tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 14:24:51 GMT
On Wed, Apr 10, 2013 at 9:44 AM, David kerber <dckerber@verizon.net> wrote:

> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>
>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
>> Chuck.Caldarale@unisys.com>  wrote:
>>
>>  From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com**]
>>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
>>>>
>>> HTTP/1.0" 404
>>>
>>>  a few minutes ago, I saw the following in the log:
>>>>
>>>
>>>  113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
>>>>
>>> HTTP/1.0" 404 -
>>>
>>>  This is an unfamiliar ip address to me
>>>>
>>>
>>>  Can someone please give/share some background on this type of attack?
>>>>
>>>
>>> Another one from China.  GIYF.
>>>
>>>
>>> http://www.economist.com/news/**leaders/21572200-if-china-**
>>> wants-respect-abroad-it-must-**rein-its-hackers-getting-ugly<http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly>
>>>
>>>   - Chuck
>>>
>>>
>>>  Thanks Chuck.
>>
>> I kinda thought that was the reason for the attack, especially, when I
>> went
>> to https://ipdb.at/, and did a lookup of the IP address. Also, I just
>> used
>> TextPad (text editor) to do a couple of multiple file searches to see how
>> often these type of attacks have been occurring in the past.
>>
>> I mentioned earlier that I removed the manager apps. The server is behind
>> a
>> firewall router, port 8080 is port-forwarded from the router to the
>> server,
>> the web app has login page (and login servlet/filter in place), but SSL is
>> not configured just yet. That is definitely on my to-do list to complete,
>> ASAP, as the CEO has given me the go-ahead.
>>
>> Is it (very) possible that any of these hackers are sniffing-or-snooping
>> any of the web app's HTTP requests/responses?
>>
>
> Very unlikely.  Sniffing/snooping requires that they have some kind of
> visibility into the link between the client and the server, so they'd
> either have to have a piece of malware installed in one of the ISPs between
> your client and your server (extremely difficult), or in your network or
> server, or the client's machines or network (not as difficult, but probably
> still unlikely).  And if they had that, why would they call attention to
> themselves by letting their bot do automated searching for a manager app?
>
>
Wow, good (and funny) question, David, and thanks for the info/response!

I have actually seen some malware installed on the Windows Server 2003 R2,
that I was using to host the web-app months ago; IIRC, the malware recorded
keystrokes; i think I caught that in the C:\Temp folder or something like
that, and I think I deleted the file(s) related to that on that server; i
think i scanned the list of processes as well via Task manager, and
searched the internet for processes that were listed in task manager, to
see if any of the processes were malware.

Also, the CEO of my organization is somewhat concerned about some of the
personnel that may access that Windows Server 2003 R2, because he feels
that they browse the internet often and may have been infected on their
computers and/or mobile devices. :)

The servers have been accessed, by trusted-and-a-very-limited-number-of
personnel, via Remote Desktop, in the past, but that server is rarely
accessed anymore. I am the only one that access the new Windows Server 2008
R2 64bit server (opened a 'different' port in router, which is forwarded to
remote desktop port of the server), and I have did some checking around on
the server for malware (possibly installed) and netstat, to ensure myself
and personnel are the only people connecting to the server. The tomcat
localhost access log files are now the only resource I check to see if
anyone is trying to hack the server/tomcat/web-app.



>
>
>
>> Honestly, based on the list of access log search results below (all are
>> unfamiliar/unwanted ip addresses), it doesn't seem as though my
>> server/tomcat/webapp is all that 'popular', but I am waiting to be
>> corrected. :)
>>
>>
>> Searching for: HEAD /manager/html
>> 151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0"
>> 404 -
>> 184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0"
>> 404 -
>> 72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0"
>> 404 -
>> 177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html
>> HTTP/1.0"
>> 404 -
>> 82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0"
>> 404 -
>> 141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>> Found 29 occurrence(s) in 23 file(s)
>>
>> Searching for: HEAD /
>> 62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
>> 68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
>> 75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
>> 198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
>> 188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
>> 50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
>> 137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
>> 200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
>> 128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
>> 200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
>> 84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
>> Found 11 occurrence(s) in 11 file(s)
>>
>>
>>
>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>>> MATERIAL and is thus for use only by the intended recipient. If you
>>> received this in error, please contact the sender and delete the e-mail
>>> and
>>> its attachments from all computers.
>>>
>>>
>>> ------------------------------**------------------------------**
>>> ---------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<users-unsubscribe@tomcat.apache.org>
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<users-unsubscribe@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message