On Wed, Apr 10, 2013 at 10:35 AM, David kerber <dcker...@verizon.net> wrote:

> On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote:
>
>> On Wed, Apr 10, 2013 at 9:44 AM, David kerber <dcker...@verizon.net> wrote:
>>
>>> On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote:
>>>
>>>> On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>>>>
>>>>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>>>>> Subject: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>>>>
>>>>>> a few minutes ago, I saw the following in the log:
>>>>>>
>>>>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>>>>
>>>>>> This is an unfamiliar ip address to me
>>>>>>
>>>>>> Can someone please give/share some background on this type of attack?
>>>>>
>>>>> Another one from China. GIYF.
>>>>>
>>>>> http://www.economist.com/news/leaders/21572200-if-china-wants-respect-abroad-it-must-rein-its-hackers-getting-ugly
>>>>>
>>>>> - Chuck
>>>>
>>>> Thanks Chuck.
>>>>
>>>> I kinda thought that was the reason for the attack, especially when I went to https://ipdb.at/ and did a lookup of the IP address. Also, I just used TextPad (text editor) to do a couple of multiple-file searches to see how often these types of attacks have been occurring in the past.
>>>>
>>>> I mentioned earlier that I removed the manager apps. The server is behind a firewall router, port 8080 is port-forwarded from the router to the server, the web app has a login page (and login servlet/filter in place), but SSL is not configured just yet. That is definitely on my to-do list to complete, ASAP, as the CEO has given me the go-ahead.
>>>>
>>>> Is it (very) possible that any of these hackers are sniffing-or-snooping any of the web app's HTTP requests/responses?
>>>
>>> Very unlikely. Sniffing/snooping requires that they have some kind of visibility into the link between the client and the server, so they'd either have to have a piece of malware installed in one of the ISPs between your client and your server (extremely difficult), or in your network or server, or the client's machines or network (not as difficult, but probably still unlikely). And if they had that, why would they call attention to themselves by letting their bot do automated searching for a manager app?
>>
>> Wow, good (and funny) question, David, and thanks for the info/response!
>>
>> I have actually seen some malware installed on the Windows Server 2003 R2 that I was using to host the web app months ago; IIRC, the malware recorded keystrokes. I think I caught that in the C:\Temp folder or something like that, and I think I deleted the file(s) related to that on that server. I think I scanned the list of processes as well via Task Manager, and searched the internet for processes that were listed in Task Manager, to see if any of the processes were malware.
>>
>> Also, the CEO of my organization is somewhat concerned about some of the personnel that may access that Windows Server 2003 R2, because he feels that they browse the internet often and may have been infected on their computers and/or mobile devices. :)
>
> That's my biggest concern about my network security too. I'm under no illusions about my network not being hackable from outside by a determined attacker, but that's not as big of a concern to me as my users getting infected from their internet browsing habits and that infection spreading to my servers. I do have one advantage in that my users are few in number and are quite sharp, so it's easy to do training and to explain to them what kinds of behaviors are risky. I have already convinced them to only use IE as a last resort if none of the standard browsers work for what they're doing.

Interesting. Training (via email) is what I revert to as well, as I have a small number of end users accessing the app, and I need to take it a step further and warn them about risky (browsing) behavior. We already have our email discussions about Google/Android products/releases/software updates, and I have asked them all to use Google Chrome when accessing the app (even Google Chrome for iPad). :)

>> The servers have been accessed, by trusted-and-a-very-limited-number-of personnel, via Remote Desktop, in the past, but that server is rarely accessed anymore. I am the only one that accesses the new Windows Server 2008 R2 64-bit server (opened a 'different' port in the router, which is forwarded to the remote desktop port of the server), and I have done some checking around on the server for malware (possibly installed) and netstat, to ensure myself and personnel are the only people connecting to the server. The Tomcat localhost access log files are now the only resource I check to see if anyone is trying to hack the server/tomcat/web-app.
>>
>>>> Honestly, based on the list of access log search results below (all are unfamiliar/unwanted ip addresses), it doesn't seem as though my server/tomcat/webapp is all that 'popular', but I am waiting to be corrected. :)
>>>>
>>>> Searching for: HEAD /manager/html
>>>> 151.97.16.39 - - [20/Jan/2013:23:40:09 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 54.243.1.46 - - [23/Jan/2013:00:16:30 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 184.22.232.18 - - [25/Jan/2013:04:09:00 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 148.241.188.62 - - [08/Feb/2013:21:34:19 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 116.1.249.3 - - [09/Feb/2013:05:02:33 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 72.44.38.139 - - [11/Feb/2013:16:25:02 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 176.34.219.177 - - [12/Feb/2013:03:27:21 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 163.28.16.49 - - [14/Feb/2013:04:32:46 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 65.61.202.159 - - [14/Feb/2013:05:14:39 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 24.248.215.60 - - [14/Feb/2013:05:51:41 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 87.249.106.69 - - [14/Feb/2013:07:34:53 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 31.169.105.59 - - [14/Feb/2013:14:46:40 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 190.6.20.69 - - [17/Feb/2013:15:56:20 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 177.1.202.45 - - [18/Feb/2013:04:40:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 50.18.148.126 - - [20/Feb/2013:15:03:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 117.6.64.168 - - [23/Feb/2013:20:40:38 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 122.225.96.215 - - [26/Feb/2013:16:47:03 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 192.248.80.9 - - [28/Feb/2013:04:10:42 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 82.165.140.189 - - [03/Mar/2013:12:08:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 122.225.96.215 - - [07/Mar/2013:01:34:56 -0500] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 184.169.214.34 - - [10/Mar/2013:23:46:53 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 70.34.195.106 - - [17/Mar/2013:16:59:43 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 63.218.12.130 - - [19/Mar/2013:17:29:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 67.55.2.40 - - [31/Mar/2013:02:57:39 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 141.11.254.77 - - [31/Mar/2013:15:32:49 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 74.216.195.99 - - [04/Apr/2013:21:21:20 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -
>>>> Found 29 occurrence(s) in 23 file(s)
>>>>
>>>> Searching for: HEAD /
>>>> 62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 68.87.82.214 - - [23/Jan/2013:16:14:22 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 75.140.255.62 - - [28/Jan/2013:20:33:33 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 198.107.142.2 - - [07/Mar/2013:04:15:13 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 188.40.129.204 - - [08/Mar/2013:11:46:50 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 50.17.48.249 - - [09/Mar/2013:07:41:36 -0500] "HEAD / HTTP/1.0" 404 -
>>>> 137.110.160.35 - - [12/Mar/2013:18:13:24 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 200.105.228.106 - - [17/Mar/2013:22:04:07 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 128.173.98.158 - - [20/Mar/2013:00:08:39 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 200.116.127.81 - - [27/Mar/2013:20:37:04 -0400] "HEAD / HTTP/1.0" 404 -
>>>> 84.22.192.8 - - [31/Mar/2013:13:29:53 -0400] "HEAD / HTTP/1.0" 404 -
>>>> Found 11 occurrence(s) in 11 file(s)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
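The thread above does its log review with a text editor's multi-file search. The following script is an added example, not code from the thread or from Tomcat: it parses lines in the AccessLogValve "common" format shown in the excerpts, separates 404'd probes of the manager path from any request for it that got a real answer (which would mean the manager app is still deployed and reachable), keeps the "HEAD / 404" reachability checks as a separate bucket, and lists source addresses that came back more than once. The /host-manager/html path and the two log lines from 192.0.2.10 and 198.51.100.7 are constructed assumptions for illustration; the other sample lines are copied from the excerpts in this thread.

```python
import re
from collections import Counter, defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Paths only an administrator (or a scanner) should ever ask for.
# The thread discusses /manager/html; /host-manager/html is an assumption
# added here because Tomcat ships it alongside the manager application.
ADMIN_PATHS = ("/manager/html", "/host-manager/html")

# Four lines copied from the thread, two constructed (192.0.2.10 is an
# ordinary user; 198.51.100.7 shows what a still-deployed manager looks like).
SAMPLE_LINES = [
    '113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html HTTP/1.0" 404 -',
    '187.188.175.49 - - [26/Feb/2013:18:07:10 -0500] "HEAD /manager/html HTTP/1.0" 404 -',
    '187.188.175.49 - - [05/Mar/2013:13:51:44 -0500] "HEAD /manager/html HTTP/1.0" 404 -',
    '62.219.119.176 - - [21/Jan/2013:22:16:13 -0500] "HEAD / HTTP/1.0" 404 -',
    '192.0.2.10 - - [10/Apr/2013:09:00:00 -0400] "GET /app/login.jsf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Apr/2013:09:05:00 -0400] "GET /manager/html HTTP/1.1" 401 2473',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a parsed record.

    'hit'       admin path answered with anything but 404: the app is deployed
    'probe'     admin path answered 404: scanner found nothing
    'root-head' HEAD / that 404'd: the "is anything listening" check
    None        everything else
    """
    path = rec["path"].split("?", 1)[0]
    if any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS):
        return "probe" if rec["status"] == 404 else "hit"
    if rec["method"] == "HEAD" and path == "/" and rec["status"] == 404:
        return "root-head"
    return None


def scan(lines):
    """Group suspicious records by label, and count them per source IP."""
    by_label = defaultdict(list)
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        by_label[label].append(rec)
        per_ip[rec["host"]] += 1
    return by_label, per_ip


def repeat_sources(per_ip, min_count=2):
    """Source IPs seen at least min_count times: candidates for a block rule."""
    return sorted(ip for ip, n in per_ip.items() if n >= min_count)


if __name__ == "__main__":
    labels, ips = scan(SAMPLE_LINES)
    for label, recs in labels.items():
        print(f"{label}: {len(recs)}")
        for r in recs:
            print(f"  {r['host']} {r['time']} {r['method']} {r['path']} {r['status']}")
    print("repeat sources:", repeat_sources(ips))
```

Run it against the real files with `scan(open(path))` in place of `SAMPLE_LINES`; the thing to look for is an empty `hit` list, since every manager-path request in the thread's excerpts is a 404 and a 200, 401 or 403 there would mean the manager app (or something at that path) is still answering.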