-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André,
On 4/22/13 6:44 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>
>> Chris,
>>
>> On 4/20/13 6:08 PM, chris derham wrote:
>>> I think that you have articulated your suggestion very w
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Chris,
On 4/20/13 6:08 PM, chris derham wrote:
I think that you have articulated your suggestion very well. I
think you have weighed the pros well and been open to debate.
Personally I just don't think what you propose
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Chris,
On 4/20/13 6:08 PM, chris derham wrote:
> I think that you have articulated your suggestion very well. I
> think you have weighed the pros well and been open to debate.
> Personally I just don't think what you propose will have the effect
> t
Leo Donahue - RDSA IT wrote:
-Original Message-
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
also, if an 'ANN' email was sent, where /expert tomcat/ users can
deri
>-Original Message-
>From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
>HTTP/1.0" 404
>
>
>also, if an 'ANN' email was sent, where /expert tomcat/ users can
>d
chris derham wrote:
But honestly, I am also a bit at a loss now as to how to continue. There is
of course no way for me to prove the validity of the scheme by installing it
on 31 million (20%) of webservers on the Internet and looking at the
resulting bot activity patterns to confirm my suspicio
> But honestly, I am also a bit at a loss now as to how to continue. There is
> of course no way for me to prove the validity of the scheme by installing it
> on 31 million (20%) of webservers on the Internet and looking at the
> resulting bot activity patterns to confirm my suspicions.
Try to en
chris derham wrote:
Let me just summarise my arguments then :
1) These scans are a burden for all webservers, not just for the vulnerable
ones. Whether we want to or not, we currently all have to invest resources
into countering (or simply responding to) these scans. Obviously, just
ignoring th
Esmond Pitt wrote:
The hack attempts that started this thread aren't denial of service attacks
at all.
Who said that they were ?
They are attempted penetration attempts which if successful lead to
installation of a viral servlet.
They were HEAD requests, which just indicate whether this UR
The hack attempts that started this thread aren't denial of service attacks
at all. They are attempted penetration attempts which if successful lead to
installation of a viral servlet. The way I fixed them was to put an Apache
HTTPD in front with a whitelist so that only known management IP address
On Sat, Apr 20, 2013 at 7:22 AM, André Warnier wrote:
>
> 5) if the scheme works, and it does the effect of making this type of
> server-scanning uneconomical, bot developers will look for other ways to
> find vulnerable targets.
>
IMHO, I don't see why bots will get 'turned off' by having to wa
> Let me just summarise my arguments then :
> 1) These scans are a burden for all webservers, not just for the vulnerable
> ones. Whether we want to or not, we currently all have to invest resources
> into countering (or simply responding to) these scans. Obviously, just
> ignoring them doesn't s
On 4/20/2013 7:29 AM, André Warnier wrote:
...
Addendum : actually, as far as 4xx codes go, a bit more discrimination
is needed. A 401 response (Auth required) for example, should not be
slowed down, as it is part of a normal authentication cycle. There may
be others like that.
Well, Java SE
André Warnier wrote:
Mark H. Wood wrote:
On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote:
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: Tomcat access log reveals hack attempt: "HEAD
/manager/html HTTP/1.0" 404
So you are saying i
] Subject: Re: Tomcat access log reveals
hack attempt: "HEAD /manager/html HTTP/1.0" 404
That's the idea. That is one reason why I brought this
discussion here : to check if, if the default factory setting
was for example 1000 ms delay for each 404 answer, could anyone
think of a severe d
Mark H. Wood wrote:
On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote:
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
So you are saying it could be possible
On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote:
> > From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
> > Subject: RE: Tomcat access log reveals hack attempt: "HEAD /manager/html
> > HTTP/1.0" 404
>
> > So you are s
arnier
> >>> [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals
> >>> hack attempt: "HEAD /manager/html HTTP/1.0" 404
> >>>
> >>>
> >>> That's the idea. That is one reason why I brought this
> >>> d
On Thu, Apr 18, 2013 at 12:26 PM, André Warnier wrote:
>
> My contention is that this would be self-defeating for the bots.
