tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Esmond Pitt" <esmond.p...@bigpond.com>
Subject RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 00:21:28 GMT
We had lots of these and finally an attack last year on a Tomcat where the
manager password somehow hadn't been changed. The attacker installed a viral
servlet application that killed the server completely, we had to rebuild it.

We:

- Hid the Tomcat behind an Apache HTTPD on port 80.
- Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and
just used AJP connectors running on 127.0.0.1/2/3/4/..., all on the same
port for simplicity, so there is no zero direct access to Tomcat from the
outside
- Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
that in turn is configured via the Password Policy overlay for finite (5 I
think) password retries before locking out the account
- required a very restricted LDAP group membership for access to /manager
(and the other Tomcat builtins).

No recurrence, not even an attempt. I think actually closing port 8080 may
have played the biggest part in all this.

EJP

-----Original Message-----
From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
Sent: Wednesday, 10 April 2013 10:18 PM
To: Tomcat Users List
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404

On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> > Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
> HTTP/1.0" 404
>
> > a few minutes ago, I saw the following in the log:
>
> > 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
>
> > This is an unfamiliar ip address to me
>
> > Can someone please give/share some background on this type of attack?
>
> Another one from China.  GIYF.
>
>
> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-
> abroad-it-must-rein-its-hackers-getting-ugly
>
>  - Chuck
>
>
Thanks Chuck.

I kinda thought that was the reason for the attack, especially, when I went
to https://ipdb.at/, and did a lookup of the IP address. Also, I just used
TextPad (text editor) to do a couple of multiple file searches to see how
often these type of attacks have been occurring in the past.

I mentioned earlier that I removed the manager apps. The server is behind a
firewall router, port 8080 is port-forwarded from the router to the server,
the web app has login page (and login servlet/filter in place), but SSL is
not configured just yet. That is definitely on my to-do list to complete,
ASAP, as the CEO has given me the go-ahead.

Is it (very) possible that any of these hackers are sniffing-or-snooping any
of the web app's HTTP requests/responses?

Honestly, based on the list of access log search results below (all are
unfamiliar/unwanted ip addresses), it doesn't seem as though my
server/tomcat/webapp is all that 'popular', but I am waiting to be
corrected. :)


Searching for: HEAD /manager/html
151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0"
404 -
54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0"
404 -
184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html HTTP/1.0"
404 -
148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0"
404 -
72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html HTTP/1.0"
404 -
176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html HTTP/1.0"
404 -
65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html HTTP/1.0"
404 - 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html HTTP/1.0"
404 -
31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html HTTP/1.0"
404 -
190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0"
404 -
177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html HTTP/1.0"
404 -
50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html HTTP/1.0"
404 -
117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html HTTP/1.0"
404 -
122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html HTTP/1.0"
404 -
82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html HTTP/1.0"
404 - 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html
HTTP/1.0" 404 - 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD
/manager/html HTTP/1.0"
404 -
141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html HTTP/1.0"
404 -
74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html HTTP/1.0"
404 - 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
HTTP/1.0" 404 - Found 29 occurrence(s) in 23 file(s)

Searching for: HEAD /
62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 - Found
11 occurrence(s) in 11 file(s)



>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY MATERIAL and is thus for use only by the intended 
> recipient. If you received this in error, please contact the sender 
> and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message