Posted to users@tomcat.apache.org by Ismael López Quintero <il...@gmail.com> on 2019/01/15 10:24:48 UTC

RE: Tomcat 8.0.46

Sorry for the late answer, but I've been ill.

The system was down on 2018/11/28 at night. It seems that it was a Chinese attack (by the logged IPs). Now I will show them...

These lines are from localhost_access_log_2018_11_28.txt

85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/chatucp/historicchats?idUser=4&idCustomer=1 HTTP/1.1" 200 656
85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/usersextcontact?idUser=4&idCustomer=1 HTTP/1.1" 200 477
85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - // Last known IP
177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP
180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 - // Chinese IP
60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

In catalina.out for that day, I can find this crash:

28-Nov-2018 22:45:30.227 INFO [http-nio-80-exec-149] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
        at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:233)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1045)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

It seems that call "-" is not well parsed (obviously).

I can't find any info for syslog for that crash in those days.

Do you have any idea of the problem? It seems that Tomcat can crash when no GET, POST, PUT, DELETE... request is done. The "-" request seems to take Tomcat down.

I have created a cron recurrent service to check if Tomcat is listening on port 443, but I would like to solve this issue.

Thank you.

--
Signed: Ismael López Quintero.
Software Engineer.
E-mail: ilopezquint@gmail.com.
Website: http://www.desarrolladorsoftware.com/
Huelva. Spain.

-----Original Message-----
From: Ismael López Quintero [mailto:ilopezquint@gmail.com]
Sent: Wednesday, 12 December 2018 10:32
To: 'Tomcat Users List' <us...@tomcat.apache.org>
Subject: RE: Tomcat 8.0.46

Great! I will give more info. Please forgive me for the content shape faults. I'm new to this mail list.

I'll write ASAP.

Thank you!

PS: My system is Debian 8.

--
Signed: Ismael López Quintero.
Software Engineer.
E-mail: ilopezquint@gmail.com.
Website: http://www.desarrolladorsoftware.com/
Huelva. Spain.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, 12 December 2018 5:07
To: users@tomcat.apache.org
Subject: Re: Tomcat 8.0.46

Ismael,

On 12/11/18 08:45, Ismael López Quintero wrote:
> Hello! Crash: stop working. Process running and listening in net 
> ports 80 and 443 (SSL). After crashing, no process exist.

So... nothing in the Tomcat logs that says the process is going down?
For example, usually Java OOME will show in catalina.out, but the JVM will not actually terminate.

My guess is Linux OOME killer (or similar). Check your syslog for "oome" (lowercase) if you are on Linux.

If you are *not* on Linux, that would seem to be very important information if you want to get some help.

Your original post was of the form "it didn't work; what went wrong?".
We need much more information if we are going to be able to help you.

-chris

> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Tuesday, 11 December 2018 14:05
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8.0.46
> 
> On 11/12/2018 12:38, Ismael López Quintero wrote:
>> Hello!
>>
>> My Tomcat installation crashed some days ago.  It is deployed to
>> serve a REST API using Jersey. Looking at localhost_access_log daily
>> file, just before crashing it received the next requests…
>>
>> X.X.X.X - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -   <- This is the last known call before crashing
>>
>> X.X.X.X - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
>>
>> X.X.X.X - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
>>
>> X.X.X.X - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
>>
>> Crashed.
>>
>> IP addresses are named X.X.X.X to protect callers privacy, but it
>> seems that the last three ones are owned by attackers (IPs are
>> geolocated in China). If you want I can give them (IPs).
>>
>> Everything is going ok in Tomcat, but this.
>>
>> Have you got any idea?
> 
> Define "crashed".
> 
> Mark
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org






Re: Tomcat 8.0.46

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ismael,

On 1/15/19 05:24, Ismael López Quintero wrote:
> Sorry for the late answer, but I've been ill.
> 
> The system was down on 2018/11/28 at night. It seems that it was a
> Chinese attack (by the logged IPs). Now I will show them...
> 
> These lines are from localhost_access_log_2018_11_28.txt
> 
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/chatucp/historicchats?idUser=4&idCustomer=1 HTTP/1.1" 200 656
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/usersextcontact?idUser=4&idCustomer=1 HTTP/1.1" 200 477
> 85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - // Last known IP

The above are all from Spain.

> 177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

No, this is Brazil.

> 180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 - // Chinese IP
> 60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP

These are from China. A request for "-"? Odd, but it was refused so
that's good, right?

I wouldn't call this an "attack". People from Brazil and China were
making requests to your web server. Presumably, you put it on the
internet so users could make web requests, right?

> In catalina.out for that day, I can find this crash:
> 
> 28-Nov-2018 22:45:30.227 INFO [http-nio-80-exec-149] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
>         at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:233)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1045)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> 
> It seems that call "-" is not well parsed (obviously).

Right.

> I can't find any info for syslog for that crash in those days.

Nothing crashed.

> Do you have any idea of the problem? It seems that Tomcat can
> crash when no GET, POST, PUT, DELETE... request is done. The "-"
> request seems to take Tomcat down.

ORLY? What evidence do you have of Tomcat being brought down by the
simplest of requests? Your own log file shows that Tomcat served a
request *after* the request for "-", so there is actually evidence
that Tomcat *survived* the "attack".

> I have created a cron recurrent service to check if Tomcat is 
> listening on port 443, but I would like to solve this issue.

Something else is definitely going on. Search your system logs for
"oom". Or reboots for that matter.

-chris

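The two checks suggested in this reply (was anything served after the "-" request, and does syslog record the kernel OOM killer or a reboot), as an added example that is not part of the original thread. The sample log lines are constructed: the access-log layout follows the lines quoted above, and the syslog wording assumes typical Linux kernel OOM-killer messages.

```python
import re
from datetime import datetime

# Constructed sample data. The access-log lines keep the layout quoted in the
# thread but use RFC 5737 documentation addresses. The syslog lines are
# constructed in the style of Linux kernel OOM-killer messages (an assumption).
ACCESS_LOG = """\
192.0.2.10 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -
198.51.100.7 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
203.0.113.5 - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
203.0.113.9 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
""".splitlines()

SYSLOG = """\
Nov 29 00:05:01 host CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
Nov 29 00:17:42 host kernel: [812345.101234] java invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
Nov 29 00:17:42 host kernel: [812345.224310] Out of memory: Kill process 1432 (java) score 871 or sacrifice child
Nov 29 00:17:42 host kernel: [812345.225007] Killed process 1432 (java) total-vm:4718592kB, anon-rss:1835008kB, file-rss:0kB
""".splitlines()

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
OOM_RE = re.compile(r"oom-killer|out of memory", re.IGNORECASE)
KILLED_RE = re.compile(r"Killed process (\d+) \(([^)]+)\)")
BOOT_RE = re.compile(r"kernel: \[\s*0\.0+\] Linux version")


def parse_access(line):
    """Parse one access-log line; trailing annotations after the size are ignored."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    host, stamp, request, status, _size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"host": host, "time": when, "request": request, "status": int(status)}


def served_after_malformed(lines):
    """For every rejected request without a request line ("-" with status 400),
    return (time of rejection, time of the next response with status < 400).
    The second value is None when nothing was served afterwards."""
    entries = [e for e in map(parse_access, lines) if e is not None]
    result = []
    for i, entry in enumerate(entries):
        if entry["request"] == "-" and entry["status"] == 400:
            later = next((e["time"] for e in entries[i + 1:] if e["status"] < 400), None)
            result.append((entry["time"], later))
    return result


def last_response_time(lines):
    """Time of the last response logged: the process was alive at least until then."""
    times = [e["time"] for e in map(parse_access, lines) if e is not None]
    return max(times) if times else None


def kill_evidence(syslog_lines):
    """Return (kind, process, line) for lines that explain a vanished process:
    "killed" (kernel killed `process`), "oom" (other OOM-killer output), "boot"."""
    findings = []
    for line in syslog_lines:
        killed = KILLED_RE.search(line)
        if killed:
            findings.append(("killed", killed.group(2), line))
        elif OOM_RE.search(line):
            findings.append(("oom", None, line))
        elif BOOT_RE.search(line):
            findings.append(("boot", None, line))
    return findings


if __name__ == "__main__":
    for rejected, served in served_after_malformed(ACCESS_LOG):
        print(f'"-" rejected at {rejected}; next served response: {served}')
    print("last response logged:", last_response_time(ACCESS_LOG))
    for kind, process, line in kill_evidence(SYSLOG):
        print(kind, process or "-", "|", line)
```

Run against the real files, the last-response time bounds when the process disappeared, which narrows the syslog window to search.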


Re: Tomcat 8.0.46

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ismael,

On 1/15/19 06:32, Ismael López Quintero wrote:
> Great, then I must think that it must be an OOME error.

Don't guess: verify. It may take some time, but it's definitely worth
tracking this down to determine the real cause. Otherwise, you are
"solving" problems that do not exist, which is a waste of time.

Search your logs. Solve the mystery. Fix the problem.

-chris



RE: Tomcat 8.0.46

Posted by Ismael López Quintero <il...@gmail.com>.
Great, then I must think that it must be an OOME error.

Thank you so much. 

--
Signed: Ismael López Quintero.
Software Engineer.
E-mail: ilopezquint@gmail.com.
Website: http://www.desarrolladorsoftware.com/
Huelva. Spain.



Re: Tomcat 8.0.46

Posted by Mark Thomas <ma...@apache.org>.
On 15/01/2019 10:24, Ismael López Quintero wrote:
> Sorry for the late answer, but I've been ill. 
> 
> The system was down on 2018/11/28 at night. It seems that it was a Chinese attack (by the logged IPs). Now I will show them...
> 
> These lines are from localhost_access_log_2018_11_28.txt
> 
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/chatucp/historicchats?idUser=4&idCustomer=1 HTTP/1.1" 200 656
> 85.137.148.55 - - [28/Nov/2018:22:38:41 +0000] "GET /api/webapi/usersextcontact?idUser=4&idCustomer=1 HTTP/1.1" 200 477
> 85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 - // Last known IP
> 177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP
> 180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 - // Chinese IP
> 60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452 // Chinese IP
> 
> In catalina.out for that day, I can find this crash:
> 
> 28-Nov-2018 22:45:30.227 INFO [http-nio-80-exec-149] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
>         at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:233)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1045)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)

That is not a crash. It is simply an invalid request that Tomcat has
rejected. It will have no impact on the processing of future requests.


> It seems that call "-" is not well parsed (obviously).
> 
> I can't find any info for syslog for that crash in those days.
> 
> Do you have any idea of the problem? It seems that Tomcat can crash when no GET, POST, PUT, DELETE... request is done. The "-" request seems to take Tomcat down.

There is no evidence (that has been presented in this thread) to support
that conclusion.

Further, the above logs show that this conclusion is incorrect since the
access log shows at least one request is processed after the "-" request.

> I have created a recurrent cron service to check if Tomcat is listening on port 443, but I would like to solve this issue.

See Chris's previous response.

Mark


> 
> Thank you.
> 
> --
> Signed: Ismael López Quintero.
> Software Engineer.
> E-mail: ilopezquint@gmail.com.
> Website: http://www.desarrolladorsoftware.com/
> Huelva. Spain.
> 
> -----Original Message-----
> From: Ismael López Quintero [mailto:ilopezquint@gmail.com]
> Sent: Wednesday, 12 December 2018 10:32
> To: 'Tomcat Users List' <us...@tomcat.apache.org>
> Subject: RE: Tomcat 8.0.46
> 
> Great! I will give more info. Please forgive me for the content shape faults. I'm new to this mailing list.
> 
> I'll write ASAP.
> 
> Thank you!
> 
> PS: My system is Debian 8.
> 
> --
> Signed: Ismael López Quintero.
> Software Engineer.
> E-mail: ilopezquint@gmail.com.
> Website: http://www.desarrolladorsoftware.com/
> Huelva. Spain.
> 
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, 12 December 2018 5:07
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8.0.46
> 
> Ismael,
> 
> On 12/11/18 08:45, Ismael López Quintero wrote:
>> Hello! Crash: stop working. Process running and listening on net 
>> ports 80 and 443 (SSL). After crashing, no process exists.
> 
> So... nothing in the Tomcat logs that says the process is going down?
> For example, usually Java OOME will show in catalina.out, but the JVM will not actually terminate.
> 
> My guess is Linux OOME killer (or similar). Check your syslog for "oome" (lowercase) if you are on Linux.
> 
> If you are *not* on Linux, that would seem to be very important information if you want to get some help.
> 
> Your original post was of the form "it didn't work; what went wrong?".
> We need much more information if we are going to be able to help you.
> 
> -chris
> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Tuesday, 11 December 2018 14:05
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat 8.0.46
> 
>> On 11/12/2018 12:38, Ismael López Quintero wrote:
>>> Hello!
>>>
>>>
>>>
>>> My Tomcat installation crashed some days ago.  It is deployed to 
>>> serve a REST API using Jersey. Looking at localhost_access_log daily 
>>> file, just before crashing it received the next requests…
>>>
>>>
>>>
>>> X.X.X.X - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -   <- This is the last known call before crashing
>>>
>>> X.X.X.X - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
>>>
>>> X.X.X.X - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
>>>
>>> X.X.X.X - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
>>>
>>>
>>>
>>> Crashed.
>>>
>>>
>>>
>>> IP addresses are named X.X.X.X to protect callers' privacy, but it 
>>> seems that the last three ones are owned by attackers (IPs are 
>>> geolocated in China). If you want I can give them (IPs).
>>>
>>>
>>>
>>> Everything is going ok in Tomcat, but this.
>>>
>>>
>>>
>>> Have you got any idea?
> 
>> Define "crashed".
> 
>> Mark
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
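
The check Mark describes in his reply, as an added example (not code from the thread or from Tomcat): it parses the access-log lines quoted in the message, flags each request that was rejected with 400 before a request line could be parsed, and reports whether a later request was still served. The function names, and the assumption that the log uses the AccessLogValve "common" pattern the quoted lines appear to follow, belong to this example.

```python
import re
from datetime import datetime

# Assumed format: AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

# Access-log lines as quoted in the thread, with the poster's "//" notes removed.
SAMPLE_LOG = """\
85.137.148.55 - - [28/Nov/2018:22:38:44 +0000] "GET /api/webapi/logout?idUser=4&idCustomer=1 HTTP/1.1" 200 -
177.66.148.196 - - [28/Nov/2018:22:40:38 +0000] "GET / HTTP/1.1" 200 11452
180.97.106.164 - - [28/Nov/2018:22:45:30 +0000] "-" 400 -
60.217.72.12 - - [28/Nov/2018:23:48:30 +0000] "GET / HTTP/1.1" 200 11452
"""

def parse(log_text):
    """Yield (timestamp, host, request, status) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["host"], m["req"], int(m["status"])

def triage(log_text):
    """Pair every rejected request with the first request served after it."""
    entries = sorted(parse(log_text))
    findings = []
    for i, (ts, host, req, status) in enumerate(entries):
        # "-" as the request means no request line was parsed; 400 is the rejection.
        if req == "-" and status == 400:
            later = next((e for e in entries[i + 1:] if e[3] < 400), None)
            findings.append({"rejected_at": ts, "from": host,
                             "served_after": later[0] if later else None})
    # The last successful response is a lower bound on when the process was alive.
    last_ok = max((e[0] for e in entries if e[3] < 400), default=None)
    return findings, last_ok

if __name__ == "__main__":
    findings, last_ok = triage(SAMPLE_LOG)
    for f in findings:
        verdict = ("still serving at %s" % f["served_after"]
                   if f["served_after"] else "no later traffic logged")
        print("%s rejected request from %s: %s" % (f["rejected_at"], f["from"], verdict))
    print("last successful response:", last_ok)
```

A `served_after` value of `None` only means no later traffic was logged; it does not by itself show that the rejected request stopped the process.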