Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread André Warnier
chris derham wrote: Let me just summarise my arguments then : 1) These scans are a burden for all webservers, not just for the vulnerable ones. Whether we want to or not, we currently all have to invest resources into countering (or simply responding to) these scans. Obviously, just ignoring

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread chris derham
But honestly, I am also a bit at a loss now as to how to continue. There is of course no way for me to prove the validity of the scheme by installing it on 31 million (20%) of webservers on the Internet and looking at the resulting bot activity patterns to confirm my suspicions. Try to enter

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread André Warnier
chris derham wrote: But honestly, I am also a bit at a loss now as to how to continue. There is of course no way for me to prove the validity of the scheme by installing it on 31 million (20%) of webservers on the Internet and looking at the resulting bot activity patterns to confirm my

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread Leo Donahue - RDSA IT
-Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 also, if an 'ANN' email was sent, where /expert tomcat/ users can derive/develop a list of the popular/frequent URLs

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread André Warnier
Leo Donahue - RDSA IT wrote: -Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 also, if an 'ANN' email was sent, where /expert tomcat/ users can derive/develop a list

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 4/20/13 6:08 PM, chris derham wrote: I think that you have articulated your suggestion very well. I think you have weighed the pros well and been open to debate. Personally I just don't think what you propose will have the effect that

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 4/20/13 6:08 PM, chris derham wrote: I think that you have articulated your suggestion very well. I think you have weighed the pros well and been open to debate. Personally I just don't think what you propose

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 4/22/13 6:44 PM, André Warnier wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 4/20/13 6:08 PM, chris derham wrote: I think that you have articulated your suggestion very well. I

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-21 Thread Esmond Pitt
The hack attempts that started this thread aren't denial of service attacks at all. They are attempted penetration attempts which if successful lead to installation of a viral servlet. The way I fixed them was to put an Apache HTTPD in front with a whitelist so that only known management IP

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-21 Thread André Warnier
Esmond Pitt wrote: The hack attempts that started this thread aren't denial of service attacks at all. Who said that they were ? They are attempted penetration attempts which if successful lead to installation of a viral servlet. They were HEAD requests, which just indicate whether this

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread André Warnier
Mark H. Wood wrote: On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote: From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread André Warnier
] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default factory setting was for example 1000 ms delay for each 404 answer, could anyone think of a severe detrimental side

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread André Warnier
André Warnier wrote: Mark H. Wood wrote: On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote: From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread David Kerber
On 4/20/2013 7:29 AM, André Warnier wrote: ... Addendum : actually, as far as 4xx codes go, a bit more discrimination is needed. A 401 response (Auth required) for example, should not be slowed down, as it is part of a normal authentication cycle. There may be others like that. Well, Java

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread chris derham
Let me just summarise my arguments then : 1) These scans are a burden for all webservers, not just for the vulnerable ones. Whether we want to or not, we currently all have to invest resources into countering (or simply responding to) these scans. Obviously, just ignoring them doesn't stop

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread Howard W. Smith, Jr.
On Sat, Apr 20, 2013 at 7:22 AM, André Warnier a...@ice-sa.com wrote: 5) if the scheme works, and it does the effect of making this type of server-scanning uneconomical, bot developers will look for other ways to find vulnerable targets. IMHO, I don't see why bots will get 'turned off' by

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-19 Thread Howard W. Smith, Jr.
On Thu, Apr 18, 2013 at 12:26 PM, André Warnier a...@ice-sa.com wrote: My contention is that this would be self-defeating for the bots. 91.121.172.164 - - [03/Apr/2013:08:19:50 +0200] GET /robots.txt HTTP/1.1 404 360 - Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) I

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-19 Thread Mark H. Wood
: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default factory setting was for example 1000 ms delay for each 404 answer, could anyone think of a severe detrimental side

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-19 Thread Mark H. Wood
On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote: From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know in advance

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-18 Thread André Warnier
chris derham wrote: Hi. Long and thoughtful post. Thanks. just hope it helps move the discussion forward Say you have a botnet composed of 100 bots, and you want (collectively) to have them scan 100,000 hosts in total, each one for 30 known buggy URLs. These 30 URLs are unrelated to

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Mark H. Wood
On Tue, Apr 16, 2013 at 01:57:55PM -0300, chris derham wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default factory setting was for example 1000

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread chris derham
Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask themselves, why is my computer so slow/weird/whatever? I'd better get it looked at. Maybe I

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 4/17/13 1:27 PM, André Warnier wrote: Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/17/13 8:49 AM, Mark H. Wood wrote: Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Wednesday, April 17, 2013 10:28 AM To: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/17/13 8:49 AM, Mark H. Wood wrote: Yes. But someone *does

