www.who.is Much more info
...tracking the perpetrator down now ... this is fun.

On 8/23/07, Lyallex <[EMAIL PROTECTED]> wrote:
> OK, that's all good advice ...
>
> [EMAIL PROTECTED]:/usr/tomcat/logs$ cat access.log | grep curl
>
> 69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico HTTP/1.1" 200 2238 "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
> 69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 - "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
>
> So, looking for favicon.ico and doing a HEAD on my entry page, doesn't
> look too suspicious I guess.
>
> [EMAIL PROTECTED]:/usr/tomcat/logs$ whois 69.25.212.171
>
> Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)
> 69.25.0.0 - 69.25.255.255
> Name.com INAP-DEN-NAMECOM-1256 (NET-69-25-212-128-1)
> 69.25.212.128 - 69.25.212.191
>
> # ARIN WHOIS database, last updated 2007-08-22 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> Sometimes whois returns a bunch of stuff sometimes I only get a
> minimal return, not much use really.
>
> Anyway, I will investigate further
>
> Thanks for taking the time to reply
>
> Regards
> Duncan
>
> On 8/23/07, Lyallex <[EMAIL PROTECTED]> wrote:
> > (Debian) Linux 2.6.11.12-xenU
> > Tomcat 5.5.20
> > Java 1.5.0_04
> >
> > This question concerns access to a running Tomcat instance by a
> > previously unseen/unknown user agent.
> > I have been developing commercial sites in Java for a number of years
> > now but this is the first time I have
> > deployed a commercial application on my own and hence I am a complete
> > beginner when it comes to dealing with
> > nefarious nerks trying to hack my installation.
> >
> > Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
> >
> > The following might be quite harmless but it would be nice to hear of
> > others exp' in this area
> >
> > Looking at the user agent section of my Webalizer generated access log
> > analysis page I can see the following entry
> >
> > curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
> >
> > I have been to http://curl.haxx.se/ and it seems to my (currently)
> > inexperienced eye
> > that this software _could_ be used to do all sorts of despicable
> > things to a web site.
> > I guess it could also be used to 'build your own browser' so I'm not
> > panicking just yet
> >
> > I have telnet and ftp disabled and access the server via ssh and scp.
> >
> > Is this likely to be some dismal little hacker trying to probe my defenses
> > or
> > am I worrying unnecessarily.
> >
> > I will investigate curl further of course.
> >
> > Thanks
> > Duncan
> >
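The manual triage in the thread (grep the access log for the unfamiliar agent, then look at what that address requested) can be run over every non-browser client at once. The script below is an added example, not part of the original messages: `summarize_non_browser`, `LINE_RE` and `SAMPLE_LOG` are hypothetical names, the log is assumed to be in combined format as in the quoted entries, and the third sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# Combined log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

CURL_UA = ("curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 "
           "OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6")
SAMPLE_LOG = [
    # The two entries quoted in the thread, rejoined onto single lines.
    f'69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico HTTP/1.1" 200 2238 "-" "{CURL_UA}"',
    f'69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 - "-" "{CURL_UA}"',
    # Constructed browser entry, for contrast (not from the thread).
    '192.0.2.10 - - [22/Aug/2007:16:41:02 +0100] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0.0.6"',
]

def summarize_non_browser(lines):
    """Return ({ip: {"agents", "requests"}}, skipped) for non-Mozilla clients."""
    hits = defaultdict(lambda: {"agents": set(), "requests": []})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # count unparseable lines instead of guessing
            continue
        agent = m["agent"]
        if agent.startswith("Mozilla/"):
            continue  # ordinary browsers (and anything imitating one)
        product = agent.split(" ", 1)[0] or "(empty)"
        entry = hits[m["ip"]]
        entry["agents"].add(product)
        entry["requests"].append((m["method"], m["path"], int(m["status"])))
    return dict(hits), skipped

if __name__ == "__main__":
    report, skipped = summarize_non_browser(SAMPLE_LOG)
    for ip, info in report.items():
        print(ip, sorted(info["agents"]))
        for method, path, status in info["requests"]:
            print(f"    {method:5} {path} -> {status}")
    print("unparsed lines:", skipped)
```

The User-Agent header is supplied by the client, so this summary is a starting point for triage; the requested paths and status codes say more about intent than the agent string does.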