On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:

From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404

a few minutes ago, I saw the following in the log:

113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -

This is an unfamiliar IP address to me.

Can someone please give/share some background on this type of attack?

Another one from China.  GIYF.


http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly

  - Chuck


Thanks Chuck.

I kinda thought that was the reason for the attack, especially when I went
to https://ipdb.at/ and did a lookup of the IP address. Also, I just used
TextPad (text editor) to do a couple of multiple-file searches to see how
often these types of attacks have been occurring in the past.

I mentioned earlier that I removed the manager apps. The server is behind a
firewall router, port 8080 is port-forwarded from the router to the server,
and the web app has a login page (and login servlet/filter in place), but SSL is
not configured just yet. That is definitely on my to-do list to complete
ASAP, as the CEO has given me the go-ahead.

Is it (very) possible that any of these hackers are sniffing or snooping
any of the web app's HTTP requests/responses?

Very unlikely. Sniffing/snooping requires that they have some kind of visibility into the link between the client and the server, so they'd either have to have a piece of malware installed in one of the ISPs between your client and your server (extremely difficult), or in your network or server, or the client's machines or network (not as difficult, but probably still unlikely). And if they had that, why would they call attention to themselves by letting their bot do automated searching for a manager app?



Honestly, based on the list of access log search results below (all are
unfamiliar/unwanted ip addresses), it doesn't seem as though my
server/tomcat/webapp is all that 'popular', but I am waiting to be
corrected. :)


Searching for: HEAD /manager/html
151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0" 404 -
184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html HTTP/1.0" 404 -
148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html HTTP/1.0" 404 -
116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0" 404 -
72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html HTTP/1.0" 404 -
176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html HTTP/1.0" 404 -
163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html HTTP/1.0" 404 -
65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html HTTP/1.0" 404 -
24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html HTTP/1.0" 404 -
87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html HTTP/1.0" 404 -
31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html HTTP/1.0" 404 -
190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0" 404 -
177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html HTTP/1.0" 404 -
122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html HTTP/1.0" 404 -
122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html HTTP/1.0" 404 -
184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html HTTP/1.0" 404 -
70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html HTTP/1.0" 404 -
63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0" 404 -
141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html HTTP/1.0" 404 -
74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
Found 29 occurrence(s) in 23 file(s)

Searching for: HEAD /
62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
Found 11 occurrence(s) in 11 file(s)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
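An added example for this thread (not code posted by any participant): a small Python script that does the search Howard ran by hand in TextPad. It parses Tomcat's default AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), groups the requests under `/manager` by client IP so repeat scanners such as 187.188.175.49 and 122.225.96.215 stand out, and reads the status codes those probes received: a 404 means the manager app is not deployed, a 401/403 means it is deployed and challenging for credentials, and a 2xx means it answered. The embedded sample lines are the ones quoted above with the e-mail wrapping removed, plus one constructed ordinary request from the 192.0.2.0/24 documentation range; the file-glob handling in the `__main__` block is an assumption about how one would point it at a directory of daily logs.

```python
"""Summarise probes for the Tomcat manager app in access logs.

Added example for this thread; not code posted by any participant.
Parses Tomcat's default AccessLogValve "common" pattern
(%h %l %u %t "%r" %s %b), groups requests under /manager by client
IP so repeat scanners stand out, and interprets the status codes
those probes received.
"""
import glob
import re
import sys
from collections import Counter
from datetime import datetime

# One record per line: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 09/Apr/2013:19:26:58 -0400

# Lines quoted in the thread (wrapping removed) plus one constructed
# ordinary request from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html HTTP/1.0" 404 -
122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html HTTP/1.0" 404 -
113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.10 - - [09/Apr/2013:19:30:00 -0400] "GET /index.html HTTP/1.1" 200 2314
"""


def parse_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for zero
    return rec


def summarize(log_text, path_prefix="/manager"):
    """Group requests under path_prefix by client IP and response status."""
    by_ip, statuses, hits = Counter(), Counter(), 0
    first = last = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        hits += 1
        by_ip[rec["host"]] += 1
        statuses[rec["status"]] += 1
        first = rec["time"] if first is None else min(first, rec["time"])
        last = rec["time"] if last is None else max(last, rec["time"])
    return {
        "hits": hits,
        "by_ip": by_ip,
        "statuses": statuses,
        "repeat_ips": sorted(ip for ip, n in by_ip.items() if n > 1),
        "first": first,
        "last": last,
    }


def assess(statuses):
    """What the status codes say about whether a manager app is exposed."""
    if any(s // 100 == 2 for s in statuses):
        return "manager reachable: some probes received a 2xx response"
    if 401 in statuses or 403 in statuses:
        return "manager deployed but access-controlled: probes were challenged or refused"
    if 404 in statuses:
        return "manager not deployed: every probe got a 404"
    return "no manager probes found"


if __name__ == "__main__":
    # Usage: python manager_probes.py [access-log-glob]; defaults to SAMPLE_LOG.
    if len(sys.argv) > 1:
        text = "".join(open(p, encoding="utf-8", errors="replace").read()
                       for p in sorted(glob.glob(sys.argv[1])))
    else:
        text = SAMPLE_LOG
    r = summarize(text)
    print(f"{r['hits']} manager probe(s) from {len(r['by_ip'])} address(es), "
          f"{r['first']} to {r['last']}")
    for ip, n in r["by_ip"].most_common():
        print(f"  {ip:<16} {n}")
    print(assess(r["statuses"]))
```

Pointed at Tomcat's default daily files (for example `logs/localhost_access_log.*.txt`) this gives the same "29 occurrences in 23 files" view as the TextPad search, but as a report that can be run on a schedule. Once the manager apps are removed, as Howard did, these HEAD probes are background noise and the 404s confirm it; the result worth alerting on is `assess()` changing to the 401/403 or 2xx wording, which would mean a manager app has reappeared on a port the internet can reach.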