>
>
> 91.121.172.164 - - [03/Apr/2013:08:19:50 +0200] "GET /robots.txt HTTP/1.1"
> 404 360 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
>
>
I definitely
chris derham wrote:
Hi.
Long and thoughtful post. Thanks.
just hope it helps move the discussion forward
Say you have a botnet composed of 100 bots, and you want (collectively) to
have them scan 100,000 hosts in total, each one for 30 known "buggy" URLs.
These 30 URLs are unrelated to eachoth
> Hi.
> Long and thoughtful post. Thanks.
just hope it helps move the discussion forward
> Say you have a botnet composed of 100 bots, and you want (collectively) to
> have them scan 100,000 hosts in total, each one for 30 known "buggy" URLs.
> These 30 URLs are unrelated to each other; each one o
On Wed, Apr 17, 2013 at 3:45 PM, Leo Donahue - RDSA IT <
leodona...@mail.maricopa.gov> wrote:
>
> Not knowing anything about the history of the HTTP 404 method, if a server
> does not find a matching request URI, why was it decided that the protocol
> would even respond at all? Seems like the req
On Wed, Apr 17, 2013 at 2:39 PM, André Warnier wrote:
>
> Some other calculations :
> According to the same Netcraft site, of the 600 million websites, 60% are
> "Apache" (I guess that this includes httpd and Tomcat (or else Tomcat is in
> "others").
>
>
This is good to know, and honestly, I'm gl
On Wed, Apr 17, 2013 at 1:59 PM, Leo Donahue - RDSA IT <
leodona...@mail.maricopa.gov> wrote:
> >-Original Message-
> >From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >Subject: Re: Tomcat access log reveals hack attempt: "HEAD /
On Wed, Apr 17, 2013 at 10:45 AM, chris derham wrote:
> The OWASP recommendations for securing tomcat suggest removing all items
> under
> catalina_home/webapps as a first step. Just a thought.
>
> The first step an attacker performs when conducting a focused attack,
> is to map out the server. T
Leo Donahue - RDSA IT wrote:
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
So you are saying it could be possible to know in advance that certain
requests are for repeate
>-Original Message-
>From: André Warnier [mailto:a...@ice-sa.com]
>Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
>HTTP/1.0" 404
>
>>
>> So you are saying it could be possible to know in advance that certain
>requests are f
Konstantin Kolinko wrote:
2013/4/10 Howard W. Smith, Jr. :
Every now and then, I like to review localhost_access_log files, just to
see who might be trying to access my web app, running on TomEE 1.6.0
snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw the following in the
log:
113.11.200.30
Leo Donahue - RDSA IT wrote:
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, April 17, 2013 10:28 AM
To: Tomcat Users List
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
Leo Donahue - RDSA IT wrote:
---
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André,
On 4/17/13 1:27 PM, André Warnier wrote:
Leo Donahue - RDSA IT wrote:
-Original Message- From: André Warnier
[mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals
hack attempt: "HEAD /ma
2013/4/10 Howard W. Smith, Jr. :
> Every now and then, I like to review localhost_access_log files, just to
> see who might be trying to access my web app, running on TomEE 1.6.0
> snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw the following in the
> log:
>
> 113.11.200.30 - - [09/Apr/2013:
chris derham wrote:
Yes. But someone *does* own the botted computers, and their own
operations are slightly affected. I have wondered if there is some
way to make a bot so intrusive that many more owners will ask
themselves, "why is my computer so slow/weird/whatever? I'd better
get it looked
> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Tomcat access log reveals hack attempt: "HEAD /manager/html
> HTTP/1.0" 404
> So you are saying it could be possible to know in advance that certain
> requests are for repeated requests
>-Original Message-
>From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
>HTTP/1.0" 404
>
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Mark,
>
>On 4/17/1
>-Original Message-
>From: André Warnier [mailto:a...@ice-sa.com]
>Sent: Wednesday, April 17, 2013 10:28 AM
>To: Tomcat Users List
>Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
>HTTP/1.0" 404
>
>Leo Donahue - RDSA I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Mark,
On 4/17/13 8:49 AM, Mark H. Wood wrote:
> Yes. But someone *does* own the botted computers, and their own
> operations are slightly affected. I have wondered if there is
> some way to make a bot so intrusive that many more owners will ask
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André,
On 4/17/13 1:27 PM, André Warnier wrote:
> Leo Donahue - RDSA IT wrote:
>>> -Original Message- From: André Warnier
>>> [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals
>>> hack attempt
Leo Donahue - RDSA IT wrote:
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
That's the idea. That is one reason why I brought this discussion here : to
check if,
> Yes. But someone *does* own the botted computers, and their own
> operations are slightly affected. I have wondered if there is some
> way to make a bot so intrusive that many more owners will ask
> themselves, "why is my computer so slow/weird/whatever? I'd better
> get it looked at. Maybe I
>-Original Message-
>From: André Warnier [mailto:a...@ice-sa.com]
>Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
>HTTP/1.0" 404
>
>
>That's the idea. That is one reason why I brought this discussion here : to
>check if,
On Tue, Apr 16, 2013 at 01:57:55PM -0300, chris derham wrote:
> > Or, another way of looking at this would be that for every 40 servers
> > scanned without a 404 delay, the same bot infrastructure within the same
> > time would only be able to scan 1 server if a 1 s 404 delay was implemented
> > by
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
David,
On 4/16/13 2:53 PM, David kerber wrote:
On 4/16/2013 2:26 PM, André Warnier wrote:
...
The trick is to make the vaccine cheap enough and easy enough to
administer, so that there will be a significant enough pr
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André,
On 4/16/13 2:37 PM, André Warnier wrote:
Say that it would be easy to implement this in Tomcat, and that we
do not collectively find good reasons not to do so, and that it
does get implemented.
Then I pledge tha
Pïd stèr wrote:
On 16 Apr 2013, at 19:38, "André Warnier" wrote:
Pïd stèr wrote:
On 16 Apr 2013, at 17:58, chris derham wrote:
Or, another way of looking at this would be that for every 40 servers
scanned without a 404 delay, the same bot infrastructure within the same
time would only be a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
David,
On 4/16/13 2:53 PM, David kerber wrote:
> On 4/16/2013 2:26 PM, André Warnier wrote:
>
> ...
>
>> The trick is to make the vaccine cheap enough and easy enough to
>> administer, so that there will be a significant enough proportion
>> of "
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André,
On 4/16/13 2:37 PM, André Warnier wrote:
> Say that it would be easy to implement this in Tomcat, and that we
> do not collectively find good reasons not to do so, and that it
> does get implemented.
>
> Then I pledge that my next move would
On 4/16/2013 2:26 PM, André Warnier wrote:
...
The trick is to make the vaccine cheap enough and easy enough to
administer, so that there will be a significant enough proportion of
"vaccinated servers" to make the virus statistically ineffective.
Maybe if we find a simple patch to Tomcat to int
On 16 Apr 2013, at 19:38, "André Warnier" wrote:
> Pïd stèr wrote:
>> On 16 Apr 2013, at 17:58, chris derham wrote:
>>
Or, another way of looking at this would be that for every 40 servers
scanned without a 404 delay, the same bot infrastructure within the same
time would only be
Pïd stèr wrote:
On 16 Apr 2013, at 17:58, chris derham wrote:
Or, another way of looking at this would be that for every 40 servers
scanned without a 404 delay, the same bot infrastructure within the same
time would only be able to scan 1 server if a 1 s 404 delay was implemented
by 50% of the
chris derham wrote:
Or, another way of looking at this would be that for every 40 servers
scanned without a 404 delay, the same bot infrastructure within the same
time would only be able to scan 1 server if a 1 s 404 delay was implemented
by 50% of the webservers.
