Ismael,

On 1/15/19 05:24, Ismael López Quintero wrote:
> Sorry for the late answer but I've been ill.
>
> The system was down on 2018/11/28 at night. It seems that it was a
> Chinese attack (by the logged IPs). Now I will show them...
>
> These lines are from localhost_access_log_2018_11_28.txt
>
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/chatucp/historicchats?idUser=4&idCustomer=1 HTTP/1.1" 200 656
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/usersextcontact?idUser=4&idCustomer=1 HTTP/1.1" 200 477
> 85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - // Last known IP

The above are all from Spain.

> 177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

No, this is Brazil.

> 180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 - // Chinese IP
> 60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

These are from China. A request for "-"? Odd, but it was refused so
that's good, right?

I wouldn't call this an "attack". People from Brazil and China were
making requests to your web server. Presumably, you put it on the
internet so users could make web requests, right?

> In catalina.out for that day, I can find this crash:
>
> 28-Nov-2018 22:45:30.227 INFO [http-nio-80-exec-149] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in method name.
> HTTP method names must be tokens
>     at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:233)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1045)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> It seems that call "-" is not well parsed (obviously).

Right.

> I can't find any info for syslog for that crash in those days.

Nothing crashed.

> Do you have any idea of the problem? It seems that Tomcat can
> crash when no GET, POST, PUT, DELETE... request is done. The "-"
> request seems to take Tomcat down.

ORLY? What evidence do you have of Tomcat being brought down by the
simplest of requests? Your own log file shows that Tomcat served a
request *after* the request for "-", so there is actually evidence
that Tomcat *survived* the "attack".

> I have created a cron recurrent service to check if Tomcat is
> listening in port 443, but I would like to solve this issue.

Something else is definitely going on. Search your system logs for
"oom". Or reboots for that matter.

-chris

> -----Original Message-----
> From: Ismael López Quintero [mailto:ilopezqu...@gmail.com]
> Sent: Wednesday, 12 December 2018 10:32
> To: 'Tomcat Users List' <users@tomcat.apache.org>
> Subject: RE: Tomcat 8.0.46
>
> Great! I will give more info. Please, forgive me for the content
> shape faults. I'm new to this mail list.
>
> I'll write ASAP.
>
> Thank you!
>
> PS: My system is Debian 8.
>
> --
> Signed: Ismael López Quintero.
> Software Engineer.
> E-mail: ilopezqu...@gmail.com.
> Website: http://www.desarrolladorsoftware.com/
> Huelva. Spain.
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 12 December 2018 5:07
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8.0.46
>
> Ismael,
>
> On 12/11/18 08:45, Ismael López Quintero wrote:
>> Hello! Crash: stop working. Process running and listening in net
>> ports 80 and 443 (SSL). After crashing, no process exists.
>
> So... nothing in the Tomcat logs that says the process is going
> down? For example, usually Java OOME will show in catalina.out, but
> the JVM will not actually terminate.
>
> My guess is Linux OOME killer (or similar). Check your syslog for
> "oome" (lowercase) if you are on Linux.
>
> If you are *not* on Linux, that would seem to be very important
> information if you want to get some help.
>
> Your original post was of the form "it didn't work; what went
> wrong?". We need much more information if we are going to be able
> to help you.
>
> -chris
>
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, 11 December 2018 14:05
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat 8.0.46
>
>> On 11/12/2018 12:38, Ismael López Quintero wrote:
>>> Hello!
>>>
>>> My Tomcat installation crashed some days ago. It is deployed
>>> to serve a REST API using Jersey.
>>> Looking at localhost_access_log daily file, just before crashing
>>> it received the next requests…
>>>
>>> X.X.X.X - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - <- This is the last known call before crashing
>>>
>>> X.X.X.X - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
>>>
>>> X.X.X.X - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
>>>
>>> X.X.X.X - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
>>>
>>> Crashed.
>>>
>>> IP addresses are named X.X.X.X to protect callers' privacy, but
>>> it seems that the last three ones are owned by attackers (IPs
>>> are geolocated in China). If you want I can give them (IPs).
>>>
>>> Everything is going ok in Tomcat, but this.
>>>
>>> Have you got any idea?
>
>> Define "crashed".
>
>> Mark
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
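
The check described in the reply above, as an added example that is not part of the original message or of Tomcat: it parses the access-log lines quoted in the thread, tests whether any request was served after the rejected "-" request, and scans syslog text for kernel OOM-killer kills. The syslog lines (host name, PID, sizes) are constructed for illustration and the function names are hypothetical.

```python
import re
from datetime import datetime

# Access-log lines quoted in the thread (Tomcat access log format).
ACCESS_LOG = '''\
85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -
177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
'''

# Constructed syslog lines (not from the thread), kernel OOM-killer style.
SYSLOG = '''\
Nov 28 23:50:02 host CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
Nov 28 23:52:17 host kernel: [91234.310] Out of memory: Kill process 1432 (java) score 871 or sacrifice child
Nov 28 23:52:17 host kernel: [91234.312] Killed process 1432 (java) total-vm:4153264kB, anon-rss:1790020kB, file-rss:0kB
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_access(text):
    """Return one dict per well-formed access-log line, in file order."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ip, ts, req, status, _size = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            out.append({"ip": ip, "time": when, "request": req, "status": int(status)})
    return out

def survived_after_bad_requests(entries):
    """For each rejected "-" request, report whether a later request was served."""
    result = []
    for i, e in enumerate(entries):
        if e["request"] == "-" and e["status"] == 400:
            later_ok = any(200 <= n["status"] < 400 for n in entries[i + 1:])
            result.append((e["ip"], e["time"].strftime("%H:%M:%S"), later_ok))
    return result

def oom_kills(text):
    """Return (pid, process name) for every kernel 'Killed process' line."""
    return [(int(p), n) for p, n in re.findall(r"Killed process (\d+) \(([^)]+)\)", text)]

if __name__ == "__main__":
    print(survived_after_bad_requests(parse_access(ACCESS_LOG)))
    print(oom_kills(SYSLOG))
```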