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Caldarale, Charles R
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know in advance that certain requests are for repeated requests of nothing or being made

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
chris derham wrote: Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask themselves, why is my computer so slow/weird/whatever? I'd better get it looked

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Konstantin Kolinko
2013/4/10 Howard W. Smith, Jr. smithh032...@gmail.com: Every now and then, I like to review localhost_access_log files, just to see who might be trying to access my web app, running on TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw the following in the log: 113.11.200.30

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 4/17/13 1:27 PM, André Warnier wrote: Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Wednesday, April 17, 2013 10:28 AM To: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 Leo Donahue - RDSA IT wrote: -Original

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
Konstantin Kolinko wrote: 2013/4/10 Howard W. Smith, Jr. smithh032...@gmail.com: Every now and then, I like to review localhost_access_log files, just to see who might be trying to access my web app, running on TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw the following in

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know in advance that certain requests are for repeated requests of nothing or being made

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread André Warnier
Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know in advance that certain requests are for repeated requests

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Howard W. Smith, Jr.
On Wed, Apr 17, 2013 at 10:45 AM, chris derham ch...@derham.me.uk wrote: The OWASP recommendations for securing tomcat suggest removing all items under catalina_home/webapps as a first step. Just a thought. The first step an attacker performs when conducting a focused attack, is to map out

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Howard W. Smith, Jr.
On Wed, Apr 17, 2013 at 1:59 PM, Leo Donahue - RDSA IT leodona...@mail.maricopa.gov wrote: -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 People *do* do

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Howard W. Smith, Jr.
On Wed, Apr 17, 2013 at 2:39 PM, André Warnier a...@ice-sa.com wrote: Some other calculations : According to the same Netcraft site, of the 600 million websites, 60% are Apache (I guess that this includes httpd and Tomcat (or else Tomcat is in others). This is good to know, and honestly,

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Howard W. Smith, Jr.
On Wed, Apr 17, 2013 at 3:45 PM, Leo Donahue - RDSA IT leodona...@mail.maricopa.gov wrote: Not knowing anything about the history of the HTTP 404 method, if a server does not find a matching request URI, why was it decided that the protocol would even respond at all? Seems like the request

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread chris derham
Hi. Long and thoughtful post. Thanks. just hope it helps move the discussion forward Say you have a botnet composed of 100 bots, and you want (collectively) to have them scan 100,000 hosts in total, each one for 30 known buggy URLs. These 30 URLs are unrelated to each other; each one of them

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread Mark H. Wood
On Mon, Apr 15, 2013 at 07:15:11PM +0200, André Warnier wrote: Neven Cvetkovic wrote: How about creating a fake manager application :))) That takes X minutes/seconds to get back a 404 ;))) [snip] Of course at the moment I am just fishing here for potential negative side-effects. Search

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
Mark H. Wood wrote: On Mon, Apr 15, 2013 at 07:15:11PM +0200, André Warnier wrote: Neven Cvetkovic wrote: How about creating a fake manager application :))) That takes X minutes/seconds to get back a 404 ;))) [snip] Of course at the moment I am just fishing here for potential negative

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread chris derham
Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of the webservers. This assumes that the scanning software makes

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread David kerber
On 4/16/2013 12:57 PM, chris derham wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of the webservers. This

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread Pïd stèr
On 16 Apr 2013, at 17:58, chris derham ch...@derham.me.uk wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
chris derham wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of the webservers. This assumes that the

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
Pïd stèr wrote: On 16 Apr 2013, at 17:58, chris derham ch...@derham.me.uk wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread Pïd stèr
On 16 Apr 2013, at 19:38, André Warnier a...@ice-sa.com wrote: Pïd stèr wrote: On 16 Apr 2013, at 17:58, chris derham ch...@derham.me.uk wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread David kerber
On 4/16/2013 2:26 PM, André Warnier wrote: ... The trick is to make the vaccine cheap enough and easy enough to administer, so that there will be a significant enough proportion of vaccinated servers to make the virus statistically ineffective. Maybe if we find a simple patch to Tomcat to

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 4/16/13 2:37 PM, André Warnier wrote: Say that it would be easy to implement this in Tomcat, and that we do not collectively find good reasons not to do so, and that it does get implemented. Then I pledge that my next move would be

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David, On 4/16/13 2:53 PM, David kerber wrote: On 4/16/2013 2:26 PM, André Warnier wrote: ... The trick is to make the vaccine cheap enough and easy enough to administer, so that there will be a significant enough proportion of vaccinated

