tomcat-users mailing list archives

From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 14:58:24 GMT
On Wed, Apr 10, 2013 at 10:35 AM, David kerber <dckerber@verizon.net> wrote:

> On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
>
>> On Wed, Apr 10, 2013 at 9:44 AM, David kerber<dckerber@verizon.net> wrote:
>>
>>> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>>>
>>>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<Chuck.Caldarale@unisys.com> wrote:
>>>>
>>>>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>>>>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>>>>>
>>>>>> a few minutes ago, I saw the following in the log:
>>>>>>
>>>>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>>>>
>>>>>> This is an unfamiliar IP address to me
>>>>>>
>>>>>> Can someone please give/share some background on this type of attack?
>>>>>
>>>>> Another one from China.  GIYF.
>>>>>
>>>>> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly
>>>>>
>>>>>  - Chuck
>>>>
>>>> Thanks Chuck.
>>>>
>>>>
>>>> I kinda thought that was the reason for the attack, especially, when I
>>>> went to https://ipdb.at/, and did a lookup of the IP address. Also, I just
>>>> used TextPad (text editor) to do a couple of multiple file searches to see
>>>> how often these types of attacks have been occurring in the past.
>>>>
>>>> I mentioned earlier that I removed the manager apps. The server is behind
>>>> a firewall router, port 8080 is port-forwarded from the router to the
>>>> server, the web app has a login page (and login servlet/filter in place),
>>>> but SSL is not configured just yet. That is definitely on my to-do list to
>>>> complete, ASAP, as the CEO has given me the go-ahead.
>>>>
>>>> Is it (very) possible that any of these hackers are sniffing-or-snooping
>>>> any of the web app's HTTP requests/responses?
>>>>
>>>>
>>>>
>>> Very unlikely.  Sniffing/snooping requires that they have some kind of
>>> visibility into the link between the client and the server, so they'd
>>> either have to have a piece of malware installed in one of the ISPs
>>> between your client and your server (extremely difficult), or in your
>>> network or server, or the client's machines or network (not as difficult,
>>> but probably still unlikely).  And if they had that, why would they call
>>> attention to themselves by letting their bot do automated searching for a
>>> manager app?
>>>
>>
>> Wow, good (and funny) question, David, and thanks for the info/response!
>>
>> I have actually seen some malware installed on the Windows Server 2003 R2
>> that I was using to host the web-app months ago; IIRC, the malware recorded
>> keystrokes; I think I caught that in the C:\Temp folder or something like
>> that, and I think I deleted the file(s) related to that on that server; I
>> think I scanned the list of processes as well via Task Manager, and
>> searched the internet for processes that were listed in Task Manager, to
>> see if any of the processes were malware.
>>
>> Also, the CEO of my organization is somewhat concerned about some of the
>> personnel that may access that Windows Server 2003 R2, because he feels
>> that they browse the internet often and may have been infected on their
>> computers and/or mobile devices. :)
>>
>
> That's my biggest concern about my network security too.  I'm under no
> illusions about my network not being hackable from outside by a determined
> attacker, but that's not as big of a concern to me as my users getting
> infected from their internet browsing habits and that infection spreading
> to my servers.  I do have one advantage in that my users are few in number
> and are quite sharp, so it's easy to do training and to explain to them
> what kinds of behaviors are risky.  I have already convinced them to only
> use IE as a last resort if none of the standard browsers work for what
> they're doing.
>
>
Interesting. Training (via email) is what I revert to as well, as I have a
small number of end users accessing the app, and I need to take it a step
further, and warn them about risky (browsing) behavior. We already have our
email discussions about Google/Android products/releases/software-updates,
and I have asked them all to use Google Chrome when accessing the app (even
Google Chrome for iPad).  :)

>
>> The servers have been accessed, by trusted-and-a-very-limited-number-of
>> personnel, via Remote Desktop, in the past, but that server is rarely
>> accessed anymore. I am the only one that accesses the new Windows Server
>> 2008 R2 64bit server (opened a 'different' port in the router, which is
>> forwarded to the remote desktop port of the server), and I have done some
>> checking around on the server for malware (possibly installed) and
>> netstat, to ensure myself and personnel are the only people connecting to
>> the server. The tomcat localhost access log files are now the only
>> resource I check to see if anyone is trying to hack the
>> server/tomcat/web-app.
>>
>>>> Honestly, based on the list of access log search results below (all are
>>>> unfamiliar/unwanted IP addresses), it doesn't seem as though my
>>>> server/tomcat/webapp is all that 'popular', but I am waiting to be
>>>> corrected. :)
>>>>
>>>> Searching for: HEAD /manager/html
>>>> 151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> Found 29 occurrence(s) in 23 file(s)
>>>>
>>>> Searching for: HEAD /
>>>> 62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
>>>> Found 11 occurrence(s) in 11 file(s)
>>>>
>>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
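The multi-file text search the thread describes (looking for "HEAD /manager/html" across the localhost access logs) done as a small script, as an added example that is not part of the original thread and not Tomcat's own tooling. It parses lines in the shape of Tomcat's AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b, the same shape as the lines quoted above), picks out requests aimed at the /manager and /host-manager contexts, counts them per source address, lists addresses that come back on more than one day, and, the check worth having, reports any such probe that did not get a 404: a 401, 403 or 200 on /manager/html would mean a manager application is actually deployed and answering on the forwarded connector. The sample log lines are constructed for the example (documentation-range addresses, not the ones in the thread), and the list of probed context roots is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# (the same shape as the lines quoted in the thread).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Context roots a scanner goes after on a Tomcat host. Assumption for this
# example; add whatever else your own logs show being probed.
PROBE_ROOTS = ("/manager", "/host-manager")

# Constructed sample log (documentation-range addresses, not the thread's).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
198.51.100.7 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.5 - - [03/Mar/2013:12:08:10 -0500] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.44 - - [09/Apr/2013:19:26:58 -0400] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.44 - - [09/Apr/2013:19:27:02 -0400] "GET /host-manager/html HTTP/1.1" 401 2473
this line is not an access log record
""".splitlines()


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # e.g. HEAD /manager/html HTTP/1.0
    rec["method"] = parts[0]
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_probe(rec):
    """True if the request targets the manager or host-manager context."""
    return any(rec["path"] == root or rec["path"].startswith(root + "/")
               for root in PROBE_ROOTS)


def analyze(lines):
    """Return (probe count per source IP, IPs seen on more than one day,
    probe records whose status was not 404)."""
    per_ip = Counter()
    days = defaultdict(set)
    not_404 = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        per_ip[rec["host"]] += 1
        days[rec["host"]].add(rec["time"].date())
        # A 404 means the probe hit nothing. Anything else (401, 403, 200)
        # means a manager app is deployed and answering on this connector.
        if rec["status"] != 404:
            not_404.append(rec)
    repeat = sorted(ip for ip, d in days.items() if len(d) > 1)
    return per_ip, repeat, not_404


if __name__ == "__main__":
    per_ip, repeat, not_404 = analyze(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} probe(s)")
    print("seen on more than one day:", repeat)
    for rec in not_404:
        print("manager answered:", rec["host"], rec["method"],
              rec["path"], rec["status"])
```

Point it at the real files by replacing SAMPLE_LOG with the lines of each localhost_access_log.*.txt; the per-IP count and the repeat-visitor list reproduce what the TextPad searches showed, and an empty not_404 list is the confirmation that removing the manager apps actually took effect on the connector exposed through the router.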
