Posted to users@tomcat.apache.org by Lyallex <ly...@gmail.com> on 2007/08/23 09:25:51 UTC

Is Tomcat being hacked by curl ?

(Debian) Linux 2.6.11.12-xenU
Tomcat 5.5.20
Java 1.5.0_04

This question concerns access to a running Tomcat instance by a
previously unseen/unknown user agent.
I have been developing commercial sites in Java for a number of years
now but this is the first time I have
deployed a commercial application on my own and hence I am a complete
beginner when it comes to dealing with
nefarious nerks trying to hack my installation.

Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.

The following might be quite harmless but it would be nice to hear of
others exp' in this area

Looking at the user agent section of my Webalizer generated access log
analysis page I can see the following entry

curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.

I have been to http://curl.haxx.se/ and it seems to my (currently)
inexperienced eye
that this software _could_ be used to do all sorts of despicable
things to a web site.
I guess it could also be used to 'build your own browser' so I'm not
panicking just yet

I have telnet and ftp disabled and access the server via ssh and scp.

Is this likely to be some dismal little hacker trying to probe my defenses or
am I worrying unnecessarily?

I will investigate curl further of course.

Thanks
Duncan

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


[OT] RE: Is Tomcat being hacked by curl ?

Posted by Peter Crowther <Pe...@melandra.com>.
> From: David Rees [mailto:drees76@gmail.com] 
> You can use telnet to run a crude DoS attack, too. Or any other tool
> which can open a TCP connection. curl would not be my first choice to
> perform a DoS attack if I were so inclined.

No, it's a bit resource-intensive.  A good few years ago, when I was
testing credit card auth systems for a large UK retailer, I wrote a load
tester that would sustain upwards of 200 TCP connection attempts per
second.  It took me a couple of hours to write the core, and it ran on a
P100 desktop under Yggdrasil Linux, kernel version 1.0.0 - we never
found out how high it'd go, as the servers failed at a small fraction of
that load.  I've no doubt far more effective DoS (and DDoS) tools exist
than that now; this is merely a datum about just how easy it is to write
better hacking tools!

		- Peter



Re: Is Tomcat being hacked by curl ?

Posted by David Rees <dr...@gmail.com>.
On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> Although ... depending on what you consider hacking it certainly seems
> like it could easily be used to run a crude DOS attack (for example)
> simply by writing a shell script with a loop in it, like many other
> otherwise benign applications out there I'm sure.

You can use telnet to run a crude DoS attack, too. Or any other tool
which can open a TCP connection. curl would not be my first choice to
perform a DoS attack if I were so inclined.

-Dave



Re: Is Tomcat being hacked by curl ?

Posted by David Smith <dn...@cornell.edu>.
Sorry, I wasn't after you.  I was just trying to catch a discussion that 
could easily lose sight of the original question. 

For the benefit of people on the list, curl can be used for good purposes 
like downloading packages, a test of server status (e.g. in a heartbeat 
script activating a backup when the primary dies), or to automatically 
back up a website if you have a CMS package with a backup tool.  Magnolia 
CMS falls into that last category and I've used curl with a cron job to 
back up the site nightly.

--David

Lyallex wrote:

>On 8/23/07, David Smith <dn...@cornell.edu> wrote:
>  
>
>>Just to nip this one early before the discussion strays too far, curl is
>>NOT a hacking tool.  It's just a command line http client useful in all
>>sorts of linux/unix OS scripts.
>>    
>>
>
>Yep, I understand what curl is now ... spent some time on the relevant
>website reading up about it. I never actually suggested it was a
>hacking tool, I was unsure what it was and was asking for relevant
>exp' from the users of this list, and as is often the case
>users@tomcat.apache.org delivered the goods.
>
>  
>
>>To determine if it's being used to probe your site, you need to pay
>>attention to WHAT is being requested.  The brief sample offered by the
>>OP was actually very benign (no weird escape sequences or attempts to
>>access a binary executable).
>>    
>>
>
>Although ... depending on what you consider hacking it certainly seems
>like it could easily be used to run a crude DOS attack (for example)
>simply by writing a shell script with a loop in it, like many other
>otherwise benign applications out there I'm sure.
>
>Anyway, what this has taught me is to pay much more attention to the
>logs over and above checking out the webalizer pages once a day and to
>understand what is being requested as well as by what (and by whom)...
>oh yes, and to dredge up what I used to know about iptables (or was
>that ipchains) as well, good tip.
>
>So, a success then, and none of this is EVER a waste of time IMHO.
>
>Many thanks
>Duncan
>
>  
>
>>--David
>>
>>Mark Deneen wrote:
>>
>>    
>>
>>>Once you find them, you might be hard pressed to actually do anything
>>>about it beyond getting in touch with their ISP.
>>>
>>>It might be easier to just block them at the firewall or on the server
>>>tomcat runs on with something like iptables.
>>>
>>>Mark
>>>
>>>On 8/23/07, Lyallex <ly...@gmail.com> wrote:
>>>
>>>
>>>      
>>>
>>>>www.who.is
>>>>
>>>>Much more info
>>>>
>>>>...tracking the perpetrator down now ... this is fun.
>>>>
>>>>
>>>>
>>>>        
>>>>




Re: Is Tomcat being hacked by curl ?

Posted by Lyallex <ly...@gmail.com>.
On 8/23/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Duncan,
>
> Not to belabor this thread too much, but...
>
> Lyallex wrote:
> > I never actually suggested [curl] was a
> > hacking tool
>
> See the subject line.

Yes ... fair point :-}



Re: Is Tomcat being hacked by curl ?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Duncan,

Not to belabor this thread too much, but...

Lyallex wrote:
> I never actually suggested [curl] was a
> hacking tool

See the subject line.

> Although ... depending on what you consider hacking it certainly seems
> like it could easily be used to run a crude DOS attack (for example)
> simply by writing a shell script with a loop in it, like many other
> otherwise benign applications out there I'm sure.

...such as lynx, wget, telnet, etc. Of course, telnet doesn't report
itself using a user-agent header unless you want it to.

-chris



Re: Is Tomcat being hacked by curl ?

Posted by Lyallex <ly...@gmail.com>.
On 8/23/07, David Smith <dn...@cornell.edu> wrote:
> Just to nip this one early before the discussion strays too far, curl is
> NOT a hacking tool.  It's just a command line http client useful in all
> sorts of linux/unix OS scripts.

Yep, I understand what curl is now ... spent some time on the relevant
website reading up about it. I never actually suggested it was a
hacking tool, I was unsure what it was and was asking for relevant
exp' from the users of this list, and as is often the case
users@tomcat.apache.org delivered the goods.

> To determine if it's being used to probe your site, you need to pay
> attention to WHAT is being requested.  The brief sample offered by the
> OP was actually very benign (no weird escape sequences or attempts to
> access a binary executable).

Although ... depending on what you consider hacking it certainly seems
like it could easily be used to run a crude DOS attack (for example)
simply by writing a shell script with a loop in it, like many other
otherwise benign applications out there I'm sure.

Anyway, what this has taught me is to pay much more attention to the
logs over and above checking out the webalizer pages once a day and to
understand what is being requested as well as by what (and by whom)...
oh yes, and to dredge up what I used to know about iptables (or was
that ipchains) as well, good tip.

So, a success then, and none of this is EVER a waste of time IMHO.

Many thanks
Duncan

>
> --David
>
> Mark Deneen wrote:
>
> >Once you find them, you might be hard pressed to actually do anything
> >about it beyond getting in touch with their ISP.
> >
> >It might be easier to just block them at the firewall or on the server
> >tomcat runs on with something like iptables.
> >
> >Mark
> >
> >On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> >
> >
> >>www.who.is
> >>
> >>Much more info
> >>
> >>...tracking the perpetrator down now ... this is fun.
> >>
> >>
> >>
> >



Re: Is Tomcat being hacked by curl ?

Posted by David Smith <dn...@cornell.edu>.
Just to nip this one early before the discussion strays too far, curl is 
NOT a hacking tool.  It's just a command line http client useful in all 
sorts of linux/unix OS scripts. 

To determine if it's being used to probe your site, you need to pay 
attention to WHAT is being requested.  The brief sample offered by the 
OP was actually very benign (no weird escape sequences or attempts to 
access a binary executable).

--David

Mark Deneen wrote:

>Once you find them, you might be hard pressed to actually do anything
>about it beyond getting in touch with their ISP.
>
>It might be easier to just block them at the firewall or on the server
>tomcat runs on with something like iptables.
>
>Mark
>
>On 8/23/07, Lyallex <ly...@gmail.com> wrote:
>  
>
>>www.who.is
>>
>>Much more info
>>
>>...tracking the perpetrator down now ... this is fun.
>>
>>    
>>
>




Re: Is Tomcat being hacked by curl ?

Posted by Mark Deneen <md...@gmail.com>.
Once you find them, you might be hard pressed to actually do anything
about it beyond getting in touch with their ISP.

It might be easier to just block them at the firewall or on the server
tomcat runs on with something like iptables.

Mark

On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> www.who.is
>
> Much more info
>
> ...tracking the perpetrator down now ... this is fun.
>



Re: Is Tomcat being hacked by curl ?

Posted by David Rees <dr...@gmail.com>.
On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> > So, looking for favicon.ico and doing a HEAD on my entry page, doesn't
> > look too suspicious I guess.
>
> ...tracking the perpetrator down now ... this is fun.

While the exercise may be fun, you are most likely wasting your time
as the client is very likely to be harmless and meant no harm -
hopefully you learn something from it.

As others have mentioned, while the user-agent of a client can be
interesting, for any real malicious activity the user-agent will
likely be spoofed to look more like something mainstream than to
stand out.

-Dave



Re: Is Tomcat being hacked by curl ?

Posted by Lyallex <ly...@gmail.com>.
www.who.is

Much more info

...tracking the perpetrator down now ... this is fun.


On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> OK, that's all good advice ...
>
> lyallex@webproducts:/usr/tomcat/logs$ cat access.log | grep curl
>
> 69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico
> HTTP/1.1" 200 2238 "-" "curl/7.12.1 (i386-redhat-linux-gnu)
> libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
> 69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 -
> "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a
> zlib/1.2.1.2 libidn/0.5.6"
>
> So, looking for favicon.ico and doing a HEAD on my entry page, doesn't
> look too suspicious I guess.
>
> lyallex@webproducts:/usr/tomcat/logs$ whois 69.25.212.171
>
> Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)
>                                   69.25.0.0 - 69.25.255.255
> Name.com INAP-DEN-NAMECOM-1256 (NET-69-25-212-128-1)
>                                   69.25.212.128 - 69.25.212.191
>
> # ARIN WHOIS database, last updated 2007-08-22 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> Sometimes whois returns a bunch of stuff sometimes I only get a
> minimal return, not much use really.
>
> Anyway, I will investigate further
>
> Thanks for taking the time to reply
>
> Regards
> Duncan
>
> On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> > (Debian) Linux 2.6.11.12-xenU
> > Tomcat 5.5.20
> > Java 1.5.0_04
> >
> > This question concerns access to a running Tomcat instance by a
> > previously unseen/unknown user agent.
> > I have been developing commercial sites in Java for a number of years
> > now but this is the first time I have
> > deployed a commercial application on my own and hence I am a complete
> > beginner when it comes to dealing with
> > nefarious nerks trying to hack my installation.
> >
> > Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
> >
> > The following might be quite harmless but it would be nice to hear of
> > others exp' in this area
> >
> > Looking at the user agent section of my Webalizer generated access log
> > analysis page I can see the following entry
> >
> > curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
> >
> > I have been to http://curl.haxx.se/ and it seems to my (currently)
> > inexperienced eye
> > that this software _could_ be used to do all sorts of despicable
> > things to a web site.
> > I guess it could also be used to 'build your own browser' so I'm not
> > panicking just yet
> >
> > I have telnet and ftp disabled and access the server via ssh and scp.
> >
> > Is this likely to be some dismal little hacker trying to probe my defenses or
> > am I worrying unnecessarily.
> >
> > I will investigate curl further of course.
> >
> > Thanks
> > Duncan
> >
>



Re: Is Tomcat being hacked by curl ?

Posted by Lyallex <ly...@gmail.com>.
OK, that's all good advice ...

lyallex@webproducts:/usr/tomcat/logs$ cat access.log | grep curl

69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico HTTP/1.1" 200 2238 "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 - "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"

So, looking for favicon.ico and doing a HEAD on my entry page, doesn't
look too suspicious I guess.

lyallex@webproducts:/usr/tomcat/logs$ whois 69.25.212.171

Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)
                                  69.25.0.0 - 69.25.255.255
Name.com INAP-DEN-NAMECOM-1256 (NET-69-25-212-128-1)
                                  69.25.212.128 - 69.25.212.191

# ARIN WHOIS database, last updated 2007-08-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Sometimes whois returns a bunch of stuff sometimes I only get a
minimal return, not much use really.

Anyway, I will investigate further

Thanks for taking the time to reply

Regards
Duncan

On 8/23/07, Lyallex <ly...@gmail.com> wrote:
> (Debian) Linux 2.6.11.12-xenU
> Tomcat 5.5.20
> Java 1.5.0_04
>
> This question concerns access to a running Tomcat instance by a
> previously unseen/unknown user agent.
> I have been developing commercial sites in Java for a number of years
> now but this is the first time I have
> deployed a commercial application on my own and hence I am a complete
> beginner when it comes to dealing with
> nefarious nerks trying to hack my installation.
>
> Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
>
> The following might be quite harmless but it would be nice to hear of
> others exp' in this area
>
> Looking at the user agent section of my Webalizer generated access log
> analysis page I can see the following entry
>
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
>
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.
> I guess it could also be used to 'build your own browser' so I'm not
> panicking just yet
>
> I have telnet and ftp disabled and access the server via ssh and scp.
>
> Is this likely to be some dismal little hacker trying to probe my defenses or
> am I worrying unnecessarily.
>
> I will investigate curl further of course.
>
> Thanks
> Duncan
>



RE: Is Tomcat being hacked by curl ?

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Lyallex [mailto:lyallex@gmail.com] 
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
> 
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.

Or it could be used, as I do, to script operations on my own sites and
for large data uploads.

Basically, someone's got a copy of cURL and has performed at least one
operation on your site from (apparently) a RedHat box.  There are much
better cracking tools than cURL, and this is either legitimate or a very
inexperienced script kiddie - they haven't even changed the user agent
string.   Chase the person, not the technology - I'd be much more
interested in which resources they accessed and which IP they came from.

		- Peter
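
Added example (not part of the original thread, and not code from any poster): the advice repeated here is to judge a client by which resources it requested and which IP it came from rather than by its User-Agent, so this sketch groups combined-format access log entries by client address and flags request targets containing odd escape sequences or executable names. The first two sample lines are the entries quoted in this thread; the remaining lines, the flagging heuristics and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format, as in the access.log lines quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed heuristic for "attempts to access a binary executable".
EXECUTABLE_RE = re.compile(r"\.(exe|dll|bat|cmd|sh)$", re.IGNORECASE)

# The first two lines are the entries quoted in this thread; the rest are
# constructed for illustration (documentation-range IPs, browser-like agent).
SAMPLE_LOG = """\
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "GET /favicon.ico HTTP/1.1" 200 2238 "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] "HEAD / HTTP/1.1" 200 - "-" "curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6"
203.0.113.7 - - [22/Aug/2007:17:02:10 +0100] "GET /images/..%2f..%2fsetup.exe HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
203.0.113.7 - - [22/Aug/2007:17:02:11 +0100] "GET /index.jsp%00.txt HTTP/1.1" 400 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
203.0.113.7 - - [22/Aug/2007:17:02:12 +0100] "GET /files/%252e%252e/report HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
198.51.100.9 - - [22/Aug/2007:17:05:00 +0100] "-" 400 - "-" "-"
"""


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so doubly encoded escapes (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(target):
    """Return reasons a request target looks like probing; [] means nothing odd."""
    reasons = []
    decoded = decode_fully(target)
    # Only the path part (before any query string) is checked for traversal.
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        reasons.append("control character in decoded target")
    if decoded != unquote(target):
        reasons.append("multiply encoded escapes")
    if ".." in path.split("/"):
        reasons.append("directory traversal")
    if EXECUTABLE_RE.search(path):
        reasons.append("executable requested")
    return reasons


def analyse(log_text):
    """Group requests per client IP; return (clients, unparsed_lines)."""
    clients = defaultdict(lambda: {"agents": set(), "requests": [], "findings": []})
    unparsed = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:  # malformed request line: worth a look in its own right
            unparsed.append(line)
            continue
        entry = clients[m["ip"]]
        entry["agents"].add(m["agent"])
        entry["requests"].append((m["method"], m["target"], int(m["status"])))
        reasons = classify(m["target"])
        if reasons:
            entry["findings"].append((m["target"], reasons))
    return dict(clients), unparsed


if __name__ == "__main__":
    clients, unparsed = analyse(SAMPLE_LOG)
    for ip, entry in clients.items():
        verdict = "REVIEW" if entry["findings"] else "ok"
        print(f"{ip}  {len(entry['requests'])} requests  [{verdict}]")
        for agent in sorted(entry["agents"]):
            print(f"    agent: {agent}")
        for target, reasons in entry["findings"]:
            print(f"    {target!r}: {', '.join(reasons)}")
    for line in unparsed:
        print(f"unparsed: {line}")
```

On the sample, the curl client from the thread comes out clean while the constructed client with a browser-like User-Agent is the one marked for review, which is the point several replies make about spoofed agents.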



Re: Is Tomcat being hacked by curl ?

Posted by Ronald Klop <ro...@base.nl>.
Curl is a command line http client. It is available for almost all unix/linux platforms.
It is easy to use in scripts to download stuff from http servers. It is not a hacking tool.

You should look at what people are downloading/requesting with it.

Ronald.

On Thu Aug 23 09:25:51 CEST 2007 Tomcat Users List <us...@tomcat.apache.org> wrote:
> (Debian) Linux 2.6.11.12-xenU
> Tomcat 5.5.20
> Java 1.5.0_04
> 
> This question concerns access to a running Tomcat instance by a
> previously unseen/unknown user agent.
> I have been developing commercial sites in Java for a number of years
> now but this is the first time I have
> deployed a commercial application on my own and hence I am a complete
> beginner when it comes to dealing with
> nefarious nerks trying to hack my installation.
> 
> Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
> 
> The following might be quite harmless but it would be nice to hear of
> others exp' in this area
> 
> Looking at the user agent section of my Webalizer generated access log
> analysis page I can see the following entry
> 
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
> 
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.
> I guess it could also be used to 'build your own browser' so I'm not
> panicking just yet
> 
> I have telnet and ftp disabled and access the server via ssh and scp.
> 
> Is this likely to be some dismal little hacker trying to probe my defenses or
> am I worrying unnecessarily.
> 
> I will investigate curl further of course.
> 
> Thanks
> Duncan
> 

Re: Is Tomcat being hacked by curl ?

Posted by David Delbecq <de...@oma.be>.
You should look at the client query, not the agent, to get an idea about
security. The curl client is not that uncommon. I use it (as well as wget,
depending on the server) to download files from public servers directly to my
own server. Examples of use here are:
 - download a JVM from the Sun website (wget 'url' or curl 'url')
 - download additional Perl modules from CPAN
 - test a connection :)

It could also be part of a script that is pumping your web content for
various indexing reasons. Although, in the last case, nasty indexers tend
to mimic Firefox or Internet Explorer as the client :)

Last but not least, it could also be a user who has changed, for
an unknown reason, its navigator identity for a test and forgot to reset
it back to normal before going to the net.


At the precise moment of 23/08/07 09:25, Lyallex expressed himself in these terms:
> (Debian) Linux 2.6.11.12-xenU
> Tomcat 5.5.20
> Java 1.5.0_04
>
> This question concerns access to a running Tomcat instance by a
> previously unseen/unknown user agent.
> I have been developing commercial sites in Java for a number of years
> now but this is the first time I have
> deployed a commercial application on my own and hence I am a complete
> beginner when it comes to dealing with
> nefarious nerks trying to hack my installation.
>
> Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
>
> The following might be quite harmless but it would be nice to hear of
> others exp' in this area
>
> Looking at the user agent section of my Webalizer generated access log
> analysis page I can see the following entry
>
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
>
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.
> I guess it could also be used to 'build your own browser' so I'm not
> panicking just yet
>
> I have telnet and ftp disabled and access the server via ssh and scp.
>
> Is this likely to be some dismal little hacker trying to probe my defenses or
> am I worrying unnecessarily.
>
> I will investigate curl further of course.
>
> Thanks
> Duncan
>


-- 
http://www.noooxml.org/




Re: Is Tomcat being hacked by curl ?

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Lyallex wrote:

> This question concerns access to a running Tomcat instance by a
> previously unseen/unknown user agent.
[...]

> Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.

No.

> The following might be quite harmless but it would be nice to hear of
> others exp' in this area
> 
> Looking at the user agent section of my Webalizer generated access log
> analysis page I can see the following entry
> 
> curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
> 
> I have been to http://curl.haxx.se/ and it seems to my (currently)
> inexperienced eye
> that this software _could_ be used to do all sorts of despicable
> things to a web site.

As could be almost any other user agent - if your website allows
despicable things to be done to it.

> I guess it could also be used to 'build your own browser' so I'm not
> panicking just yet
> 
> I have telnet and ftp disabled and access the server via ssh and scp.
> 
> Is this likely to be some dismal little hacker trying to probe my defenses or
> am I worrying unnecessarily.

Maybe. But if your web server can really be compromised by a client that
does just what you intended when bringing the server online - i.e.
accessing it via HTTP - you have much more important things to worry
about than whether this client calls itself curl, Firefox, IE, telnet or
whatever.

Regards
  mks
