Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (nike.apache.org: domain of dckerber@verizon.net designates
 206.46.173.13 as permitted sender)
Message-id: <516578A6.7000104@verizon.net>
Date: Wed, 10 Apr 2013 10:35:18 -0400
From: David kerber <dckerber@verizon.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428
 Thunderbird/12.0.1
MIME-version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat access log reveals hack attempt:
 "HEAD /manager/html HTTP/1.0" 404
References: 
 <CAGV1rDL1c5xPvK5Ysevr1ZB4mn0F3qv_DYfrkS3MDF=jhj+gXQ@mail.gmail.com>
 <99C8B2929B39C24493377AC7A121E21FC4A7CE620C@USEA-EXCH8.na.uis.unisys.com>
 <CAGV1rD+ufB6dvprgKwk7=-6yObG1FmUscoGJUkv=muLkh3nqbA@mail.gmail.com>
 <51656CCD.7010003@verizon.net>
 <CAGV1rDJqu8KPPD3puFHhfz9Egwb=QEvXq-fyFAvvi1=HeKkvZA@mail.gmail.com>
In-reply-to: 
 <CAGV1rDJqu8KPPD3puFHhfz9Egwb=QEvXq-fyFAvvi1=HeKkvZA@mail.gmail.com>
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7bit

On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
> On Wed, Apr 10, 2013 at 9:44 AM, David kerber<dckerber@verizon.net>  wrote:
>
>> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>>
>>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
>>> Chuck.Caldarale@unisys.com>   wrote:
>>>
>>>   From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com**]
>>>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
>>>>>
>>>> HTTP/1.0" 404
>>>>
>>>>   a few minutes ago, I saw the following in the log:
>>>>>
>>>>
>>>>   113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
>>>>>
>>>> HTTP/1.0" 404 -
>>>>
>>>>   This is an unfamiliar ip address to me
>>>>>
>>>>
>>>>   Can someone please give/share some background on this type of attack?
>>>>>
>>>>
>>>> Another one from China.  GIYF.
>>>>
>>>>
>>>> http://www.economist.com/news/**leaders/21572200-if-china-**
>>>> wants-respect-abroad-it-must-**rein-its-hackers-getting-ugly<http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly>
>>>>
>>>>    - Chuck
>>>>
>>>>
>>>>   Thanks Chuck.
>>>
>>> I kinda thought that was the reason for the attack, especially, when I
>>> went
>>> to https://ipdb.at/, and did a lookup of the IP address. Also, I just
>>> used
>>> TextPad (text editor) to do a couple of multiple file searches to see how
>>> often these type of attacks have been occurring in the past.
>>>
>>> I mentioned earlier that I removed the manager apps. The server is behind
>>> a
>>> firewall router, port 8080 is port-forwarded from the router to the
>>> server,
>>> the web app has login page (and login servlet/filter in place), but SSL is
>>> not configured just yet. That is definitely on my to-do list to complete,
>>> ASAP, as the CEO has given me the go-ahead.
>>>
>>> Is it (very) possible that any of these hackers are sniffing-or-snooping
>>> any of the web app's HTTP requests/responses?
>>>
>>
>> Very unlikely.  Sniffing/snooping requires that they have some kind of
>> visibility into the link between the client and the server, so they'd
>> either have to have a piece of malware installed in one of the ISPs between
>> your client and your server (extremely difficult), or in your network or
>> server, or the client's machines or network (not as difficult, but probably
>> still unlikely).  And if they had that, why would they call attention to
>> themselves by letting their bot do automated searching for a manager app?
>>
>>
> Wow, good (and funny) question, David, and thanks for the info/response!
>
> I have actually seen some malware installed on the Windows Server 2003 R2,
> that I was using to host the web-app months ago; IIRC, the malware recorded
> keystrokes; i think I caught that in the C:\Temp folder or something like
> that, and I think I deleted the file(s) related to that on that server; i
> think i scanned the list of processes as well via Task manager, and
> searched the internet for processes that were listed in task manager, to
> see if any of the processes were malware.
>
> Also, the CEO of my organization is somewhat concerned about some of the
> personnel that may access that Windows Server 2003 R2, because he feels
> that they browse the internet often and may have been infected on their
> computers and/or mobile devices. :)

That's my biggest concern about my network security too.  I'm under no 
illusions about my network not being hackable from outside by a 
determined attacker, but that's not as big of a concern to me as my 
users getting infected from their internet browsing habits and that 
infection spreading to my servers.  I do have one advantage in that my 
users are few in number and are quite sharp, so it's easy to do training 
and to explain to them what kinds of behaviors are risky.  I have 
already convinced them to only use IE as a last resort if none of the 
standard browsers work for what they're doing.


>
> The servers have been accessed, by trusted-and-a-very-limited-number-of
> personnel, via Remote Desktop, in the past, but that server is rarely
> accessed anymore. I am the only one that access the new Windows Server 2008
> R2 64bit server (opened a 'different' port in router, which is forwarded to
> remote desktop port of the server), and I have did some checking around on
> the server for malware (possibly installed) and netstat, to ensure myself
> and personnel are the only people connecting to the server. The tomcat
> localhost access log files are now the only resource I check to see if
> anyone is trying to hack the server/tomcat/web-app.
>
>
>
>>
>>
>>
>>> Honestly, based on the list of access log search results below (all are
>>> unfamiliar/unwanted ip addresses), it doesn't seem as though my
>>> server/tomcat/webapp is all that 'popular', but I am waiting to be
>>> corrected. :)
>>>
>>>
>>> Searching for: HEAD /manager/html
>>> 151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0"
>>> 404 -
>>> 184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0"
>>> 404 -
>>> 72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0"
>>> 404 -
>>> 177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html
>>> HTTP/1.0"
>>> 404 -
>>> 82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0"
>>> 404 -
>>> 141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
>>> HTTP/1.0" 404 -
>>> Found 29 occurrence(s) in 23 file(s)
>>>
>>> Searching for: HEAD /
>>> 62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
>>> 68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
>>> 75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
>>> 198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
>>> 188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
>>> 50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
>>> 137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
>>> 200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
>>> 128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
>>> 200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
>>> 84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
>>> Found 11 occurrence(s) in 11 file(s)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org