This assumes that the scanning
On 16 Apr 2013, at 17:58, chris derham wrote:
>> Or, another way of looking at this would be that for every 40 servers
>> scanned without a 404 delay, the same bot infrastructure within the same
>> time would only be able to scan 1 server if a 1 s 404 delay was implemented
>> by 50% of the webser
On 4/16/2013 12:57 PM, chris derham wrote:
Or, another way of looking at this would be that for every 40 servers
scanned without a 404 delay, the same bot infrastructure within the same
time would only be able to scan 1 server if a 1 s 404 delay was implemented
by 50% of the webservers.
This as
> Or, another way of looking at this would be that for every 40 servers
> scanned without a 404 delay, the same bot infrastructure within the same
> time would only be able to scan 1 server if a 1 s 404 delay was implemented
> by 50% of the webservers.
This assumes that the scanning software makes
Mark H. Wood wrote:
On Mon, Apr 15, 2013 at 07:15:11PM +0200, André Warnier wrote:
Neven Cvetkovic wrote:
How about creating a fake manager application :)))
That takes X minutes/seconds to get back a 404 ;)))
[snip]
Of course at the moment I am just fishing here for potential negative
side-
On Mon, Apr 15, 2013 at 07:15:11PM +0200, André Warnier wrote:
> Neven Cvetkovic wrote:
> > How about creating a fake manager application :)))
> >
> > That takes X minutes/seconds to get back a 404 ;)))
[snip]
> Of course at the moment I am just fishing here for potential negative
> side-effects.
On 4/15/2013 10:15 AM, André Warnier wrote:
Neven Cvetkovic wrote:
How about creating a fake manager application :)))
That takes X minutes/seconds to get back a 404 ;)))
Just for the sake of the discussion :
- a fake manager application would apply to just the /manager webapp,
not to other p
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Pid,
On 4/15/13 6:19 AM, Pid wrote:
> On 15/04/2013 00:03, Christopher Schultz wrote:
>> Pid,
>>
>> On 4/12/13 1:54 PM, Pïd stèr wrote:
>>> On 11 Apr 2013, at 21:36, Christopher Schultz
>>> wrote:
[...] though I would run Apache httpd and To
Neven Cvetkovic wrote:
How about creating a fake manager application :)))
That takes X minutes/seconds to get back a 404 ;)))
Just for the sake of the discussion :
- a fake manager application would apply to just the /manager webapp, not to other
potential hacking targets, no ? (or you would
How about creating a fake manager application :)))
That takes X minutes/seconds to get back a 404 ;)))
In what I believe to be related enough to the subject of the original post, I would like
to float a proposal, to make life a bit harder for these automated hackers.
By personal observation, I note that many such attempts (the large majority in fact) end
up requesting URLs which do not exist on
point because I don't want other users to
continue believing the fallacy that 'hiding' Tomcat behind Apache HTTPD
alone improves their security.
p
EJP
-Original Message-
From: Pid [mailto:p...@pidster.com]
Sent: Monday, 15 April 2013 8:25 PM
To: Esmond Pitt
Cc: 'T
On 15/04/2013 16:11, Mark Eggers wrote:
> On 4/15/2013 3:19 AM, Pid wrote:
>> On 15/04/2013 00:03, Christopher Schultz wrote:
>>> Pid,
>>>
>>> On 4/12/13 1:54 PM, Pïd stèr wrote:
On 11 Apr 2013, at 21:36, Christopher Schultz
wrote:
> [...] though I would run Apache httpd and Tomcat o
On 4/15/2013 3:19 AM, Pid wrote:
On 15/04/2013 00:03, Christopher Schultz wrote:
Pid,
On 4/12/13 1:54 PM, Pïd stèr wrote:
On 11 Apr 2013, at 21:36, Christopher Schultz
wrote:
[...] though I would run Apache httpd and Tomcat on different
hosts, so localhost-binding is not possible unless you
On Mon, Apr 15, 2013 at 7:49 AM, Pid wrote:
>
> I'm persisting in this point because I don't want other users to
> continue believing the fallacy that 'hiding' Tomcat behind Apache HTTPD
> alone improves their security.
