Sorry for the late answer, but I've been ill.

The system was down on 2018/11/28 at night. It seems that it was a Chinese 
attack (by the logged IPs). Now I will show them...

These lines are from localhost_access_log_2018_11_28.txt

85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/chatucp/historicchats?idUser=4&idCustomer=1 HTTP/1.1" 200 656
85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/usersextcontact?idUser=4&idCustomer=1 HTTP/1.1" 200 477
85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - // Last known IP
177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP
180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 - // Chinese IP
60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

In catalina.out for that day, I can find this crash:

28-Nov-2018 22:45:30.227 INFO [http-nio-80-exec-149] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:233)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1045)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

It seems that the call "-" is not parsed well (obviously).

I can't find any info in syslog for that crash on those days.

Do you have any idea of the problem? It seems that Tomcat can crash when no 
GET, POST, PUT, DELETE... request is done. The "-" request seems to take Tomcat 
down.

I have created a recurrent cron service to check if Tomcat is listening on 
port 443, but I would like to solve this issue.

Thank you.

--
Signed: Ismael López Quintero.
Software Engineer.
E-mail: ilopezqu...@gmail.com.
Website: http://www.desarrolladorsoftware.com/
Huelva. Spain.
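
Added example (not part of the original message and not Tomcat project code): a small triage over the access-log lines quoted above that flags entries whose request line could not be parsed and lists the requests answered successfully after the first such entry. The function names and regular expressions are assumptions made for this illustration; the sample lines are the ones from the message, with the trailing annotations removed.

```python
import re
from datetime import datetime

# Access-log lines copied from the message above (wrapped lines joined,
# trailing "// ..." annotations removed).
SAMPLE = """\
85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -
177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
"""

# Layout seen in the log: host ident user [time] "request line" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
# A well-formed request line: token method, request target, HTTP version.
# The access log shows "-" when no request line could be parsed.
REQUEST = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+ \S+ HTTP/\d\.\d$")

def parse(text):
    """Yield one dict per recognisable access-log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, ts, request, status, _size = m.groups()
        yield {
            "host": host,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(status),
            "malformed": REQUEST.match(request) is None,
        }

def triage(text):
    """Return (malformed entries, requests served OK after the first of them)."""
    entries = list(parse(text))
    bad = [e for e in entries if e["malformed"]]
    if not bad:
        return [], []
    first_bad = min(e["time"] for e in bad)
    served_after = [e for e in entries if e["time"] > first_bad
                    and not e["malformed"] and e["status"] < 400]
    return bad, served_after

if __name__ == "__main__":
    bad, after = triage(SAMPLE)
    print("unparseable:", [(e["host"], e["status"]) for e in bad])
    print("served afterwards:", [(e["host"], e["time"].isoformat()) for e in after])
```

On the quoted lines this reports one unparseable request at 22:45:30 answered with 400, and one request answered with 200 at 23:48:30, about an hour later.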

-----Original message-----
From: Ismael López Quintero [mailto:ilopezqu...@gmail.com]
Sent: Wednesday, 12 December 2018 10:32
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: Tomcat 8.0.46

Great! I will give more info. Please forgive me for the content shape faults. 
I'm new to this mailing list.

I'll write ASAP.

Thank you!

PS: My system is Debian 8.

--
Signed: Ismael López Quintero.
Software Engineer.
E-mail: ilopezqu...@gmail.com.
Website: http://www.desarrolladorsoftware.com/
Huelva. Spain.

-----Original message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 12 December 2018 5:07
To: users@tomcat.apache.org
Subject: Re: Tomcat 8.0.46

Ismael,

On 12/11/18 08:45, Ismael López Quintero wrote:
> Hello! Crash: stop working. Process running and listening in net 
> ports 80 and 443 (SSL). After crashing, no process exists.

So... nothing in the Tomcat logs that says the process is going down?
For example, usually Java OOME will show in catalina.out, but the JVM will not 
actually terminate.

My guess is Linux OOME killer (or similar). Check your syslog for "oome" 
(lowercase) if you are on Linux.

If you are *not* on Linux, that would seem to be very important information if 
you want to get some help.

Your original post was of the form "it didn't work; what went wrong?".
We need much more information if we are going to be able to help you.

-chris

> -----Original message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, 11 December 2018 14:05
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8.0.46
> 
> On 11/12/2018 12:38, Ismael López Quintero wrote:
>> Hello!
>> 
>> My Tomcat installation crashed some days ago.  It is deployed to 
>> serve a REST API using Jersey. Looking at localhost_access_log daily 
>> file, just before crashing it received the next requests…
>> 
>> X.X.X.X - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -   <- This is the last known call before crashing
>> 
>> X.X.X.X - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
>> 
>> X.X.X.X - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
>> 
>> X.X.X.X - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
>> 
>> Crashed.
>> 
>> IP addresses are named X.X.X.X to protect callers' privacy, but it 
>> seems that the last three ones are owned by attackers (IPs are 
>> geolocated in China). If you want I can give them (IPs).
>> 
>> Everything is going ok in Tomcat, but this.
>> 
>> Have you got any idea?
> 
> Define "crashed".
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 