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
Pïd stèr wrote: On 16 Apr 2013, at 19:38, André Warnier a...@ice-sa.com wrote: Pïd stèr wrote: On 16 Apr 2013, at 17:58, chris derham ch...@derham.me.uk wrote: Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 4/16/13 2:37 PM, André Warnier wrote: Say that it would be easy to implement this in Tomcat, and that we do not collectively find good reasons not to do so, and that it does get implemented. Then I pledge

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David, On 4/16/13 2:53 PM, David kerber wrote: On 4/16/2013 2:26 PM, André Warnier wrote: ... The trick is to make the vaccine cheap enough and easy enough to administer, so that there will be a significant enough

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Pid
On 15/04/2013 00:03, Christopher Schultz wrote: Pid, On 4/12/13 1:54 PM, Pïd stèr wrote: On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: [...] though I would run Apache httpd and Tomcat on different hosts, so localhost-binding is not possible unless you

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Pid
On 15/04/2013 03:51, Esmond Pitt wrote: I agree with your comment. Adding a second box for Tomcat only means I also have to configure a firewall between them, whereas using 127.0.0.x for Tomcat protects it completely. No it doesn't! Obfuscation or indirection != security. HTTPD doesn't

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Esmond Pitt
' Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On 15/04/2013 03:51, Esmond Pitt wrote: I agree with your comment. Adding a second box for Tomcat only means I also have to configure a firewall between them, whereas using 127.0.0.x for Tomcat protects

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Pid
that 'hiding' Tomcat behind Apache HTTPD alone improves their security. p EJP -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, 15 April 2013 8:25 PM To: Esmond Pitt Cc: 'Tomcat Users List' Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Howard W. Smith, Jr.
On Mon, Apr 15, 2013 at 7:49 AM, Pid p...@pidster.com wrote: I'm persisting in this point because I don't want other users to continue believing the fallacy that 'hiding' Tomcat behind Apache HTTPD alone improves their security. And your persistence is appreciated, and I definitely

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Mark Eggers
On 4/15/2013 3:19 AM, Pid wrote: On 15/04/2013 00:03, Christopher Schultz wrote: Pid, On 4/12/13 1:54 PM, Pïd stèr wrote: On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: [...] though I would run Apache httpd and Tomcat on different hosts, so

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Pid
On 15/04/2013 16:11, Mark Eggers wrote: On 4/15/2013 3:19 AM, Pid wrote: On 15/04/2013 00:03, Christopher Schultz wrote: Pid, On 4/12/13 1:54 PM, Pïd stèr wrote: On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: [...] though I would run Apache httpd and

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread André Warnier
the fallacy that 'hiding' Tomcat behind Apache HTTPD alone improves their security. p EJP -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, 15 April 2013 8:25 PM To: Esmond Pitt Cc: 'Tomcat Users List' Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread André Warnier
In what I believe to be related enough to the subject of the original post, I would like to float a proposal, to make life a bit harder for these automated hackers. By personal observation, I note that many such attempts (the large majority in fact) end up requesting URLs which do not exist on

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Neven Cvetkovic
How about creating a fake manager application :))) That takes X minutes/seconds to get back a 404 ;)))

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread André Warnier
Neven Cvetkovic wrote: How about creating a fake manager application :))) That takes X minutes/seconds to get back a 404 ;))) Just for the sake of the discussion : - a fake manager application would apply to just the /manager webapp, not to other potential hacking targets, no ? (or you

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Pid, On 4/15/13 6:19 AM, Pid wrote: On 15/04/2013 00:03, Christopher Schultz wrote: Pid, On 4/12/13 1:54 PM, Pïd stèr wrote: On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: [...] though I would run Apache

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-15 Thread Mark Eggers
On 4/15/2013 10:15 AM, André Warnier wrote: Neven Cvetkovic wrote: How about creating a fake manager application :))) That takes X minutes/seconds to get back a 404 ;))) Just for the sake of the discussion : - a fake manager application would apply to just the /manager webapp, not to other

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Esmond, On 4/11/13 8:43 PM, Esmond Pitt wrote: I referred to the OpenLDAP lockout mechanism, which is not at all primitive. How does OpenLDAP do better than Tomcat? If I make repeated (failed) login attempts against a single user, can I cause

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Pid, On 4/12/13 1:54 PM, Pïd stèr wrote: On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: [...] though I would run Apache httpd and Tomcat on different hosts, so localhost-binding is not possible unless you are

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-14 Thread Esmond Pitt
I agree with your comment. Adding a second box for Tomcat only means I also have to configure a firewall between them, whereas using 127.0.0.x for Tomcat protects it completely. No it doesn't! Obfuscation or indirection != security. HTTPD doesn't magically provide you with some extra

