From: Mark Eggers
Date: Mon, 15 Apr 2013 10:39:24 -0700
To: users@tomcat.apache.org (Tomcat Users List)
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Message-ID: <516C3B4C.5000608@yahoo.com>
In-Reply-To: <516C359F.4030506@ice-sa.com>
On 4/15/2013 10:15 AM, André Warnier wrote:
> Neven Cvetkovic wrote:
>> How about creating a fake manager application :)))
>>
>> That takes X minutes/seconds to get back a 404 ;)))
>>
>
> Just for the sake of the discussion :
> - a fake manager application would apply to just the /manager webapp,
> not to other potential hacking targets, no ? (or you would have to "map"
> it to any potential hacking URL, which may be inconvenient). Also,
> you'd have to duplicate this webapp in any configured .
> - the fact that it is a genuine webapp would mean that during the delay
> before the 404 response, at least one tomcat thread remains blocked
> executing that application, for each such request. I was thinking more
> in the direction of off-loading such 404 responses to some specialised
> lightweight thread, using as little resources as possible. It wouldn't
> really matter if there is a queue of such responses waiting to happen,
> as they just delay the eventual response to the (miscreant) client(s).
>
> More ideas ?
>
> P.S. I'd love to see this as a standard Tomcat feature, because it would
> mean that within a certain time period, thousands and thousands of
> Tomcat servers on the Internet would become annoying for these hacking
> programs. If it was a webapp that everyone has to deploy on individual
> tomcat servers optionally, it would be much less effective, I think.
>
> Of course at the moment I am just fishing here for potential negative
> side-effects.
>
> Provided the idea makes sense however, I believe that I would also post
> it on the Apache httpd list. If it was adopted there also somehow, that
> could have quite a global impact.
>
> One potential negative side-effect that I can see, is on one of my own
> programs (or similar ones) : for some customers, I created a "URL
> checker" program, which goes through their databases looking for
> third-party links, and gives them a list of the ones that are not
> working (so that they can correct their data). Of course if all
> webservers on the web implemented my idea, then it would take much
> longer for this genuine utility program to run, because it would
> experience an extra delay for each incorrect URL (in case the host is
> correct, but the URL on that server is not).
> I'm also quite sure that Google won't really like the idea..

Google "mod_security honeypot" for ideas similar to this. Couple that with a mod_security exec to add IP addresses to firewalls or iptables, and I think you have a real chance at being annoying to many script-driven attacks.

The cracking / botnet tools used today are really quite sophisticated. Here's an article touching the edge of what's going on:

http://arstechnica.com/security/2013/04/a-beginners-guide-to-building-botnets-with-little-assembly-required/

Fun and games. . . . . just my two cents.

/mde/
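The "add the probing IP addresses to iptables" step above, done from the Tomcat access log itself rather than through mod_security, as an added example that is not part of the thread or of Tomcat. It parses AccessLogValve lines in the common pattern (%h %l %u %t "%r" %s %b), counts 404s against a small list of paths that scanners probe (the list is an assumption for the example; only /manager/html comes from the thread), and emits iptables commands for hosts that cross a threshold without executing them. The log lines are constructed sample input, not from the original post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# The request line may lack the protocol (HTTP/0.9 style), so it is optional.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+)'
)

# Assumed probe list for this example: paths that no outside client requests
# legitimately on a server that does not deploy them. /manager/html is the one
# from the thread; extend to match your own deployment.
PROBE_PATHS = ("/manager/html", "/manager/text", "/host-manager/html",
               "/phpmyadmin/", "/pma/")

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2013:10:39:24 -0700] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.5 - - [15/Apr/2013:10:39:25 -0700] "GET /manager/html HTTP/1.0" 404 -
198.51.100.7 - - [15/Apr/2013:10:40:01 -0700] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [15/Apr/2013:10:40:02 -0700] "GET /manager/html HTTP/1.1" 404 -
192.0.2.9 - - [15/Apr/2013:10:41:10 -0700] "GET /phpMyAdmin/ HTTP/1.1" 404 -
192.0.2.9 - - [15/Apr/2013:10:41:11 -0700] "GET /pma/ HTTP/1.1" 404 -
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec):
    """A probe is a 404 against one of the known scanner targets (case-insensitive)."""
    path = rec["path"].lower()
    return rec["status"] == 404 and any(path.startswith(p) for p in PROBE_PATHS)


def find_probers(lines, threshold=2):
    """Count probe hits per client host and return those at or above the threshold.

    The threshold keeps a single mistyped URL from a real user from being blocked;
    the HEAD+GET pair that scanners send reaches it immediately.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def iptables_rules(probers, chain="INPUT", port=8080):
    """Build (but do not run) one DROP rule per prober.

    %h is only an address when the Connector has enableLookups=false (the
    default); a resolved hostname is skipped rather than turned into a rule.
    """
    rules = []
    for host in sorted(probers):
        try:
            ip_address(host)
        except ValueError:
            continue
        rules.append(f"iptables -I {chain} -p tcp --dport {port} -s {host} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(find_probers(SAMPLE_LOG)):
        print(rule)
```

Two caveats before wiring this into anything that actually runs iptables: behind a reverse proxy %h is the proxy's address, so log the client via RemoteIpValve (or %{X-Forwarded-For}i) first or you will block your own front end; and a blocklist fed by unauthenticated request paths can be used to lock out an address the attacker chooses to spoof in the log only if the log is written from untrusted headers, which is another reason to block on the connection address Tomcat saw rather than on a header value.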