Re: Apache/Tomcat vulnerability

2017-01-25 Thread Jaaz Portal
hi, I just wanted to let you know that we have migrated to the WildFly application server and our server has been up online 24/24h for three weeks. Since then it has never frozen, so I suppose I was right saying somebody found a DoS exploit on Tomcat. Unfortunately I cannot help you in figure

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Christopher Schultz
Jaaz,

On 11/30/16 1:41 PM, Jaaz Portal wrote:
> no it looks like dos, its dos
>
> i told you they dosed before bind server until we changed it to other vendor, and later was scanning my host for apache vulnerabilities

Okay, let's just end

Re: Apache/Tomcat vulnerability

2016-11-30 Thread tomcat
Let me ask you a question: if you have nothing in the logs, and there are no connections to your (Apache) server on port 80, then *what exactly* makes you think that you are under some kind of attack? How do you know that it is not simply your application that is freezing up under normal

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
hi Mark, thanks, I have fixed the configuration as you pointed out; maybe this will mitigate the attack. Before there was no connection_timeout in the configuration and these things were occurring too.
best,
artur

2016-11-30 20:29 GMT+01:00 Mark Eggers:
> Artur,
>
> On

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Mark Eggers
Artur,

On 11/30/2016 10:41 AM, Jaaz Portal wrote:
> no it looks like dos, its dos
>
> i told you they dosed before bind server until we changed it to other vendor,
> and later was scanning my host for apache vulnerabilities
>
> configuration is standard, the only thing i changed (after your

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
no, it looks like DoS, it's DoS. I told you they DoSed the BIND server before, until we changed it to another vendor, and later they were scanning my host for Apache vulnerabilities. The configuration is standard; the only thing I changed (after your guidance) is connection_timeout, but this does not work for this

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Mark Eggers
Artur,

On 11/30/2016 8:36 AM, Jaaz Portal wrote:
> hi,
> they has tried again with success despite setting connection_timeout and
> limiting number of clients by mod_bw
> the tomcat has frozen again.
>
> netstat does not showed any connections on port 80 but plenty of
> connections from apache to

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
yes, I was in a hurry and pasted the wrong IP, but I talked with my mate; the one that had an open connection was his host checking our webpage. So besides our connections there were no open HTTP connections, but plenty of them between Apache and Tomcat. It was no Slowloris, guys, and with the forensics logs

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Mark Eggers
Artur,

On 11/30/2016 9:02 AM, Jaaz Portal wrote:
> hi,
> sorry, there was two open connection on port 80
> from 194.135.88.32 that is somwhere on epix.net.pl
> an association of internet traffick exchange (some pirate hub)
>
> best,
> artur

194.135.88.32 appears to be your web site, no? . . .

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
hi, sorry, there were two open connections on port 80 from 194.135.88.32, that is somewhere on epix.net.pl, an association of internet traffic exchange (some pirate hub).
best,
artur

2016-11-30 17:52 GMT+01:00 Jaaz Portal:
> hi,
> i looked at the logs but there are no strange

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
hi, I looked at the logs but there are no strange things, traffic as usual, no errors except this one:

[Wed Nov 30 17:10:13.375912 2016] [mpm_event:error] [pid 12870:tid 139906329666752] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

any idea

Re: Apache/Tomcat vulnerability

2016-11-30 Thread Jaaz Portal
hi, they have tried again, with success, despite setting connection_timeout and limiting the number of clients by mod_bw; the Tomcat has frozen again. netstat did not show any connections on port 80 but plenty of connections from Apache to localhost:8009, so it was not the attack that you have described

Re: Apache/Tomcat vulnerability

2016-11-29 Thread tomcat
On 28.11.2016 22:04, Jaaz Portal wrote:
> hi Andre, you are wrong. This vulnerability is not only causing memory leaks, it makes also apache workers to hang

Maybe for the last time here:
- what do you call "apache workers"?

> , making it easy to exhaust the pool.

- what do you call "the pool"

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Christopher Schultz
Jaaz,

On 11/28/16 2:24 PM, Jaaz Portal wrote:
> hi, i written "exploited some well know vulnerability in mod_proxy"
> not mod_jk.

Yes but then you implied that mod_jk had the same problem:

On 11/27/16 1:03 PM, Jaaz Portal wrote:
> Then they

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Jaaz Portal
hi Andre, you are wrong. This vulnerability is not only causing memory leaks, it also makes Apache workers hang, making it easy to exhaust the pool. That is what I have in my log files. But it is also true that such exhaustion can be caused by other forms of DoS attacks described in this thread.