>
>
And your persistence is appreciated, and I definitely appreciate all the
'm persisting in this point because I don't want other users to
continue believing the fallacy that 'hiding' Tomcat behind Apache HTTPD
alone improves their security.
p
> EJP
> -Original Message-
> From: Pid [mailto:p...@pidster.com]
> Sent: Monday, 15 April 2
: 'Tomcat Users List'
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
On 15/04/2013 03:51, Esmond Pitt wrote:
>
>>> I agree with your comment. Adding a second box for Tomcat only means
>>> I also have to configure a f
On 15/04/2013 03:51, Esmond Pitt wrote:
>
>>> I agree with your comment. Adding a second box for Tomcat only means I
>>> also have to configure a firewall between them, whereas using
>>> 127.0.0.x for Tomcat protects it completely.
>
>> No it doesn't!
>> Obfuscation or indirection != security.
On 15/04/2013 00:03, Christopher Schultz wrote:
> Pid,
>
> On 4/12/13 1:54 PM, Pïd stèr wrote:
>> On 11 Apr 2013, at 21:36, Christopher Schultz
>> wrote:
>>> [...] though I would run Apache httpd and Tomcat on different
>>> hosts, so localhost-binding is not possible unless you are doing
>>> som
>> I agree with your comment. Adding a second box for Tomcat only means I
>> also have to configure a firewall between them, whereas using
>> 127.0.0.x for Tomcat protects it completely.
> No it doesn't!
> Obfuscation or indirection != security.
> HTTPD doesn't magically provide you with some e
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Pid,
On 4/12/13 1:54 PM, Pïd stèr wrote:
> On 11 Apr 2013, at 21:36, Christopher Schultz
> wrote:
>> [...] though I would run Apache httpd and Tomcat on different
>> hosts, so localhost-binding is not possible unless you are doing
>> something lik
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Esmond,
On 4/11/13 8:43 PM, Esmond Pitt wrote:
> I referred to the OpenLDAP lockout mechanism, which is not at all
> primitive.
How does OpenLDAP do better than Tomcat? If I make repeated (failed)
login attempts against a single user, can I cause
On Apr 13, 2013 3:55 PM, "Mark Eggers" wrote:
>
> On 4/10/2013 5:47 PM, Howard W. Smith, Jr. wrote:
>>
>> Some legit 404s definitely show up for every enduser that access the
webapp
>> via mobile device, because PrimeFaces has 2 files that no longer exist in
>> the JAR file, and I just reported th
On 4/10/2013 5:47 PM, Howard W. Smith, Jr. wrote:
Some legit 404s definitely show up for every enduser that access the webapp
via mobile device, because PrimeFaces has 2 files that no longer exist in
the JAR file, and I just reported this in their Issue Tracker.
127.0.0.1 - - [10/Apr/2013:20:00:
ecurity.
HTTPD doesn't magically provide you with some extra security capability.
p
>
> -Original Message-
> From: Pïd stèr [mailto:p...@pidster.com]
> Sent: Saturday, 13 April 2013 3:54 AM
> To: Tomcat Users List
> Subject: Re: Tomcat access log reveals hack attempt
On 11 Apr 2013, at 21:36, Christopher Schultz
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Esmond,
>
> On 4/10/13 8:21 PM, Esmond Pitt wrote:
>> We had lots of these and finally an attack last year on a Tomcat
>> where the manager password somehow hadn't been changed.
>
> Note t
> You would have had to intentionally enable the "default" password.
I had clearly done that.
> The attacker installed a viral servlet application that killed the
> server completely, we had to rebuild it.
I -- like most people I would guess -- don't run under a SecurityManager,
but doing so c
2013/4/12 Christopher Schultz :
>
>> The attacker installed a viral servlet application that killed the
>> server completely, we had to rebuild it.
