Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: domain of dckerber@verizon.net
 designates 206.46.173.11 as permitted sender)
Message-id: <51656CCD.7010003@verizon.net>
Date: Wed, 10 Apr 2013 09:44:45 -0400
From: David kerber <dckerber@verizon.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428
 Thunderbird/12.0.1
MIME-version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat access log reveals hack attempt:
 "HEAD /manager/html HTTP/1.0" 404
References: 
 <CAGV1rDL1c5xPvK5Ysevr1ZB4mn0F3qv_DYfrkS3MDF=jhj+gXQ@mail.gmail.com>
 <99C8B2929B39C24493377AC7A121E21FC4A7CE620C@USEA-EXCH8.na.uis.unisys.com>
 <CAGV1rD+ufB6dvprgKwk7=-6yObG1FmUscoGJUkv=muLkh3nqbA@mail.gmail.com>
In-reply-to: 
 <CAGV1rD+ufB6dvprgKwk7=-6yObG1FmUscoGJUkv=muLkh3nqbA@mail.gmail.com>
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7bit

On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
> Chuck.Caldarale@unisys.com>  wrote:
>
>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
>> HTTP/1.0" 404
>>
>>> a few minutes ago, I saw the following in the log:
>>
>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
>> HTTP/1.0" 404 -
>>
>>> This is an unfamiliar ip address to me
>>
>>> Can someone please give/share some background on this type of attack?
>>
>> Another one from China.  GIYF.
>>
>>
>> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly
>>
>>   - Chuck
>>
>>
> Thanks Chuck.
>
> I kinda thought that was the reason for the attack, especially, when I went
> to https://ipdb.at/, and did a lookup of the IP address. Also, I just used
> TextPad (text editor) to do a couple of multiple file searches to see how
> often these type of attacks have been occurring in the past.
>
> I mentioned earlier that I removed the manager apps. The server is behind a
> firewall router, port 8080 is port-forwarded from the router to the server,
> the web app has login page (and login servlet/filter in place), but SSL is
> not configured just yet. That is definitely on my to-do list to complete,
> ASAP, as the CEO has given me the go-ahead.
>
> Is it (very) possible that any of these hackers are sniffing-or-snooping
> any of the web app's HTTP requests/responses?

Very unlikely.  Sniffing/snooping requires that they have some kind of 
visibility into the link between the client and the server, so they'd 
either have to have a piece of malware installed in one of the ISPs 
between your client and your server (extremely difficult), or in your 
network or server, or the client's machines or network (not as 
difficult, but probably still unlikely).  And if they had that, why 
would they call attention to themselves by letting their bot do 
automated searching for a manager app?


>
> Honestly, based on the list of access log search results below (all are
> unfamiliar/unwanted ip addresses), it doesn't seem as though my
> server/tomcat/webapp is all that 'popular', but I am waiting to be
> corrected. :)
>
>
> Searching for: HEAD /manager/html
> 151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html HTTP/1.0"
> 404 -
> 82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html
> HTTP/1.0" 404 -
> 184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> 70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0"
> 404 -
> 141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> 74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
> HTTP/1.0" 404 -
> Found 29 occurrence(s) in 23 file(s)
>
> Searching for: HEAD /
> 62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
> 68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
> 75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
> 198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
> 188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
> 50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
> 137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
> 200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
> 128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
> 200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
> 84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
> Found 11 occurrence(s) in 11 file(s)
>
>
>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail and
>> its attachments from all computers.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org