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-13 Thread Pïd stèr
!= security. HTTPD doesn't magically provide you with some extra security capability. p -Original Message- From: Pïd stèr [mailto:p...@pidster.com] Sent: Saturday, 13 April 2013 3:54 AM To: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-13 Thread Mark Eggers
On 4/10/2013 5:47 PM, Howard W. Smith, Jr. wrote: Some legit 404s definitely show up for every end user that accesses the webapp via mobile device, because PrimeFaces has 2 files that no longer exist in the JAR file, and I just reported this in their Issue Tracker. 127.0.0.1 - -

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-13 Thread Howard W. Smith, Jr.
On Apr 13, 2013 3:55 PM, Mark Eggers its_toas...@yahoo.com wrote: On 4/10/2013 5:47 PM, Howard W. Smith, Jr. wrote: Some legit 404s definitely show up for every end user that accesses the webapp via mobile device, because PrimeFaces has 2 files that no longer exist in the JAR file, and I just

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-12 Thread Pïd stèr
On 11 Apr 2013, at 21:36, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Esmond, On 4/10/13 8:21 PM, Esmond Pitt wrote: We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Jeffrey Janner
-Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Sent: Wednesday, April 10, 2013 7:35 PM To: Esmond Pitt Cc: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On Wed, Apr 10, 2013 at 8:21 PM, Esmond

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Esmond, On 4/10/13 8:21 PM, Esmond Pitt wrote: We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been changed. Note that the manager webapp has no default passwords, so I wonder what you

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Christopher Schultz
log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt esmond.p...@bigpond.comwrote: We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been changed. The attacker installed a viral

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Howard W. Smith, Jr.
reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt esmond.p...@bigpond.comwrote: We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been changed. The attacker installed a viral

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Howard W. Smith, Jr.
: Wednesday, April 10, 2013 7:35 PM To: Esmond Pitt Cc: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt esmond.p...@bigpond.comwrote: We had lots of these and finally an attack last year

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Konstantin Kolinko
2013/4/12 Christopher Schultz ch...@christopherschultz.net: The attacker installed a viral servlet application that killed the server completely, we had to rebuild it. I -- like most people I would guess -- don't run under a SecurityManager, but doing so can significantly limit the damage

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-11 Thread Esmond Pitt
You would have had to intentionally enable the default password. I had clearly done that. The attacker installed a viral servlet application that killed the server completely, we had to rebuild it. I -- like most people I would guess -- don't run under a SecurityManager, but doing so can

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Caldarale, Charles R
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 a few minutes ago, I saw the following in the log: 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] HEAD /manager/html HTTP/1.0 404 - This is an

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 a few minutes ago, I saw the following in the log:

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Daniel Mikusa
On Apr 10, 2013, at 8:17 AM, Howard W. Smith, Jr. wrote: On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 a

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
On Wed, Apr 10, 2013 at 8:48 AM, Daniel Mikusa dmik...@vmware.com wrote: On Apr 10, 2013, at 8:17 AM, Howard W. Smith, Jr. wrote: This looks like a bot or automated script, checking to see if the Manager app is available. If it found the app, you'd probably see it try some exploit. Since

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread David kerber
On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote: On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 a few

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
On Wed, Apr 10, 2013 at 9:44 AM, David kerber dcker...@verizon.net wrote: On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote: On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Tomcat

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread David kerber
On 4/10/2013 10:24 AM, Howard W. Smith, Jr. wrote: On Wed, Apr 10, 2013 at 9:44 AM, David kerber dcker...@verizon.net wrote: On 4/10/2013 8:17 AM, Howard W. Smith, Jr. wrote: On Wed, Apr 10, 2013 at 8:00 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Howard W. Smith,

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Howard, On 4/10/13 7:32 AM, Howard W. Smith, Jr. wrote: Every now and then, I like to review localhost_access_log files, just to see who might be trying to access my web app, running on TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
Chris, As others have mentioned, I wouldn't give this too much thought: someone is scanning you for vulnerabilities. I'll bet if you log the full headers of those requests, you'll see something like admin/admin or scott/tiger in the WWW-Authenticate headers. Just someone knocking on your

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Howard, On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote: As others have mentioned, I wouldn't give this too much thought: someone is scanning you for vulnerabilities. I'll bet if you log the full headers of those requests, you'll see something

RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Esmond Pitt
may have played the biggest part in all this. EJP -Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Sent: Wednesday, 10 April 2013 10:18 PM To: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 On Wed, Apr

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt esmond.p...@bigpond.com wrote: We had lots of these and finally an attack last year on a Tomcat where the manager password somehow hadn't been changed. The attacker installed a viral servlet application that killed the server completely, we had to

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-10 Thread Howard W. Smith, Jr.
On Wed, Apr 10, 2013 at 4:32 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Howard, On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote: As others have mentioned, I wouldn't give this too much thought: someone is scanning you for