OK, that's all good advice ...

[EMAIL PROTECTED]:/usr/tomcat/logs$ cat access.log | grep curl
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico HTTP/1.1" 200 2238 "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 - "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"

So, looking for favicon.ico and doing a HEAD on my entry page, doesn't look too suspicious I guess.

[EMAIL PROTECTED]:/usr/tomcat/logs$ whois 69.25.212.171
Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)
    69.25.0.0 - 69.25.255.255
Name.com INAP-DEN-NAMECOM-1256 (NET-69-25-212-128-1)
    69.25.212.128 - 69.25.212.191

# ARIN WHOIS database, last updated 2007-08-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Sometimes whois returns a bunch of stuff, sometimes I only get a minimal return, not much use really.

Anyway, I will investigate further

Thanks for taking the time to reply

Regards
Duncan

On 8/23/07, Lyallex <[EMAIL PROTECTED]> wrote:
> (Debian) Linux 2.6.11.12-xenU
> Tomcat 5.5.20
> Java 1.5.0_04
>
> This question concerns access to a running Tomcat instance by a
> previously unseen/unknown user agent.
> I have been developing commercial sites in Java for a number of years
> now but this is the first time I have
> deployed a commercial application on my own and hence I am a complete
> beginner when it comes to dealing with
> nefarious nerks trying to hack my installation.
>
> Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
>
> The following might be quite harmless but it would be nice to hear of
> others exp' in this area
>
> Looking at the user agent section of my Webalizer generated access log
> analysis page I can see the following entry
>
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
>
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.
> I guess it could also be used to 'build your own browser' so I'm not
> panicking just yet
>
> I have telnet and ftp disabled and access the server via ssh and scp.
>
> Is this likely to be some dismal little hacker trying to probe my defenses or
> am I worrying unnecessarily?
>
> I will investigate curl further of course.
>
> Thanks
> Duncan