We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been changed. The attacker installed a viral servlet application that killed the server completely; we had to rebuild it.
We:

- Hid the Tomcat behind an Apache HTTPD on port 80.
- Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on the same port for simplicity, so there is zero direct access to Tomcat from the outside.
- Configured Apache HTTPD for LDAP authentication via an OpenLDAP server that in turn is configured via the Password Policy overlay for finite (5 I think) password retries before locking out the account.
- Required a very restricted LDAP group membership for access to /manager (and the other Tomcat builtins).

No recurrence, not even an attempt. I think actually closing port 8080 may have played the biggest part in all this.

EJP

-----Original Message-----
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Sent: Wednesday, 10 April 2013 10:18 PM
To: Tomcat Users List
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404

On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:

> > From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> > Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>
> > a few minutes ago, I saw the following in the log:
>
> > 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>
> > This is an unfamiliar ip address to me
>
> > Can someone please give/share some background on this type of attack?
>
> Another one from China. GIYF.
>
> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly
>
> - Chuck

Thanks Chuck. I kinda thought that was the reason for the attack, especially when I went to https://ipdb.at/ and did a lookup of the IP address. Also, I just used TextPad (text editor) to do a couple of multiple file searches to see how often these types of attacks have been occurring in the past. I mentioned earlier that I removed the manager apps.
The server is behind a firewall router, port 8080 is port-forwarded from the router to the server, the web app has a login page (and login servlet/filter in place), but SSL is not configured just yet. That is definitely on my to-do list to complete, ASAP, as the CEO has given me the go-ahead. Is it (very) possible that any of these hackers are sniffing or snooping any of the web app's HTTP requests/responses?

Honestly, based on the list of access log search results below (all are unfamiliar/unwanted ip addresses), it doesn't seem as though my server/tomcat/webapp is all that 'popular', but I am waiting to be corrected. :)

Searching for: HEAD /manager/html
Found 29 occurrence(s) in 23 file(s)

Searching for: HEAD /
Found 11 occurrence(s) in 11 file(s)
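A check for the first two of EJP's steps (no HTTP connectors, AJP bound to loopback only), added here as an example and not taken from the thread or from Tomcat itself; the two server.xml fragments are constructed, and the audit relies only on Tomcat's documented Connector attributes (`protocol`, `port`, `address`).

```python
"""Check a Tomcat server.xml for the two exposure points EJP's post closes:
HTTP connectors (port 8080 and friends) and AJP connectors listening on every
interface. Example code added by the editor, not from the thread or Tomcat;
the two server.xml fragments below are constructed."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml: str) -> list:
    """Return one finding per Connector that does not match the hardened layout
    (AJP only, bound to loopback). An empty list means the file passes."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat defaults to HTTP/1.1 when omitted
        port = conn.get("port", "?")
        addr = conn.get("address")                # None means listen on all interfaces
        if "AJP" not in proto.upper():
            findings.append(f"port {port}: {proto} connector exposes Tomcat directly; "
                            "remove it and front Tomcat with httpd")
        elif addr not in LOOPBACK:
            findings.append(f"port {port}: AJP connector bound to "
                            f"{addr or 'all interfaces'}; bind it to 127.0.0.1")
    return findings

# Constructed: the stock layout Howard describes (8080 forwarded from the router).
EXPOSED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost"/></Service></Server>"""

# Constructed: EJP's layout, AJP on loopback only, no HTTP connector at all.
HARDENED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  <Engine name="Catalina" defaultHost="localhost"/></Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, "->", audit_connectors(xml) or ["ok"])
```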
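The TextPad searches Howard ran, done as a small log triage instead: it groups manager-app requests by source address and reads the status code the way a defender would (404 means nothing is deployed to log in to, 401 means the manager is there and being challenged, 200 means a login worked). Added example, not code from the thread or Tomcat; the log lines and addresses are constructed in the AccessLogValve "common" format the thread shows.

```python
"""Triage Tomcat access-log lines for probes of the manager apps, the search
Howard ran by hand in TextPad. Example code added by the editor, not from the
thread or Tomcat; the log lines and IP addresses below are constructed."""
import re
from collections import Counter, defaultdict

# AccessLogValve "common" pattern: host ident user [time] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

MANAGER_PREFIXES = ("/manager", "/host-manager")

SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.10 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.44 - - [07/Mar/2013:01:34:56 -0500] "HEAD / HTTP/1.0" 404 -
198.51.100.7 - - [09/Apr/2013:19:26:58 -0400] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [09/Apr/2013:19:27:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - tomcat [09/Apr/2013:19:31:40 -0400] "GET /manager/html HTTP/1.1" 200 17310
203.0.113.9 - tomcat [09/Apr/2013:19:32:01 -0400] "POST /manager/html/upload HTTP/1.1" 200 8102
""".splitlines()

def manager_probes(lines):
    """Per source IP, a Counter of HTTP statuses returned for manager-app paths."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(MANAGER_PREFIXES):
            per_ip[m["ip"]][int(m["status"])] += 1
    return dict(per_ip)

def triage(statuses):
    """What the status codes say about the manager app on this host."""
    if statuses[200]:
        return "incident"           # the manager answered: valid credentials were presented
    if statuses[401]:
        return "credentials-tried"  # manager is deployed and issuing auth challenges
    if statuses[403]:
        return "blocked"            # deployed but refused (address filter or missing role)
    return "scan"                   # only 404s: nothing there to log in to, as in the thread

def report(lines):
    """{ip: (request_count, verdict)} for every IP that touched the manager apps."""
    return {ip: (sum(c.values()), triage(c)) for ip, c in manager_probes(lines).items()}

if __name__ == "__main__":
    for ip, (n, verdict) in sorted(report(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:16} {n:3} request(s)  {verdict}")
```

Point it at real files with `report(open(path).readlines())`; the 401 and 200 verdicts are the ones worth alerting on, since a 404-only scanner found nothing to attack.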