tomcat-users mailing list archives

From Daniel Mikusa <dmik...@vmware.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 12:48:14 GMT
On Apr 10, 2013, at 8:17 AM, Howard W. Smith, Jr. wrote:

> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
> 
>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>> 
>>> a few minutes ago, I saw the following in the log:
>> 
>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>> 
>>> This is an unfamiliar ip address to me
>> 
>>> Can someone please give/share some background on this type of attack?
>> 
>> Another one from China.  GIYF.
>> 
>> 
>> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly
>> 
>> - Chuck
>> 
>> 
> Thanks Chuck.
> 
> I kinda thought that was the reason for the attack, especially when I went
> to https://ipdb.at/, and did a lookup of the IP address. Also, I just used
> TextPad (text editor) to do a couple of multiple file searches to see how
> often these types of attacks have been occurring in the past.

This looks like a bot or automated script, checking to see if the Manager app
is available. If it found the app, you'd probably see it try some exploit.
Since you've removed it, there shouldn't be anything to worry about.

Dan

> 
> I mentioned earlier that I removed the manager apps. The server is behind a
> firewall router, port 8080 is port-forwarded from the router to the server,
> the web app has a login page (and login servlet/filter in place), but SSL is
> not configured just yet. That is definitely on my to-do list to complete,
> ASAP, as the CEO has given me the go-ahead.
> 
> Is it (very) possible that any of these hackers are sniffing-or-snooping
> any of the web app's HTTP requests/responses?
> 
> Honestly, based on the list of access log search results below (all are
> unfamiliar/unwanted ip addresses), it doesn't seem as though my
> server/tomcat/webapp is all that 'popular', but I am waiting to be
> corrected. :)
> 
> 
> Searching for: HEAD /manager/html
> Found 29 occurrence(s) in 23 file(s)
> 
> Searching for: HEAD /
> Found 11 occurrence(s) in 11 file(s)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
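
The manual log search described in this thread, and the check behind the reply (a 404 on `/manager/html` means there was no Manager app for the scanner to find), as a small script. This is an added example, not code from the thread or from Tomcat; it assumes the default `common` access-log pattern, and the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]+)?" '
    r'(?P<status>\d{3}) \S+$'
)
ADMIN_PREFIXES = ("/manager", "/host-manager")  # stock Tomcat admin webapps

def is_admin_path(path):
    """True for /manager and /manager/..., not for look-alikes such as /managers."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)

def triage(lines):
    """Count admin-path probes per client and list the ones that were answered."""
    probes, answered, unparsed = Counter(), [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1      # report lines the pattern missed, never hide them
            continue
        if not is_admin_path(m["path"]):
            continue
        probes[m["host"]] += 1
        status = int(m["status"])
        if status != 404:      # 404 = nothing deployed at that path
            answered.append((m["host"], m["ts"], m["path"], status))
    return {"probes": probes, "answered": answered, "unparsed": unparsed}

# First line is the entry quoted in the thread; the rest are constructed
# (documentation-range addresses) to exercise the other branches.
SAMPLE_LOG = """\
113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.7 - - [09/Apr/2013:19:30:01 -0400] "GET /manager/html HTTP/1.1" 401 2474
203.0.113.7 - - [09/Apr/2013:19:30:02 -0400] "GET /manager/status?XML=true HTTP/1.1" 404 -
198.51.100.4 - - [09/Apr/2013:19:31:10 -0400] "GET /managers/list HTTP/1.1" 200 512
198.51.100.4 - - [09/Apr/2013:19:31:11 -0400] "HEAD / HTTP/1.0" 404 -
garbage line
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("probes per client:", dict(report["probes"]))
    print("answered (review these):", report["answered"])
    print("unparsed lines:", report["unparsed"])
```

An empty `answered` list is the situation in the thread: probes arrive, but nothing is deployed at the admin paths. Any entry there (401, 403, 200, a redirect) means something responded at that path and is worth checking against what is actually deployed.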

