On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 9:44 AM, David kerber<dcker...@verizon.net> wrote:
On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R<
chuck.caldar...@unisys.com> wrote:
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com**]
Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404
a few minutes ago, I saw the following in the log:
113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
This is an unfamiliar ip address to me
Can someone please give/share some background on this type of attack?
Another one from China. GIYF.
http://www.economist.com/news/**leaders/21572200-if-china-**
wants-respect-abroad-it-must-**rein-its-hackers-getting-ugly<http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly>
- Chuck
Thanks Chuck.
I kinda thought that was the reason for the attack, especially, when I
went
to https://ipdb.at/, and did a lookup of the IP address. Also, I just
used
TextPad (text editor) to do a couple of multiple file searches to see how
often these type of attacks have been occurring in the past.
I mentioned earlier that I removed the manager apps. The server is behind
a
firewall router, port 8080 is port-forwarded from the router to the
server,
the web app has login page (and login servlet/filter in place), but SSL is
not configured just yet. That is definitely on my to-do list to complete,
ASAP, as the CEO has given me the go-ahead.
Is it (very) possible that any of these hackers are sniffing-or-snooping
any of the web app's HTTP requests/responses?
Very unlikely. Sniffing/snooping requires that they have some kind of
visibility into the link between the client and the server, so they'd
either have to have a piece of malware installed in one of the ISPs between
your client and your server (extremely difficult), or in your network or
server, or the client's machines or network (not as difficult, but probably
still unlikely). And if they had that, why would they call attention to
themselves by letting their bot do automated searching for a manager app?
Wow, good (and funny) question, David, and thanks for the info/response!
I have actually seen some malware installed on the Windows Server 2003 R2,
that I was using to host the web-app months ago; IIRC, the malware recorded
keystrokes; i think I caught that in the C:\Temp folder or something like
that, and I think I deleted the file(s) related to that on that server; i
think i scanned the list of processes as well via Task manager, and
searched the internet for processes that were listed in task manager, to
see if any of the processes were malware.
Also, the CEO of my organization is somewhat concerned about some of the
personnel that may access that Windows Server 2003 R2, because he feels
that they browse the internet often and may have been infected on their
computers and/or mobile devices. :)
That's my biggest concern about my network security too. I'm under no
illusions about my network not being hackable from outside by a
determined attacker, but that's not as big of a concern to me as my
users getting infected from their internet browsing habits and that
infection spreading to my servers. I do have one advantage in that my
users are few in number and are quite sharp, so it's easy to do training
and to explain to them what kinds of behaviors are risky. I have
already convinced them to only use IE as a last resort if none of the
standard browsers work for what they're doing.
The servers have been accessed, by trusted-and-a-very-limited-number-of
personnel, via Remote Desktop, in the past, but that server is rarely
accessed anymore. I am the only one that access the new Windows Server 2008
R2 64bit server (opened a 'different' port in router, which is forwarded to
remote desktop port of the server), and I have did some checking around on
the server for malware (possibly installed) and netstat, to ensure myself
and personnel are the only people connecting to the server. The tomcat
localhost access log files are now the only resource I check to see if
anyone is trying to hack the server/tomcat/web-app.
Honestly, based on the list of access log search results below (all are
unfamiliar/unwanted ip addresses), it doesn't seem as though my
server/tomcat/webapp is all that 'popular', but I am waiting to be
corrected. :)
Searching for: HEAD /manager/html
151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0"
404 -
184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0"
404 -
72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0"
404 -
177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html
HTTP/1.0"
404 -
82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html
HTTP/1.0" 404 -
184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0"
404 -
141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html
HTTP/1.0" 404 -
Found 29 occurrence(s) in 23 file(s)
Searching for: HEAD /
62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
Found 11 occurrence(s) in 11 file(s)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
