Posted to users@tomcat.apache.org by Assaf <as...@yahoo.com> on 2010/11/07 18:23:48 UTC
Malicious host is crashing my server
Hello,
I have a recurring visitor (from a fixed IP
address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
and EACH time causes the server to crash. My server actually gets a JDBC begin
failed error for the next http calls.
Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
he is visiting the same pages in the same order (never downloading
images/css/js). The only thing that I have noticed that is different with this
user are the http headers he uses:
"Expand HTTP read ahead 1.0"
I could not google anything about those. I am running tomcat 6.0.20 on linux
with mysql.
Anyone has an idea what this can be? How to find out? Also, what can I do to
better protect?
Thanks,
Assaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Malicious host is crashing my server
Posted by Ronald Klop <ro...@base.nl>.
Use ngrep, tcpdump or wireshark to look at what he/she is requesting. If it is SQL injection you should rewrite your queries to use PreparedStatements.
Ronald.
On Sunday, 7 November 2010 18:31, Assaf <as...@yahoo.com> wrote:
>
>
> Hi,
>
> It might be. But I am not sure how to find out more. Any suggestions?
>
> Assaf
>
>
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:29:09 PM
> Subject: Re: Malicious host is crashing my server
>
> JDBC? Are you sure it's not an attempted SQL Injection attack?
>
> On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> > Hello,
> >
> > I have a recurring visitor (from a fixed IP
> > address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> > and EACH time causes the server to crash. My server actually gets a JDBC begin
> > failed error for the next http calls.
> >
> > Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> > he is visiting the same pages in the same order (never downloading
> > images/css/js). The only thing that I have noticed that is different with this
> > user are the http headers he uses:
> >
> > "Expand HTTP read ahead 1.0"
> >
> > I could not google anything about those. I am running tomcat 6.0.20 on linux
> > with mysql.
> >
> > Anyone has an idea what this can be? How to find out? Also, what can I do to
> > better protect?
> >
> > Thanks,
> >
> > Assaf
Re: Malicious host is crashing my server
Posted by Assaf <as...@yahoo.com>.
Hi,
It might be. But I am not sure how to find out more. Any suggestions?
Assaf
----- Original Message ----
From: Marc Boorshtein <mb...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 6:29:09 PM
Subject: Re: Malicious host is crashing my server
JDBC? Are you sure it's not an attempted SQL Injection attack?
On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.
>
> Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> he is visiting the same pages in the same order (never downloading
> images/css/js). The only thing that I have noticed that is different with this
> user are the http headers he uses:
>
> "Expand HTTP read ahead 1.0"
>
> I could not google anything about those. I am running tomcat 6.0.20 on linux
> with mysql.
>
> Anyone has an idea what this can be? How to find out? Also, what can I do to
> better protect?
>
> Thanks,
>
> Assaf
Re: Malicious host is crashing my server
Posted by Marc Boorshtein <mb...@gmail.com>.
JDBC? Are you sure it's not an attempted SQL Injection attack?
On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.
>
> Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> he is visiting the same pages in the same order (never downloading
> images/css/js). The only thing that I have noticed that is different with this
> user are the http headers he uses:
>
> "Expand HTTP read ahead 1.0"
>
> I could not google anything about those. I am running tomcat 6.0.20 on linux
> with mysql.
>
> Anyone has an idea what this can be? How to find out? Also, what can I do to
> better protect?
>
> Thanks,
>
> Assaf
Re: Malicious host is crashing my server
Posted by Rainer Jung <ra...@kippdata.de>.
On 07.11.2010 18:23, Assaf wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.
Can you elaborate what you mean by "crashing my server" and "JDBC begin
failed error"? It is very unclear to me. The solution might well depend
on the problem observed ;)
Regards,
Rainer
RE: Malicious host is crashing my server
Posted by Martin Gainty <mg...@hotmail.com>.
wireshark culprits can bypass your filter by changing IPs
much better to:
1) encrypt your data BEFORE you put it on the wire
http://www.mobilefish.com/developer/bouncycastle/bouncycastle.html
2) Implement SSL on Tomcat
http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
Martin Gainty
______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or making of a copy is prohibited. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask that you inform the sender. Any unauthorized distribution or copying of this message is prohibited. This message is for information only and shall not have any legally binding effect. Given that e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.
> Date: Mon, 8 Nov 2010 01:09:12 -0800
> From: assafn@yahoo.com
> Subject: Re: Malicious host is crashing my server
> To: users@tomcat.apache.org
>
> DumpFilter is a good idea. For the time being we have decided to just block the
> ip address. If it comes again from a different IP, I guess we will need to
> further examine!
>
> Thanks for all the good ideas
>
> Assaf
>
>
> ----- Original Message ----
> From: David Fisher <df...@jmlafferty.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Mon, November 8, 2010 12:00:49 AM
> Subject: Re: Malicious host is crashing my server
>
> You could modify the RequestDumpFilter to only dump the request for that ip
> address.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
> On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:
>
> > A filter to block is good. But then I would not be able to see him doing it
> > again and then find out the issue.
> >
> > Assaf
> >
> >
> > ----- Original Message ----
> > From: "Caldarale, Charles R" <Ch...@unisys.com>
> > To: Tomcat Users List <us...@tomcat.apache.org>
> > Sent: Sun, November 7, 2010 6:48:20 PM
> > Subject: RE: Malicious host is crashing my server
> >
> >> From: Assaf [mailto:assafn@yahoo.com]
> >> Subject: Malicious host is crashing my server
> >
> >> what can I do to better protect?
> >
> > As a temporary preventive measure, you can disable access from this particular
> > IP address by configuring the RemoteAddrValve in server.xml:
> >
> > <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> > deny="79\.177\.23\.102"/>
> >
> > That should give you some time to work out the real fix.
> >
> > - Chuck
> >
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you received
> > this in error, please contact the sender and delete the e-mail and its
> > attachments from all computers.
Re: Malicious host is crashing my server
Posted by Assaf <as...@yahoo.com>.
DumpFilter is a good idea. For the time being we have decided to just block the
ip address. If it comes again from a different IP, I guess we will need to
further examine!
Thanks for all the good ideas
Assaf
----- Original Message ----
From: David Fisher <df...@jmlafferty.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Cc: Tomcat Users List <us...@tomcat.apache.org>
Sent: Mon, November 8, 2010 12:00:49 AM
Subject: Re: Malicious host is crashing my server
You could modify the RequestDumpFilter to only dump the request for that ip
address.
Regards,
Dave
Sent from my iPhone
On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:
> A filter to block is good. But then I would not be able to see him doing it
> again and then find out the issue.
>
> Assaf
>
>
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
>
>> From: Assaf [mailto:assafn@yahoo.com]
>> Subject: Malicious host is crashing my server
>
>> what can I do to better protect?
>
> As a temporary preventive measure, you can disable access from this particular
> IP address by configuring the RemoteAddrValve in server.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> deny="79\.177\.23\.102"/>
>
> That should give you some time to work out the real fix.
>
> - Chuck
Re: Malicious host is crashing my server
Posted by David Fisher <df...@jmlafferty.com>.
You could modify the RequestDumpFilter to only dump the request for that ip address.
Regards,
Dave
Sent from my iPhone
On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:
> A filter to block is good. But then I would not be able to see him doing it
> again and then find out the issue.
>
> Assaf
>
>
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
>
>> From: Assaf [mailto:assafn@yahoo.com]
>> Subject: Malicious host is crashing my server
>
>> what can I do to better protect?
>
> As a temporary preventive measure, you can disable access from this particular
> IP address by configuring the RemoteAddrValve in server.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> deny="79\.177\.23\.102"/>
>
> That should give you some time to work out the real fix.
>
> - Chuck
>
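The suggestion above (dump requests only for the one suspect address), sketched as a stand-alone servlet filter. This is an added example, not code from the thread or from Tomcat: it logs the request line and every header for a single client address before the application runs, so the record survives even if that request is the one that breaks things. The package and class name, the targetAddr init-param and the address 192.0.2.10 are assumptions of this example.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example: a hypothetical filter, not Tomcat's own code. Register it in
// web.xml with <filter-class>example.SingleClientDumpFilter</filter-class>, an
// <init-param> named targetAddr (a name assumed here) holding the address to
// watch, e.g. 192.0.2.10 (constructed), and a <filter-mapping> for every URL.
public class SingleClientDumpFilter implements Filter {

    private static final int MAX_VALUE_LENGTH = 512; // cap per logged value
    private ServletContext context;
    private String targetAddr;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        String addr = config.getInitParameter("targetAddr");
        if (addr == null || addr.trim().length() == 0) {
            throw new ServletException("init-param targetAddr is required");
        }
        targetAddr = addr.trim();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the peer of the connection as Tomcat sees it; behind
        // a proxy or load balancer that is the proxy's address, not the client's.
        if (!(req instanceof HttpServletRequest)
                || !targetAddr.equals(req.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        // Log before the application runs, so the record exists even if this
        // request is the one that leaves the application unusable.
        context.log(describe((HttpServletRequest) req));
        long start = System.currentTimeMillis();
        boolean completed = false;
        try {
            chain.doFilter(req, res);
            completed = true;
        } finally {
            context.log("[dump] " + (completed ? "completed" : "threw an exception")
                    + " after " + (System.currentTimeMillis() - start) + " ms");
        }
    }

    public void destroy() { }

    // Request line plus every header. The query string is logged raw instead of
    // calling getParameter*(), which would consume the body of a POST.
    private static String describe(HttpServletRequest http) {
        StringBuilder sb = new StringBuilder("[dump] ");
        sb.append(clean(http.getMethod())).append(' ').append(clean(http.getRequestURI()));
        if (http.getQueryString() != null) {
            sb.append('?').append(clean(http.getQueryString()));
        }
        sb.append(' ').append(clean(http.getProtocol()));
        Enumeration<?> names = http.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration<?> values = http.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                sb.append("\n    ").append(clean(name)).append(": ")
                  .append(clean((String) values.nextElement()));
            }
        }
        return sb.toString();
    }

    // Escape control and non-ASCII characters so a crafted header cannot forge
    // extra log lines, and truncate oversized values.
    static String clean(String s) {
        if (s == null) return "-";
        StringBuilder out = new StringBuilder();
        int n = Math.min(s.length(), MAX_VALUE_LENGTH);
        for (int i = 0; i < n; i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c >= 0x7f || c == '\\') {
                out.append(String.format("\\x%02x", (int) c));
            } else {
                out.append(c);
            }
        }
        if (s.length() > n) {
            out.append("...[truncated, ").append(s.length()).append(" chars]");
        }
        return out.toString();
    }
}
```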
Re: Malicious host is crashing my server
Posted by Ziggy <zi...@gmail.com>.
That number is not necessarily the IP address used to connect to your
server.
On Sun, Nov 7, 2010 at 6:28 PM, Assaf <as...@yahoo.com> wrote:
> A filter to block is good. But then I would not be able to see him doing it
> again and then find out the issue.
>
> Assaf
>
>
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
>
> > From: Assaf [mailto:assafn@yahoo.com]
> > Subject: Malicious host is crashing my server
>
> > what can I do to better protect?
>
> As a temporary preventive measure, you can disable access from this particular
> IP address by configuring the RemoteAddrValve in server.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> deny="79\.177\.23\.102"/>
>
> That should give you some time to work out the real fix.
>
> - Chuck
Re: Malicious host is crashing my server
Posted by Assaf <as...@yahoo.com>.
A filter to block is good. But then I would not be able to see him doing it
again and then find out the issue.
Assaf
----- Original Message ----
From: "Caldarale, Charles R" <Ch...@unisys.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 6:48:20 PM
Subject: RE: Malicious host is crashing my server
> From: Assaf [mailto:assafn@yahoo.com]
> Subject: Malicious host is crashing my server
> what can I do to better protect?
As a temporary preventive measure, you can disable access from this particular
IP address by configuring the RemoteAddrValve in server.xml:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
deny="79\.177\.23\.102"/>
That should give you some time to work out the real fix.
- Chuck
Re: Malicious host is crashing my server
Posted by Darryl Lewis <da...@unsw.edu.au>.
What do the server logs actually show? What do the database logs show?
Depending upon the database, turn on the maximum level of debugging to see what they are issuing.
It might even be a crawler doing this accidentally. Can you access the same pages in the same order with no ill effects to the server?
On 8/11/10 6:42 AM, "Marc Boorshtein" <mb...@gmail.com> wrote:
Any cookies or headers?
Sent from my iPad
On Nov 7, 2010, at 1:27 PM, Assaf <as...@yahoo.com> wrote:
> I know what sql injection is. But I cannot find any clues to it. None of the
> requests have any parameters or posting. Anyone has an idea how to find if this is
> the case?
>
>
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 7:08:01 PM
> Subject: Re: Malicious host is crashing my server
>
> Do a search on SQL injection and you will get plenty of results
>
> Sent from my iPad
>
> On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com>
> wrote:
>
>>> From: Martin Gainty [mailto:mgainty@hotmail.com]
>>> Subject: RE: Malicious host is crashing my server
>>
>>> the culprit will change IPs
>>
>> That's why I said it was a temporary workaround. However, given the DNS name
>> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be
>> used to take out a range of IP addresses - at the risk of annoying any
>> legitimate clients using the same ISP.
>>
>> - Chuck
Re: Malicious host is crashing my server
Posted by Marc Boorshtein <mb...@gmail.com>.
Any cookies or headers?
Sent from my iPad
On Nov 7, 2010, at 1:27 PM, Assaf <as...@yahoo.com> wrote:
> I know what sql injection is. But I cannot find any clues to it. None of the
> requests have any parameters or posting. Anyone has an idea how to find if this is
> the case?
>
>
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 7:08:01 PM
> Subject: Re: Malicious host is crashing my server
>
> Do a search on SQL injection and you will get plenty of results
>
> Sent from my iPad
>
> On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com>
> wrote:
>
>>> From: Martin Gainty [mailto:mgainty@hotmail.com]
>>> Subject: RE: Malicious host is crashing my server
>>
>>> the culprit will change IPs
>>
>> That's why I said it was a temporary workaround. However, given the DNS name
>> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be
>> used to take out a range of IP addresses - at the risk of annoying any
>> legitimate clients using the same ISP.
>>
>> - Chuck
Re: Malicious host is crashing my server
Posted by Assaf <as...@yahoo.com>.
I know what sql injection is. But I cannot find any clues to it. None of the
requests have any parameters or posting. Anyone has an idea how to find if this is
the case?
----- Original Message ----
From: Marc Boorshtein <mb...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 7:08:01 PM
Subject: Re: Malicious host is crashing my server
Do a search on SQL injection and you will get plenty of results
Sent from my iPad
On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com>
wrote:
>> From: Martin Gainty [mailto:mgainty@hotmail.com]
>> Subject: RE: Malicious host is crashing my server
>
>> the culprit will change IPs
>
> That's why I said it was a temporary workaround. However, given the DNS name
> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be
> used to take out a range of IP addresses - at the risk of annoying any
> legitimate clients using the same ISP.
>
> - Chuck
Re: Malicious host is crashing my server
Posted by Marc Boorshtein <mb...@gmail.com>.
Do a search on SQL injection and you will get plenty of results
Sent from my iPad
On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com> wrote:
>> From: Martin Gainty [mailto:mgainty@hotmail.com]
>> Subject: RE: Malicious host is crashing my server
>
>> the culprit will change IPs
>
> That's why I said it was a temporary workaround. However, given the DNS name in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be used to take out a range of IP addresses - at the risk of annoying any legitimate clients using the same ISP.
>
> - Chuck
RE: Malicious host is crashing my server
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin Gainty [mailto:mgainty@hotmail.com]
> Subject: RE: Malicious host is crashing my server
> the culprit will change IPs
That's why I said it was a temporary workaround. However, given the DNS name in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be used to take out a range of IP addresses - at the risk of annoying any legitimate clients using the same ISP.
- Chuck
RE: Malicious host is crashing my server
Posted by Martin Gainty <mg...@hotmail.com>.
the culprit will change IPs
are you implementing SSL?
are you encrypting your data before putting on the wire?
Martin
> From: Chuck.Caldarale@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 7 Nov 2010 11:48:20 -0600
> Subject: RE: Malicious host is crashing my server
>
> > From: Assaf [mailto:assafn@yahoo.com]
> > Subject: Malicious host is crashing my server
>
> > what can I do to better protect?
>
> As a temporary preventive measure, you can disable access from this particular IP address by configuring the RemoteAddrValve in server.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="79\.177\.23\.102"/>
>
> That should give you some time to work out the real fix.
>
> - Chuck
RE: Malicious host is crashing my server
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Assaf [mailto:assafn@yahoo.com]
> Subject: Malicious host is crashing my server
> what can I do to better protect?
As a temporary preventive measure, you can disable access from this particular IP address by configuring the RemoteAddrValve in server.xml:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="79\.177\.23\.102"/>
That should give you some time to work out the real fix.
- Chuck