Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2008/04/24 19:12:55 UTC

Re: hackers sending long URLs to probe site?

Lloyd,

For future reference, please don't "hijack" a thread. You replied to
another message on the list to ask this one. In the future, please
create a brand new message.

DIGLLOYD INC wrote:
| But I see tons of 404 errors, with someone/thing from 62.42.21.210
| (ono.com) doing:
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html

Are you sure this isn't a problem with your own site accidentally
generating URLs that are double- or triple-length? You should record the
"referer" (sic) header to see where the links are coming from. If
they're coming from your site, you might want to check your own software.

| I also see illegal requests like this from several sites:
|
| /diglloyd/blog-images/?S=A

That looks like a URL generated by Apache httpd's "index" feature. I've
never used Tomcat's DefaultServlet to serve directory indexes (so I'm
not sure if it uses the same URL syntax for file sorting, etc.), but is
it possible that you are serving directory indexes from Tomcat? If so,
then this looks like a legitimate request.

| Is there a weakness in Tomcat being probed here?

Perhaps. But I don't believe there are any known weaknesses around this
part of the code. I wouldn't worry about it.

| What is the best way to block such things?

You could write a filter that checks for certain URL patterns and
replies with a 403 (Forbidden) response code.

| Ignore them since they just return 404 error anyway?

That's what I would do.

| Write a filter to insert a long delay for blatantly wrong requests?

Definitely don't do that -- you'd be creating a DoS vector. :(

| I'm not sure if that ono.com represents a single user or an entire ISP,
| so I'm loath to block it entirely.

Lessee...

$ nslookup 62.42.21.210
Server:         192.168.1.40
Address:        192.168.1.40#53

Non-authoritative answer:
210.21.42.62.in-addr.arpa       name = 62.42.21.210.dyn.user.ono.com.

Authoritative answers can be found from:
21.42.62.in-addr.arpa   nameserver = dns03.ono.com.
21.42.62.in-addr.arpa   nameserver = dns01.ono.com.
21.42.62.in-addr.arpa   nameserver = dns02.ono.com.

Looks like an ISP. You are probably being visited (or scanned?) by
someone within their network. They probably own a whole class B network
or more, so you would go crazy blocking IPs individually.

I would just ignore them unless they start to be a significant portion
of your traffic.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
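An added example of the triage Chris describes (mine, not code from the thread or from Tomcat): it parses combined-format access log lines, scores each path by how many times a block of segments is repeated back to back, and classifies the referer as none, own-site or external, which is how you tell whether your own pages emit the doubled links. The log lines are constructed; the client IP, the path shape and the host name diglloyd.com are taken from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def max_segment_repeats(path):
    """Largest number of back-to-back repetitions of any block of path segments.
    '/diglloyd/free/diglloyd/free/Eagles/Eagles.html' -> 2 (block 'diglloyd/free');
    a path with no repeated block -> 1. The query string is ignored."""
    segs = [s for s in path.split('?', 1)[0].split('/') if s]
    best = 1
    for k in range(1, len(segs) // 2 + 1):            # candidate block length
        for start in range(len(segs) - 2 * k + 1):
            block, n, pos = segs[start:start + k], 1, start + k
            while segs[pos:pos + k] == block:           # a slice shorter than k ends the run
                n, pos = n + 1, pos + k
            best = max(best, n)
    return best

def triage(lines, own_host, min_repeats=2):
    """Per client IP: how many suspicious hits, the worst repeat count, and where
    the referers point (none / own-site / external). Malformed lines are skipped."""
    report = defaultdict(lambda: {"hits": 0, "max_repeats": 1, "referers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reps = max_segment_repeats(m["path"])
        if reps < min_repeats:
            continue
        host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        origin = "none" if host is None else ("own-site" if host == own_host else "external")
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["max_repeats"] = max(entry["max_repeats"], reps)
        entry["referers"].add(origin)     # "own-site" means your own pages emit the bad links
    return dict(report)

# Constructed sample log lines (the IP and the path shapes come from the thread).
SAMPLE_LOG = [
    '62.42.21.210 - - [24/Apr/2008:10:01:02 -0700] "GET /diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html HTTP/1.1" 404 987 "-" "Mozilla/4.0"',
    '62.42.21.210 - - [24/Apr/2008:10:01:03 -0700] "GET /diglloyd/free/Eagles/Eagles.html HTTP/1.1" 200 5120 "http://diglloyd.com/diglloyd/free/" "Mozilla/4.0"',
    '10.0.0.5 - - [24/Apr/2008:10:02:00 -0700] "GET /diglloyd/free/diglloyd/free/Eagles/Eagles.html HTTP/1.1" 404 987 "http://diglloyd.com/index.html" "Mozilla/5.0"',
]
```

Paths scored 1 are ordinary; a 403 filter of the kind Chris suggests would key on the same repeat count, whereas a delay filter would hand the sender the DoS lever he warns about.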


Re: hackers sending long URLs to probe site?

Posted by DIGLLOYD INC <di...@diglloyd.com>.
It's certainly something nefarious... one of my paths contains
"diglloyd/free", and I see URLs containing 100 or 200 of that string
repeated...

On Apr 30, 2008, at 1:58 PM, David Delbecq wrote:


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]


Re: hackers sending long URLs to probe site?

Posted by David Delbecq <de...@oma.be>.
DIGLLOYD INC wrote:
A bit late to respond, but it might also be a worm-infected computer
trying to probe your server to check if it can be used as an attack
vector. However, I am more used to worms checking for URLs containing
cmd.exe, which probes for security holes in IIS.



Re: hackers sending long URLs to probe site?

Posted by DIGLLOYD INC <di...@diglloyd.com>.
Christopher,

Thank you. This is helpful. Sorry about the "hijacked thread", I
didn't think of that.

Yes, I've double-checked that my site isn't generating the bad links.
It's all static HTML and I've searched for any duplications, "../../"
type things, etc. I don't currently generate any URLs, and the sheer
length of the duplication rules out any basic mistakes in static HTML.

I have directory indexes turned off, confirmed by seeing 404 codes on
certain directories in which I don't have index files (intentionally).

Lloyd


On Apr 24, 2008, at 10:12 AM, Christopher Schultz wrote:


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]