Posted to users@tomcat.apache.org by Assaf <as...@yahoo.com> on 2010/11/07 18:23:48 UTC

Malicious host is crashing my server

Hello,

I have a recurring visitor (from a fixed IP 
address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site 
and EACH time causes the server to crash. My server actually gets a JDBC begin 
failed error for the next http calls.

Analyzing the logs, I cannot find out what is wrong. I can see it is a script as 
he is visiting the same pages in the same order (never downloading 
images/css/js). The only thing that I have noticed that is different with this 
user are the http headers he uses:

"Expand HTTP read ahead 1.0"

I could not google anything about those. I am running tomcat 6.0.20 on linux 
with mysql.

Anyone has an idea what this can be? How to find out? Also, what can I do to 
better protect?

Thanks,

Assaf


      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Malicious host is crashing my server

Posted by Ronald Klop <ro...@base.nl>.
Use ngrep, tcpdump or wireshark to look at what he/she is requesting. If it is SQL injection you should rewrite your queries to use PreparedStatements.

Ronald.


On Sunday, 7 November 2010 18:31, Assaf <as...@yahoo.com> wrote:
> 
>  
> Hi,
> 
> It might be. But I am not sure how to find out more. Any suggestions?
> 
> Assaf
> 
> 
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:29:09 PM
> Subject: Re: Malicious host is crashing my server
> 
> JDBC?  Are you sure it's not an attempted SQL Injection attack?
> 
> On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> > Hello,
> >
> > I have a recurring visitor (from a fixed IP
> > address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> > and EACH time causes the server to crash. My server actually gets a JDBC begin
> > failed error for the next http calls.
> >
> > Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> > he is visiting the same pages in the same order (never downloading
> > images/css/js). The only thing that I have noticed that is different with this
> > user are the http headers he uses:
> >
> > "Expand HTTP read ahead 1.0"
> >
> > I could not google anything about those. I am running tomcat 6.0.20 on linux
> > with mysql.
> >
> > Anyone has an idea what this can be? How to find out? Also, what can I do to
> > better protect?
> >
> > Thanks,
> >
> > Assaf
> 
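Ronald's PreparedStatement advice above, as an added example (not code from the thread or from the poster's application). It assumes a hypothetical `visit_log` table and an application that stores the User-Agent header, which shows how a request with no parameters can still reach SQL through a header; the sample header value is constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Added example: hypothetical visit logger that writes a request header to MySQL. */
public class VisitLog {

    /** Column width assumed for visit_log.user_agent (hypothetical schema). */
    private static final int MAX_UA = 255;

    /**
     * The 'before': SQL text built by concatenation. Any quote character in the
     * header becomes part of the statement, so the header controls the SQL syntax.
     */
    static String unsafeSql(String path, String userAgent) {
        return "INSERT INTO visit_log (path, user_agent) VALUES ('"
                + path + "', '" + userAgent + "')";
    }

    /**
     * The 'after': the SQL text is fixed and the header is bound as data,
     * so quotes in it never reach the SQL parser.
     */
    static void record(Connection con, String path, String userAgent) throws SQLException {
        PreparedStatement ps = con.prepareStatement(
                "INSERT INTO visit_log (path, user_agent) VALUES (?, ?)");
        try {
            ps.setString(1, path);
            ps.setString(2, clip(userAgent));
            ps.executeUpdate();
        } finally {
            ps.close(); // always release the statement, also on failure
        }
    }

    /** Null-safe truncation so an oversized header cannot overflow the column. */
    static String clip(String s) {
        if (s == null) {
            return "";
        }
        return s.length() <= MAX_UA ? s : s.substring(0, MAX_UA);
    }

    public static void main(String[] args) {
        // Constructed sample: a harmless header value that merely contains an apostrophe.
        String ua = "Bob's crawler 1.0";
        // Prints a statement with unbalanced quotes, which MySQL rejects as a syntax error.
        System.out.println(unsafeSql("/index.jsp", ua));
    }
}
```

Running `main` needs no database: it only prints the concatenated statement so the broken quoting is visible, while `record` is the form to use against a real `Connection`.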


Re: Malicious host is crashing my server

Posted by Assaf <as...@yahoo.com>.
Hi,

It might be. But I am not sure how to find out more. Any suggestions?

Assaf


----- Original Message ----
From: Marc Boorshtein <mb...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 6:29:09 PM
Subject: Re: Malicious host is crashing my server

JDBC?  Are you sure it's not an attempted SQL Injection attack?

On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.
>
> Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> he is visiting the same pages in the same order (never downloading
> images/css/js). The only thing that I have noticed that is different with this
> user are the http headers he uses:
>
> "Expand HTTP read ahead 1.0"
>
> I could not google anything about those. I am running tomcat 6.0.20 on linux
> with mysql.
>
> Anyone has an idea what this can be? How to find out? Also, what can I do to
> better protect?
>
> Thanks,
>
> Assaf

Re: Malicious host is crashing my server

Posted by Marc Boorshtein <mb...@gmail.com>.
JDBC?  Are you sure it's not an attempted SQL Injection attack?

On Sun, Nov 7, 2010 at 12:23 PM, Assaf <as...@yahoo.com> wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.
>
> Analyzing the logs, I cannot find out what is wrong. I can see it is a script as
> he is visiting the same pages in the same order (never downloading
> images/css/js). The only thing that I have noticed that is different with this
> user are the http headers he uses:
>
> "Expand HTTP read ahead 1.0"
>
> I could not google anything about those. I am running tomcat 6.0.20 on linux
> with mysql.
>
> Anyone has an idea what this can be? How to find out? Also, what can I do to
> better protect?
>
> Thanks,
>
> Assaf

Re: Malicious host is crashing my server

Posted by Rainer Jung <ra...@kippdata.de>.
On 07.11.2010 18:23, Assaf wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site
> and EACH time causes the server to crash. My server actually gets a JDBC begin
> failed error for the next http calls.

Can you elaborate what you mean by "crashing my server" and "JDBC begin 
failed error"? It is very unclear to me. The solution might well depend 
on the problem observed ;)

Regards,

Rainer


RE: Malicious host is crashing my server

Posted by Martin Gainty <mg...@hotmail.com>.
wireshark culprits can bypass your filter this by changing ips
 
much better to:
1)encrypt your data BEFORE you put it on the wire
http://www.mobilefish.com/developer/bouncycastle/bouncycastle.html
2)Implement SSL on Tomcat
http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL

Martin Gainty 
______________________________________________ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask that you inform the sender. Any unauthorized distribution or copying of it is prohibited. This message is for information only and will not have any legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.



 

> Date: Mon, 8 Nov 2010 01:09:12 -0800
> From: assafn@yahoo.com
> Subject: Re: Malicious host is crashing my server
> To: users@tomcat.apache.org
> 
> DumpFilter is a good idea. For the time being we have decided to just block the 
> ip address. If it comes again from a different IP, I guess we will need to 
> further examine!
> 
> Thanks for all the good ideas
> 
> Assaf
> 
> 
> ----- Original Message ----
> From: David Fisher <df...@jmlafferty.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Mon, November 8, 2010 12:00:49 AM
> Subject: Re: Malicious host is crashing my server
> 
> You could modify the RequestDumpFilter to only dump the request for that ip 
> address.
> 
> Regards,
> Dave
> 
> Sent from my iPhone
> 
> On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:
> 
> > A filter to block is good. But then I would not be able to see him doing it 
> > again and then find out the issue.
> > 
> > Assaf
> > 
> > 
> > ----- Original Message ----
> > From: "Caldarale, Charles R" <Ch...@unisys.com>
> > To: Tomcat Users List <us...@tomcat.apache.org>
> > Sent: Sun, November 7, 2010 6:48:20 PM
> > Subject: RE: Malicious host is crashing my server
> > 
> >> From: Assaf [mailto:assafn@yahoo.com] 
> >> Subject: Malicious host is crashing my server
> > 
> >> what can I do to better protect?
> > 
> > As a temporary preventive measure, you can disable access from this particular
> > IP address by configuring the RemoteAddrValve in server.xml:
> > 
> > <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> > deny="79\.177\.23\.102"/>
> > 
> > That should give you some time to work out the real fix.
> > 
> > - Chuck
> > 
> > 
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> > MATERIAL and is thus for use only by the intended recipient. If you received 
> > this in error, please contact the sender and delete the e-mail and its 
> > attachments from all computers.

Re: Malicious host is crashing my server

Posted by Assaf <as...@yahoo.com>.
DumpFilter is a good idea. For the time being we have decided to just block the 
ip address. If it comes again from a different IP, I guess we will need to 
further examine!

Thanks for all the good ideas

Assaf


----- Original Message ----
From: David Fisher <df...@jmlafferty.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Cc: Tomcat Users List <us...@tomcat.apache.org>
Sent: Mon, November 8, 2010 12:00:49 AM
Subject: Re: Malicious host is crashing my server

You could modify the RequestDumpFilter to only dump the request for that ip 
address.

Regards,
Dave

Sent from my iPhone

On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:

> A filter to block is good. But then I would not be able to see him doing it 
> again and then find out the issue.
> 
> Assaf
> 
> 
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
> 
>> From: Assaf [mailto:assafn@yahoo.com] 
>> Subject: Malicious host is crashing my server
> 
>> what can I do to better protect?
> 
> As a temporary preventive measure, you can disable access from this particular
> IP address by configuring the RemoteAddrValve in server.xml:
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> deny="79\.177\.23\.102"/>
> 
> That should give you some time to work out the real fix.
> 
> - Chuck

Re: Malicious host is crashing my server

Posted by David Fisher <df...@jmlafferty.com>.
You could modify the RequestDumpFilter to only dump the request for that ip address.

Regards,
Dave

Sent from my iPhone

On Nov 7, 2010, at 12:28 PM, Assaf <as...@yahoo.com> wrote:

> A filter to block is good. But then I would not be able to see him doing it 
> again and then find out the issue.
> 
> Assaf
> 
> 
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
> 
>> From: Assaf [mailto:assafn@yahoo.com] 
>> Subject: Malicious host is crashing my server
> 
>> what can I do to better protect?
> 
> As a temporary preventive measure, you can disable access from this particular 
> IP address by configuring the RemoteAddrValve in server.xml:
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> deny="79\.177\.23\.102"/>
> 
> That should give you some time to work out the real fix.
> 
> - Chuck
> 
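David's suggestion above as an added example, not code from the thread or from Tomcat: a servlet filter that dumps the request line and headers only for one remote address and always lets the request through. The class name `SingleHostDumpFilter` and the init-param `watchedAddr` are hypothetical; only the Servlet 2.5 API that ships with Tomcat 6 is used.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (hypothetical class, not Tomcat's own dump filter):
 * logs the request line and all headers, but only for one client address.
 */
public class SingleHostDumpFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(SingleHostDumpFilter.class.getName());

    /** Address to watch, read from the hypothetical init-param "watchedAddr". */
    private String watchedAddr;

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("watchedAddr");
        if (value == null || value.trim().length() == 0) {
            throw new ServletException("init-param watchedAddr is required");
        }
        watchedAddr = value.trim();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer; behind a proxy it is the proxy's address.
        if (req instanceof HttpServletRequest
                && watchedAddr.equals(req.getRemoteAddr())) {
            LOG.info(describe((HttpServletRequest) req));
        }
        chain.doFilter(req, res); // never block here: the goal is to observe
    }

    /** Renders request line and headers; the body is left unread for the application. */
    static String describe(HttpServletRequest r) {
        StringBuilder sb = new StringBuilder("request from watched host\n");
        sb.append(r.getMethod()).append(' ').append(clean(r.getRequestURI()));
        if (r.getQueryString() != null) {
            sb.append('?').append(clean(r.getQueryString()));
        }
        sb.append(' ').append(r.getProtocol()).append('\n');

        // Raw Enumeration keeps this compatible with the Servlet 2.5 API of Tomcat 6.
        Enumeration names = r.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration values = r.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                sb.append("  ").append(clean(name)).append(": ")
                  .append(clean((String) values.nextElement())).append('\n');
            }
        }
        sb.append("  [content-length=").append(r.getContentLength())
          .append(", content-type=").append(clean(r.getContentType())).append("]\n");
        return sb.toString();
    }

    /** Escapes control and non-ASCII characters so logged data cannot forge log lines. */
    static String clean(String s) {
        if (s == null) {
            return "-";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7e) {
                out.append("\\u");
                String hex = Integer.toHexString(c);
                for (int p = hex.length(); p < 4; p++) {
                    out.append('0');
                }
                out.append(hex);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to `/*` in `web.xml` with `watchedAddr` set to the address under investigation. The output includes Cookie and Authorization headers, so protect that log like credentials.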



Re: Malicious host is crashing my server

Posted by Ziggy <zi...@gmail.com>.
That number is not necessarily the IP address used to connect to your
server.

On Sun, Nov 7, 2010 at 6:28 PM, Assaf <as...@yahoo.com> wrote:

> A filter to block is good. But then I would not be able to see him doing it
> again and then find out the issue.
>
> Assaf
>
>
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 6:48:20 PM
> Subject: RE: Malicious host is crashing my server
>
> > From: Assaf [mailto:assafn@yahoo.com]
> > Subject: Malicious host is crashing my server
>
> > what can I do to better protect?
>
> As a temporary preventive measure, you can disable access from this
> particular
> IP address by configuring the RemoteAddrValve in server.xml:
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> deny="79\.177\.23\.102"/>
>
> That should give you some time to work out the real fix.
>
> - Chuck

Re: Malicious host is crashing my server

Posted by Assaf <as...@yahoo.com>.
A filter to block is good. But then I would not be able to see him doing it 
again and then find out the issue.

Assaf


----- Original Message ----
From: "Caldarale, Charles R" <Ch...@unisys.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 6:48:20 PM
Subject: RE: Malicious host is crashing my server

> From: Assaf [mailto:assafn@yahoo.com] 
> Subject: Malicious host is crashing my server

> what can I do to better protect?

As a temporary preventive measure, you can disable access from this particular 
IP address by configuring the RemoteAddrValve in server.xml:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" 
deny="79\.177\.23\.102"/>

That should give you some time to work out the real fix.

- Chuck



Re: Malicious host is crashing my server

Posted by Darryl Lewis <da...@unsw.edu.au>.
What do the server logs actually show? What do the database logs show?
Depending upon the database, turn on the maximum level of debugging to see what they are issuing.

It might even be a crawler doing this accidentally. Can you access the same pages in the same order with no ill effects to the server?

On 8/11/10 6:42 AM, "Marc Boorshtein" <mb...@gmail.com> wrote:

Any cookies or headers?

Sent from my iPad

On Nov 7, 2010, at 1:27 PM, Assaf <as...@yahoo.com> wrote:

> I know what sql injection is. But I cannot find any clues to it. None of the
> requests have any parameters or posting. Anyone has an idea how to find if this is
> the case?
>
>
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 7:08:01 PM
> Subject: Re: Malicious host is crashing my server
>
> Do a search on SQL injection and you will get plenty of results
>
> Sent from my iPad
>
> On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com>
> wrote:
>
>>> From: Martin Gainty [mailto:mgainty@hotmail.com]
>>> Subject: RE: Malicious host is crashing my server
>>
>>> the culprit will change IPs
>>
>> That's why I said it was a temporary workaround.  However, given the DNS name
>> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be
>> used to take out a range of IP addresses - at the risk of annoying any
>> legitimate clients using the same ISP.
>>
>> - Chuck


Re: Malicious host is crashing my server

Posted by Marc Boorshtein <mb...@gmail.com>.
Any cookies or headers?

Sent from my iPad

On Nov 7, 2010, at 1:27 PM, Assaf <as...@yahoo.com> wrote:

> I know what sql injection is. But I cannot find any clues to it. None of the 
> requests have any parameters or posting. Anyone has an idea how to find if this is
> the case?
> 
> 
> ----- Original Message ----
> From: Marc Boorshtein <mb...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sun, November 7, 2010 7:08:01 PM
> Subject: Re: Malicious host is crashing my server
> 
> Do a search on SQL injection and you will get plenty of results
> 
> Sent from my iPad
> 
> On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com> 
> wrote:
> 
>>> From: Martin Gainty [mailto:mgainty@hotmail.com] 
>>> Subject: RE: Malicious host is crashing my server
>> 
>>> the culprit will change IPs
>> 
>> That's why I said it was a temporary workaround.  However, given the DNS name 
>> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be 
>> used to take out a range of IP addresses - at the risk of annoying any 
>> legitimate clients using the same ISP.
>> 
>> - Chuck

Re: Malicious host is crashing my server

Posted by Assaf <as...@yahoo.com>.
I know what sql injection is. But I cannot find any clues to it. None of the 
requests have any parameters or posting. Anyone has an idea how to find if this is
the case?


----- Original Message ----
From: Marc Boorshtein <mb...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sun, November 7, 2010 7:08:01 PM
Subject: Re: Malicious host is crashing my server

Do a search on SQL injection and you will get plenty of results

Sent from my iPad

On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com> 
wrote:

>> From: Martin Gainty [mailto:mgainty@hotmail.com] 
>> Subject: RE: Malicious host is crashing my server
> 
>> the culprit will change IPs
> 
> That's why I said it was a temporary workaround.  However, given the DNS name
> in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be
> used to take out a range of IP addresses - at the risk of annoying any
> legitimate clients using the same ISP.
> 
> - Chuck

Re: Malicious host is crashing my server

Posted by Marc Boorshtein <mb...@gmail.com>.
Do a search on SQL injection and you will get plenty of results

Sent from my iPad

On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R" <Ch...@unisys.com> wrote:

>> From: Martin Gainty [mailto:mgainty@hotmail.com] 
>> Subject: RE: Malicious host is crashing my server
> 
>> the culprit will change IPs
> 
> That's why I said it was a temporary workaround.  However, given the DNS name in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be used to take out a range of IP addresses - at the risk of annoying any legitimate clients using the same ISP.
> 
> - Chuck

RE: Malicious host is crashing my server

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin Gainty [mailto:mgainty@hotmail.com] 
> Subject: RE: Malicious host is crashing my server

> the culprit will change IPs

That's why I said it was a temporary workaround.  However, given the DNS name in use, it is likely assigned via DHCP by the perp's ISP, so an IP mask could be used to take out a range of IP addresses - at the risk of annoying any legitimate clients using the same ISP.

 - Chuck



RE: Malicious host is crashing my server

Posted by Martin Gainty <mg...@hotmail.com>.
the culprit will change IPs

are you implementing SSL?
are you encrypting your data before putting on the wire?

Martin 



 

> From: Chuck.Caldarale@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 7 Nov 2010 11:48:20 -0600
> Subject: RE: Malicious host is crashing my server
> 
> > From: Assaf [mailto:assafn@yahoo.com] 
> > Subject: Malicious host is crashing my server
> 
> > what can I do to better protect?
> 
> As a temporary preventive measure, you can disable access from this particular IP address by configuring the RemoteAddrValve in server.xml:
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="79\.177\.23\.102"/>
> 
> That should give you some time to work out the real fix.
> 
> - Chuck

RE: Malicious host is crashing my server

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Assaf [mailto:assafn@yahoo.com] 
> Subject: Malicious host is crashing my server

> what can I do to better protect?

As a temporary preventive measure, you can disable access from this particular IP address by configuring the RemoteAddrValve in server.xml:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="79\.177\.23\.102"/>

That should give you some time to work out the real fix.

 - Chuck

