Posted to users@tomcat.apache.org by Evgeniy Strokin <ev...@yahoo.com> on 2001/12/13 19:04:51 UTC

somebody trying hack me, what they really wanted?

Hi,
Tonight, somebody tried to hack our Tomcat 3.2.3 on Win2000.
Here is the log:

2001-12-13 01:18:35 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 01:18:36 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 01:18:42 - Ctx(  ): 404 R(  + /c/winnt/system32/cmd.exe + null) null
2001-12-13 01:18:46 - Ctx(  ): 404 R(  + /d/winnt/system32/cmd.exe + null) null
2001-12-13 01:18:47 - Ctx(  ): 404 R( /scripts/..%255c../winnt/system32/cmd.exe) null
2001-12-13 01:18:50 - Ctx(  ): 404 R( /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe) null
2001-12-13 01:18:51 - Ctx(  ): 404 R( /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe) null
2001-12-13 01:19:00 - Ctx(  ): 404 R( /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe) null
2001-12-13 01:19:00 - Ctx(  ): 404 R(  + /scripts/..??../winnt/system32/cmd.exe + null) null
2001-12-13 01:19:01 - Ctx(  ): 404 R( /scripts/..%c0%2f../winnt/system32/cmd.exe) null
2001-12-13 01:19:31 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
        at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
        at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
        at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
        at java.lang.Thread.run(Unknown Source)

2001-12-13 01:50:41 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 01:50:41 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 01:51:09 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
        at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
        at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
        at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
        at java.lang.Thread.run(Unknown Source)

2001-12-13 06:08:24 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 06:08:24 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 06:08:25 - Ctx(  ): 404 R(  + /c/winnt/system32/cmd.exe + null) null
2001-12-13 06:08:25 - Ctx(  ): 404 R(  + /d/winnt/system32/cmd.exe + null) null
2001-12-13 06:08:25 - Ctx(  ): 404 R( /scripts/..%255c../winnt/system32/cmd.exe) null
2001-12-13 06:08:25 - Ctx(  ): 404 R( /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R( /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R( /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(  + /scripts/..??../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:26 - Ctx(  ): 404 R( /scripts/..%c0%2f../winnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(  + /scripts/..?»../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:27 - Ctx(  ): 404 R(  + /scripts/..??../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:27 - ContextManager: RequestImpl.setServletPath: Unable to decode servlet path, using encoded version.  path = /scripts/..%%35%63../winnt/system32/cmd.exe
2001-12-13 06:08:27 - Ctx(  ): 404 R(  + /scripts/..%%35%63../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:27 - ContextManager: RequestImpl.setServletPath: Unable to decode servlet path, using encoded version.  path = /scripts/..%%35c../winnt/system32/cmd.exe
2001-12-13 06:08:27 - Ctx(  ): 404 R(  + /scripts/..%%35c../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:28 - Ctx(  ): 404 R( /scripts/..%25%35%63../winnt/system32/cmd.exe) null
2001-12-13 06:08:28 - Ctx(  ): 404 R( /scripts/..%252f../winnt/system32/cmd.exe) null
2001-12-13 06:18:21 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 06:18:22 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 06:26:40 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 06:26:52 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 06:27:01 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
        at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
        at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
        at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
        at java.lang.Thread.run(Unknown Source)

Is it something serious, or had they tried to run NIMDA virus files or
something like that?
What do you think?

Best regards,
Jenya Strokin
-------------------------------------------------
Only a young and very healthy cretin can believe,
as if the world is an objective reality
not dependent on our consciousness.
--------------------------------------------------


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
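
Added example, not part of any message in this thread: a Python triage pass over the request entries in the log above. It repeatedly percent-decodes each requested path, folds the 0xC0/0xC1 two-byte sequences the way a non-validating UTF-8 decoder would, and reports what each request resolves to and whether any flagged request got anything other than a 404. The function names, finding labels and the entry regex are this example's own assumptions, inferred from the log lines in the post.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the log in the post, with the
# console line wraps joined back into single lines.
SAMPLE_LOG = """\
2001-12-13 01:18:35 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 01:18:42 - Ctx(  ): 404 R(  + /c/winnt/system32/cmd.exe + null) null
2001-12-13 01:18:47 - Ctx(  ): 404 R( /scripts/..%255c../winnt/system32/cmd.exe) null
2001-12-13 01:19:00 - Ctx(  ): 404 R( /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe) null
2001-12-13 01:19:01 - Ctx(  ): 404 R( /scripts/..%c0%2f../winnt/system32/cmd.exe) null
2001-12-13 06:08:27 - Ctx(  ): 404 R(  + /scripts/..%%35%63../winnt/system32/cmd.exe + null) null
2001-12-13 06:08:28 - Ctx(  ): 404 R( /scripts/..%25%35%63../winnt/system32/cmd.exe) null
2001-12-13 06:08:28 - Ctx(  ): 404 R( /scripts/..%252f../winnt/system32/cmd.exe) null
"""

# Matches both shapes seen in the log: "R(  + /path + null)" and "R( /path)".
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Ctx\(.*?\): (?P<status>\d{3}) "
    r"R\(\s*(?:\+\s+)?(?P<path>\S+)(?:\s\+\s\S+)?\)")
HEX_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")      # '%' not followed by two hex digits
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.DOTALL)  # lead bytes never valid in UTF-8
PROBED_FILES = {b"cmd.exe", b"root.exe"}               # file names requested in the log
MAX_ROUNDS = 5                                         # bound on decode passes


def percent_decode_once(data):
    """One pass of %XX decoding; escapes that are not valid hex are left alone."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def fold_overlong(data):
    """Decode 0xC0/0xC1-led pairs as a decoder that skips validation would.

    (lead & 0x1F) << 6 | (next & 0x3F) turns C0 2F into '/' and C1 1C into a backslash.
    Returns (new_bytes, number_of_pairs_folded).
    """
    def fold(m):
        lead, nxt = m.group(1)[0], m.group(2)[0]
        return bytes([((lead & 0x1F) << 6) | (nxt & 0x3F)])
    return OVERLONG.subn(fold, data)


def analyse(path):
    """Return (canonical_path, sorted findings) for one requested path."""
    data = path.encode("latin-1", "replace")
    findings = set()
    if BAD_ESCAPE.search(path):
        findings.add("malformed-escape")  # what Tomcat logged as "Unable to decode"
    pct_rounds = 0
    for _ in range(MAX_ROUNDS):
        step = percent_decode_once(data)
        if step != data:
            pct_rounds += 1
        step, folded = fold_overlong(step)
        if folded:
            findings.add("overlong-utf8")
        if step == data:
            break
        data = step
    if pct_rounds > 1:
        findings.add("multi-round-encoding")
    canonical = data.replace(b"\\", b"/").lower()
    segments = canonical.split(b"/")
    if b".." in segments:
        findings.add("traversal")
    if segments[-1] in PROBED_FILES:
        findings.add("exe-probe")
    return canonical.decode("latin-1"), sorted(findings)


def scan(log_text):
    """Analyse every request entry; stack traces and other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        canonical, findings = analyse(m.group("path"))
        results.append({"ts": m.group("ts"), "status": int(m.group("status")),
                        "path": m.group("path"), "canonical": canonical,
                        "findings": findings})
    return results


def served_probes(results):
    """Flagged requests that did not get a 404: the ones worth investigating."""
    return [r for r in results if r["findings"] and r["status"] != 404]


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        print(r["ts"], r["status"], r["canonical"], ",".join(r["findings"]))
    print(Counter(f for r in results for f in r["findings"]))
    print("flagged requests answered with something other than 404:",
          len(served_probes(results)))
```

Every entry in the posted log carries status 404, so `served_probes` returns an empty list for it; a non-empty result is the case that needs follow-up.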


Re: somebody trying hack me, what they really wanted?

Posted by Paul DuBois <pa...@snake.net>.
It's a Code Red or Nimda attack, probably from an infected IIS server.

On Thu, Dec 13, 2001 at 01:04:51PM -0500, Evgeniy Strokin wrote:
> Hi,
> tonight, somebody had tried hack our Tomcat 3.2.3 in win2000.
> Here is the log:
> 
> 2001-12-13 01:18:35 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
> 2001-12-13 01:18:36 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
> 2001-12-13 01:18:42 - Ctx(  ): 404 R(  + /c/winnt/system32/cmd.exe + null)
> null
> 2001-12-13 01:18:46 - Ctx(  ): 404 R(  + /d/winnt/system32/cmd.exe + null)

[snip]

> 
> Is it something serious or they had tried run NIMDA virus files or something
> like that?
> What do you think?
> 
> Best regards,
> Jenya Strokin



Re: somebody trying hack me, what they really wanted?

Posted by "Dr. Evil" <dr...@sidereal.kz>.
I get those all the time.  I wish I could put a sign on my computer
that says, "You're wasting your time.  This machine is running
Tomcat/Linux.  Find someone running Windows".  On a more serious note,
this is a computer hacking attack, and it comes across state lines.
Could I get the FBI to investigate these things?  I'm sure this is a
Federal crime.



Re: somebody trying hack me, what they really wanted?

Posted by David Cassidy <dc...@hotgen.com>.
NIMDA
 ...

Just put a file there for it to get ;-)

D


Evgeniy Strokin wrote:

> Hi,
> tonight, somebody had tried hack our Tomcat 3.2.3 in win2000.
> Here is the log:
>
> Is it something serious or they had tried run NIMDA virus files or something
> like that?
> What do you think?
>
> Best regards,
> Jenya Strokin


Re: somebody trying hack me, what they really wanted?

Posted by Amine AMAR <a....@dns1.caciopee.com>.
I'm on two different servers
----- Original Message ----- 
From: "E B" <he...@yahoo.co.uk>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, December 14, 2001 9:28 AM
Subject: Re: somebody trying hack me, what they really wanted?


> just for statistics, how many of you run tomcat
> directly without apache/iis, with your machine
> being on the internet.
> 
> All the responses for this thread indicate they
> do so. Be careful, I know of one machine which
> was compromised and which had tomcat on 80.
> although I am not sure that hack was through
> tomcat.


Re: somebody trying hack me, what they really wanted?

Posted by Denis Balazuc <de...@trader.com>.
I do

----- Original Message ----- 
From: "E B" <he...@yahoo.co.uk>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, December 14, 2001 04:28 AM
Subject: Re: somebody trying hack me, what they really wanted?


> just for statistics, how many of you run tomcat
> directly without apache/iis, with your machine
> being on the internet.
> 
> All the responses for this thread indicate they
> do so. Be careful, I know of one machine which
> was compromised and which had tomcat on 80.
> although I am not sure that hack was through
> tomcat.


Re: somebody trying hack me, what they really wanted?

Posted by E B <he...@yahoo.co.uk>.
just for statistics, how many of you run tomcat
directly without apache/iis, with your machine
being on the internet.

All the responses for this thread indicate they
do so. Be careful, I know of one machine which
was compromised and which had tomcat on 80.
although I am not sure that hack was through
tomcat.



Re: somebody trying hack me, what they really wanted?

Posted by Dom <do...@free.fr>.
My linux server has been attacked too for a couple of weeks. I don't care

Dom

----- Original Message -----
From: "Jim Urban" <ji...@netsteps.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, December 13, 2001 7:07 PM
Subject: RE: somebody trying hack me, what they really wanted?


> You were hacked by one of those Nimda type worm viruses.  Be glad you were
> not running IIS, you could have been in big trouble.
>
> Jim
>
> -----Original Message-----
> From: Evgeniy Strokin [mailto:evgeniy_strokin@yahoo.com]
> Sent: Thursday, December 13, 2001 12:05 PM
> To: tomcat-user@jakarta.apache.org
> Subject: somebody trying hack me, what they really wanted?
>
>
> Hi,
> tonight, somebody had tried hack our Tomcat 3.2.3 in win2000.
> Here is the log:
>
> Is it something serious or they had tried run NIMDA virus files or something
> like that?
> What do you think?
>
> Best regards,
> Jenya Strokin


RE: somebody trying hack me, what they really wanted?

Posted by Jim Urban <ji...@netsteps.net>.
You were hacked by one of those Nimda type worm viruses.  Be glad you were
not running IIS, you could have been in big trouble.

Jim

-----Original Message-----
From: Evgeniy Strokin [mailto:evgeniy_strokin@yahoo.com]
Sent: Thursday, December 13, 2001 12:05 PM
To: tomcat-user@jakarta.apache.org
Subject: somebody trying hack me, what they really wanted?


Hi,
tonight, somebody had tried hack our Tomcat 3.2.3 in win2000.
Here is the log:

null
2001-12-13 06:08:25 - Ctx(  ): 404 R(
/scripts/..%255c../winnt/system32/cmd.exe)
 null
2001-12-13 06:08:25 - Ctx(  ): 404 R(
/_vti_bin/..%255c../..%255c../..%255c../wi
nnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(
/_mem_bin/..%255c../..%255c../..%255c../wi
nnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(
/msadc/..%255c../..%255c../..%255c/..%c1%1
c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(  +
/scripts/..??../winnt/system32/cmd.exe
+ null) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(
/scripts/..%c0%2f../winnt/system32/cmd.exe
) null
2001-12-13 06:08:26 - Ctx(  ): 404 R(  +
/scripts/..?»../winnt/system32/cmd.exe
+ null) null
2001-12-13 06:08:27 - Ctx(  ): 404 R(  +
/scripts/..??../winnt/system32/cmd.exe
+ null) null
2001-12-13 06:08:27 - ContextManager: RequestImpl.setServletPath: Unable to
deco
de servlet path, using encoded version.  path =
/scripts/..%%35%63../winnt/syste
m32/cmd.exe
2001-12-13 06:08:27 - Ctx(  ): 404 R(  +
/scripts/..%%35%63../winnt/system32/cmd
.exe + null) null
2001-12-13 06:08:27 - ContextManager: RequestImpl.setServletPath: Unable to
deco
de servlet path, using encoded version.  path =
/scripts/..%%35c../winnt/system3
2/cmd.exe
2001-12-13 06:08:27 - Ctx(  ): 404 R(  +
/scripts/..%%35c../winnt/system32/cmd.e
xe + null) null
2001-12-13 06:08:28 - Ctx(  ): 404 R(
/scripts/..%25%35%63../winnt/system32/cmd.exe) null
2001-12-13 06:08:28 - Ctx(  ): 404 R(
/scripts/..%252f../winnt/system32/cmd.exe)
 null
2001-12-13 06:18:21 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 06:18:22 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 06:26:40 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 06:26:52 - Ctx(  ): 404 R(  + /MSADC/root.exe + null) null
2001-12-13 06:27:01 - ContextManager: SocketException reading request,
ignored -
 java.net.SocketException: Connection reset by peer: JVM_recv in socket
input st
ream read
        at java.net.SocketInputStream.socketRead(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at
org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestA
dapter.java:115)
        at
org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServ
letInputStream.java:106)
        at
org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServle
tInputStream.java:128)
        at
javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138
)
        at
org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(Htt
pRequestAdapter.java:129)
        at
org.apache.tomcat.service.http.HttpConnectionHandler.processConnectio
n(HttpConnectionHandler.java:198)
        at
org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:
416)
        at
org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java
:501)
        at java.lang.Thread.run(Unknown Source)

Is it something serious, or had they tried to run NIMDA virus files or something
like that?
What do you think?

Best regards,
Jenya Strokin
-------------------------------------------------
Only a young and very healthy cretin can believe,
as if the world is an objective reality
not dependent on our consciousness.
--------------------------------------------------


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
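
One way to triage the request paths in the log quoted above, as an added example that is not part of the original post or of Tomcat: it decodes each path repeatedly and flags multi-layer percent-encoding (`%255c`), stray `%` escapes (`%%35%63`), 0xC0/0xC1 bytes (never valid in UTF-8), `..` segments, and `cmd.exe`/`root.exe` targets. The function names, flag names and the final benign log line are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Log lines from the post above with mail line wraps rejoined; the last one is constructed.
SAMPLE_LOG = """\
2001-12-13 01:18:35 - Ctx(  ): 404 R(  + /scripts/root.exe + null) null
2001-12-13 01:18:47 - Ctx(  ): 404 R( /scripts/..%255c../winnt/system32/cmd.exe) null
2001-12-13 01:19:01 - Ctx(  ): 404 R( /scripts/..%c0%2f../winnt/system32/cmd.exe) null
2001-12-13 06:08:27 - Ctx(  ): 404 R(  + /scripts/..%%35%63../winnt/system32/cmd.exe + null) null
2001-12-13 06:30:00 - Ctx(  ): 404 R(  + /favicon.ico + null) null
"""

# Timestamp, HTTP status and request path of a Tomcat 3.2 "Ctx( ): 404 R(...)" line.
REQUEST = re.compile(r"^(\S+ \S+) - Ctx\(.*?\): (\d{3}) R\(\s*(?:\+\s*)?(/[^\s)]*)")
BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
TARGETS = (b"cmd.exe", b"root.exe")

def classify(path, max_rounds=5):
    """Return the set of probe indicators present in one request path."""
    flags, data, rounds = set(), path.encode("latin-1", "replace"), 0
    while rounds < max_rounds:
        if BAD_ESCAPE.search(data):
            flags.add("malformed-escape")
        decoded = unquote_to_bytes(data)
        if decoded == data:          # nothing left to decode
            break
        data, rounds = decoded, rounds + 1
    if rounds > 1:                   # needed more than one decoding pass
        flags.add("multi-encoded")
    if b"\xc0" in data or b"\xc1" in data:
        flags.add("overlong-utf8-lead")
    if b".." in re.split(rb"[\\/]", data):   # '..' segment, either separator
        flags.add("traversal")
    if data.lower().endswith(TARGETS):
        flags.add("exe-target")
    return flags

def scan(log_text):
    """Yield (timestamp, status, path, sorted flags) for every flagged request."""
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and (flags := classify(m.group(3))):
            yield m.group(1), int(m.group(2)), m.group(3), sorted(flags)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Every flagged request in the sample carries status 404, which is the field to watch: any other status on a flagged path would mean the server answered the probe rather than rejecting it.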


