Hi.

Miguel Gonzalez wrote:
Dear all,

  I have tomcat 5.5.27 and jdk 1.5.0_17

That's all quite old, and you should probably upgrade.


  As someone suggested to the list I enabled HeapDumpOnOutOfMemoryError. I have 
javamelody running to monitor tomcat. The only thing that I see is that memory 
use increases just before the system crashed.


  The system has crashed only showing this in the catalina.log:

  May 8, 2012 12:03:48 PM org.apache.tomcat.util.http.Parameters 
processParameters
WARNING: Parameters: Character decoding failed. Parameter skipped.
java.io.CharConversionException: isHexDigit
...



Many entries like: May 8, 2012 12:03:48 PM 
org.apache.tomcat.util.http.Parameters processParameters
WARNING: Parameters: Invalid chunk ignored.

The above seems to indicate that your server receives requests with URLs that are not properly URL-encoded. In a URL, roughly speaking, any character (in fact, any byte) that is not a printable US-ASCII character must be encoded as a "%xy" hex sequence, where "xy" is the hexadecimal value of the character. The above error seems to indicate that you are receiving request URLs which contain sequences like "%xy" where "xy" are not valid hexadecimal digits. In consequence, the URL-decoding part of Tomcat cannot decode these URLs properly, and complains.


until I get :

May 8, 2012 1:50:41 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-80
May 8, 2012 1:50:41 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443

...

Now this seems to be a normal Tomcat shutdown, following a received shutdown 
command.
But it could be the result of running out of memory for example.

I do not know if the two are related or not. But in my suspicious mind, I would try to examine which request URLs are the badly-encoded ones, and try to find out where these requests come from. That is because they could very well be attempts to break your server (if it is connected to the Internet e.g.). And maybe your unexplained shutdowns are due to a successful break-in, or a successful DOS attack?



Not sure if the isHexDigit exception is causing this, but it happens 2 hours 
before the system breaks.


Maybe an attacker is trying a series of URLs in a row, and finally they manage one that finds a weakness in your very very old Tomcat.

I really don't know what to enable to get to know what is causing Tomcat to 
crash

Enabling the AccessLog Valve may enable you to see the bad request URLs.
If they do not show up in the Access log (unlikely, since Tomcat apparently continues to run), you may want to set up an Apache httpd front-end to your Tomcat, and log the accesses there.


Searching Google for "tomcat isHexDigit attack" provides some links you might 
want to look at.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
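
An added example, not part of the original message: one way to pull the badly-encoded request URLs, and the hosts sending them, out of an access log once the AccessLog Valve is enabled. It assumes the valve writes the "common" log format; the sample lines, addresses and paths are constructed for illustration.

```python
import re
from collections import Counter

# One line of "common" access log format (assumed valve pattern).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}|-) '
)
# A '%' that is NOT followed by two hex digits: the condition that makes
# Tomcat's parameter decoder log "CharConversionException: isHexDigit".
BAD_ESCAPE_RE = re.compile(r'%(?![0-9A-Fa-f]{2})')


def bad_escapes(target):
    """Return the malformed '%xy' fragments found in a request target."""
    return [target[m.start():m.start() + 3] for m in BAD_ESCAPE_RE.finditer(target)]


def scan(lines):
    """Return (hits, per_host); each hit is (host, timestamp, target, fragments)."""
    hits, per_host = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        frags = bad_escapes(m.group("target"))
        if frags:
            hits.append((m.group("host"), m.group("ts"), m.group("target"), frags))
            per_host[m.group("host")] += 1
    return hits, per_host


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [08/May/2012:12:03:47 +0200] "GET /app/search?q=caf%C3%A9 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/May/2012:12:03:48 +0200] "GET /app/search?q=%zz HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2012:12:03:48 +0200] "GET /app/list?id=100%&x=%4 HTTP/1.1" 200 498',
    '192.0.2.10 - - [08/May/2012:12:04:01 +0200] "GET /app/index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits, per_host = scan(SAMPLE)
    for host, ts, target, frags in hits:
        print(ts, host, target, frags)
    for host, count in per_host.most_common():
        print(host, count)
```

Malformed escapes sent in a POST body do not appear in the access log, so a clean result here does not rule them out; compare the timestamps of the catalina.log warnings against the logged requests.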