>
> I -- like most people I would guess -- don't run under a
> SecurityManager, but doing so can significantly limit the damage that
> a rogue webapp c
> >> [mailto:smithh032...@gmail.com] Sent: Wednesday, April 10, 2013
> >> 7:35 PM To: Esmond Pitt Cc: Tomcat Users List Subject: Re: Tomcat
> >> access log reveals hack attempt: "HEAD /manager/html HTTP/1.0"
> >> 404
> >>
> >> On Wed
On Thu, Apr 11, 2013 at 9:47 AM, Jeffrey Janner wrote:
> > -Original Message-
> > From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> > Sent: Wednesday, April 10, 2013 7:35 PM
> > To: Esmond Pitt
> > Cc: Tomcat Users List
> > Subject: Re: To
ubject: Re: Tomcat
>> access log reveals hack attempt: "HEAD /manager/html HTTP/1.0"
>> 404
>>
>> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt
>> wrote:
>>
>>> We had lots of these and finally an attack last year on a
>>> Tomcat
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Esmond,
On 4/10/13 8:21 PM, Esmond Pitt wrote:
> We had lots of these and finally an attack last year on a Tomcat
> where the manager password somehow hadn't been changed.
Note that the manager webapp has no default passwords, so I wonder
what you
> -Original Message-
> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> Sent: Wednesday, April 10, 2013 7:35 PM
> To: Esmond Pitt
> Cc: Tomcat Users List
> Subject: Re: Tomcat access log reveals hack attempt: "HEAD
> /manager/html HTTP/1.0" 404
>
On Wed, Apr 10, 2013 at 4:32 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Howard,
>
> On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote:
> >> As others have mentioned, I wouldn't give this too much thought:
> >> someone is scan
On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt wrote:
> We had lots of these and finally an attack last year on a Tomcat where the
> manager password somehow hadn't been changed. The attacker installed a
> viral
> servlet application that killed the server completely, we had to rebuild
> it.
>
> We:
8080 may
have played the biggest part in all this.
EJP
-Original Message-
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Sent: Wednesday, 10 April 2013 10:18 PM
To: Tomcat Users List
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0"
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Howard,
On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote:
>> As others have mentioned, I wouldn't give this too much thought:
>> someone is scanning you for vulnerabilities. I'll bet if you log
>> the full headers of those requests, you'll see someth
Chris,
> As others have mentioned, I wouldn't give this too much thought:
> someone is scanning you for vulnerabilities. I'll bet if you log the
> full headers of those requests, you'll see something like
> "admin/admin" or "scott/tiger" in the WWW-Authenticate headers. Just
> someone knocking on
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Howard,
On 4/10/13 7:32 AM, Howard W. Smith, Jr. wrote:
> Every now and then, I like to review localhost_access_log files,
> just to see who might be trying to access my web app, running on
> TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes a
On Wed, Apr 10, 2013 at 10:35 AM, David kerber wrote:
> On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
>
>> On Wed, Apr 10, 2013 at 9:44 AM, David kerber
>> wrote:
>>
>> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>>>
>>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
ch
On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 9:44 AM, David kerber wrote:
On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
chuck.caldar...@unisys.com> wrote:
From: Howard W. Smith, Jr. [mailto:smithh03
On Wed, Apr 10, 2013 at 9:44 AM, David kerber wrote:
> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>
>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
>> chuck.caldar...@unisys.com> wrote:
>>
>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com**]
Subject: Tomcat acce
On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
chuck.caldar...@unisys.com> wrote:
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
a few min
On Wed, Apr 10, 2013 at 8:48 AM, Daniel Mikusa wrote:
> On Apr 10, 2013, at 8:17 AM, Howard W. Smith, Jr. wrote:
>
>
> This looks like a bot or automated script, checking to see if the Manager
> app is available. If it found the app, you'd probably see it try some
> exploit. Since you've remove
On Apr 10, 2013, at 8:17 AM, Howard W. Smith, Jr. wrote:
> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <
> chuck.caldar...@unisys.com> wrote:
>
>>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
>> HTTP
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:
> > From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> > Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
> HTTP/1.0" 404
>
> > a few minutes ago, I saw the following in the log
> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
> HTTP/1.0" 404
> a few minutes ago, I saw the following in the log:
> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0"
> 404 -
> Thi
96 matches