 404 responses, and in consequence avoids scanning it, I do not
see how it could possibly avoid this slowdown, if scanning URLs is what it does.
So, there are 2 possibilities:
- if the bot is not so smart and scans nevertheless, then within any given period of time,
it will be able to scan only a small fraction of the URLs that it was planning to scan. In
which case the WWW at large benefits.
- if the bot is so smart and avoids scanning my server, then the WWW at large does not
benefit, but my server does.

Please, prove to me that I am wrong. It would at least save me the energy to continue 
trying to convince people to try this out.

Access log sample:

209.212.145.91 - - [03/Apr/2013:00:52:32 +0200] "GET /muieblackcat HTTP/1.1" 404 362 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/index.php HTTP/1.1" 404 365 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/pma/index.php HTTP/1.1" 404 369 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //db/index.php HTTP/1.1" 404 362 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //dbadmin/index.php HTTP/1.1" 404 367 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //myadmin/index.php HTTP/1.1" 404 367 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //mysql/index.php HTTP/1.1" 404 365 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //mysqladmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //typo3/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //phpadmin/index.php HTTP/1.1" 404 368 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpmyadmin1/index.php HTTP/1.1" 404 371 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //phpmyadmin2/index.php HTTP/1.1" 404 371 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //pma/index.php HTTP/1.1" 404 363 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //web/phpMyAdmin/index.php HTTP/1.1" 404 374 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //xampp/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //websql/index.php HTTP/1.1" 404 366 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:49 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:49 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 376 "-" "-"

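The message asks readers to "try this out". One way to do so in Tomcat itself is a servlet filter that sleeps before returning a 404, which is what the following added example shows. It is not code from the message or from the Tomcat project; the class name and the init-parameter names (delayMillis, maxConcurrentDelays) are assumptions. It relies on HttpServletResponse.getStatus(), which exists from Servlet 3.0 (Tomcat 7) onwards.

```java
import java.io.IOException;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Holds back 404 responses for a fixed delay, as proposed in the thread.
 * Needs Servlet 3.0 (Tomcat 7 or later) for HttpServletResponse.getStatus().
 */
public class Delayed404Filter implements Filter {

    private long delayMillis = 1000;   // init-param "delayMillis" (assumed name); default 1 s as in the message
    private Semaphore sleepers;        // bounds how many request threads may be sleeping at the same time

    @Override
    public void init(FilterConfig config) {
        String delay = config.getInitParameter("delayMillis");
        if (delay != null) {
            delayMillis = Long.parseLong(delay);
        }
        String max = config.getInitParameter("maxConcurrentDelays");   // assumed name; default 20
        sleepers = new Semaphore(max != null ? Integer.parseInt(max) : 20);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);      // let the rest of the chain settle the status first
        if (!(res instanceof HttpServletResponse)) {
            return;
        }
        HttpServletResponse resp = (HttpServletResponse) res;
        // Only 404s, and only while the body has not gone out yet: Tomcat renders the error page
        // after the filter chain returns, so sleeping here holds back the whole 404 response.
        if (resp.getStatus() != HttpServletResponse.SC_NOT_FOUND || resp.isCommitted()) {
            return;
        }
        // Each delayed 404 ties up a connector thread for delayMillis. A client that opens many
        // concurrent requests for missing URLs could otherwise drain the thread pool, so once the
        // cap is reached the 404 is sent without the delay instead of queueing more sleepers.
        if (!sleepers.tryAcquire()) {
            return;
        }
        try {
            TimeUnit.MILLISECONDS.sleep(delayMillis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } finally {
            sleepers.release();
        }
    }

    @Override
    public void destroy() {
    }
}
```

Register it in the ROOT web application's WEB-INF/web.xml with a filter-mapping on the url-pattern /* : the URLs in the sample (//phpmyadmin/index.php and the like) reach the ROOT context only because no such context is deployed, so a filter in any other webapp would never see them. The semaphore cap is the part a practitioner should not leave out; without it the tar-pit is itself a cheap way for an attacker to pin every request thread of the connector for the length of the delay.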