Re: Apache/Tomcat vulnerability

2016-11-28 Thread tomcat
On 28.11.2016 20:34, Jaaz Portal wrote:
> hi mark, yes, i understand now what slowloris attack is. maybe it was this, maybe this one based on mod_proxy denial of service, CVE-2014-0117

You keep on saying this, but the description

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Jaaz Portal
hi Mark, yes, I understand now what a Slowloris attack is. Maybe it was this, maybe this one based on mod_proxy denial of service, CVE-2014-0117. We do not know yet; we have set up more logging and are waiting for them to attack once

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Jaaz Portal
hi, I wrote "exploited some well known vulnerability in mod_proxy", not mod_jk. This one:

moderate: mod_proxy denial of service (CVE-2014-0117)
A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9. A remote attacker

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Christopher Schultz
Jaaz,

On 11/27/16 1:03 PM, Jaaz Portal wrote:
> Then they exploited some well know vulnerability in mod_proxy. We
> have updated apache to the latest but again they has exploited it,
> so we have switched to mod_jk. And then guess what. They

Re: Apache/Tomcat vulnerability

2016-11-28 Thread Mark Eggers
Jaaz,

On 11/27/2016 2:46 PM, André Warnier (tomcat) wrote:
> On 27.11.2016 19:03, Jaaz Portal wrote:
>> 2016-11-27 18:30 GMT+01:00 André Warnier (tomcat):
>>
>>> On 27.11.2016 14:26, Jaaz Portal wrote:
>>> hi, everything i know so far is just this single log line that

Re: Apache/Tomcat vulnerability

2016-11-27 Thread tomcat
On 27.11.2016 19:03, Jaaz Portal wrote:
> 2016-11-27 18:30 GMT+01:00 André Warnier (tomcat):
>> On 27.11.2016 14:26, Jaaz Portal wrote:
>>> hi, everything i know so far is just this single log line that appeared in apache error.log
>>>
>>> [Fri Nov 25 13:08:00.647835 2016]

Re: Apache/Tomcat vulnerability

2016-11-27 Thread Jaaz Portal
2016-11-27 18:30 GMT+01:00 André Warnier (tomcat):
> On 27.11.2016 14:26, Jaaz Portal wrote:
>
>> hi,
>> everything i know so far is just this single log line that appeared in
>> apache error.log
>>
>> [Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid
>>

Re: Apache/Tomcat vulnerability

2016-11-27 Thread tomcat
On 27.11.2016 14:26, Jaaz Portal wrote:
> hi, everything i know so far is just this single log line that appeared in apache error.log
>
> [Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid 139793489638592] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxR

Re: Apache/Tomcat vulnerability

2016-11-27 Thread Jaaz Portal
hi, everything I know so far is just this single log line that appeared in the Apache error.log:

[Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid 139793489638592] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

there was nothing

Re: Apache/Tomcat vulnerability

2016-11-27 Thread tomcat
On 27.11.2016 13:23, Jaaz Portal wrote:
> hi Andre, thank you very much this was very educative but in my case it is little bit different. The server is no flooded, there is maybe dozen of very sophisticated connections that somehow hangs apache workers threads

Can you be a bit more specific?

Re: Apache/Tomcat vulnerability

2016-11-27 Thread Jaaz Portal
hi Andre, thank you very much, this was very educational, but in my case it is a little bit different. The server is not flooded; there are maybe a dozen very sophisticated connections that somehow hang Apache worker threads, and the effect is permanent. Quickly the pool is exhausted and the only

Re: Apache/Tomcat vulnerability

2016-11-27 Thread tomcat
Hi. Have a look at the indicated parameters in the two pages below. You may be the target of such a variant of DDoS attack: many clients open a TCP connection to your server (front-end), but then never send an HTTP request on that connection. In the meantime, the server accepts the TCP

Re: Apache/Tomcat vulnerability

2016-11-26 Thread Jaaz Portal
hi, sorry, it's mod_jk, not jk2, my typo. All at latest versions. We tried with mod_proxy too. There is no flood of the server. Nobody is flooding us; they use some specific connections after which the pool of Apache workers is exhausted and blocked and we need to restart the Tomcat server. It is some kind

Re: Apache/Tomcat vulnerability

2016-11-25 Thread Christopher Schultz
Artur,

On 11/25/16 8:42 AM, Jaaz Portal wrote:
> hi, we are from some weeks struggling with some Polish hackers that
> are bringing our server down. After updating apache to latest
> version (2.4.23) and tomcat (8.0.38) available for debian systems

Re: Apache/Tomcat vulnerability

2016-11-25 Thread Niranjan Babu Bommu
you can find who is flooding the site in apache access.log and block them in the firewall. ex to find the IP:

cat /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -gr

On Fri, Nov 25, 2016 at 8:42 AM, Jaaz Portal wrote:
> hi,
> we are from some weeks struggling

Apache/Tomcat vulnerability

2016-11-25 Thread Jaaz Portal
hi, we have for some weeks been struggling with some Polish hackers that are bringing our server down. After updating Apache to the latest version (2.4.23) and Tomcat (8.0.38) available for Debian systems we still cannot secure our server. Today it has stopped responding again and we needed to restart