Posted to users@tomcat.apache.org by Joel <re...@ddcom.co.jp> on 2005/02/15 03:28:52 UTC

[OT] Re: tomcat hackers ...

> >Hello, I've been getting some things in my logs like ...

Always good to see people reading their logs.

> 217.20.113.110 - - [13/Feb/2005:09:41:39 -0500] "GET 

You could look that IP address up, try either dig or nslookup (or on Mac
OS X there is even a GUI network utility with an easy interface to
looking up domain names).

> /Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../hosting.html 

If every /.. is balanced by a preceding /Myapp, that's going nowhere in
particular fast. I'd explain it, but calculate the path out yourself.
Then check it from outside, say, from your home box, just so you get
comfortable with it. Try putting an extra ../ various places.

If the path substring were 32Kbytes long or longer, you could guess it
was an attempt at hiding a buffer overflow. Also, attempts at getting a
shell on a MSWxxx box tend to end in command.com or something.lib, so it
doesn't look like that. 

The one remaining danger, if /hosting.html is supposed to be restricted
access, it might be an attempt to hide an access to it.

> HTTP/1.1" 200 5564 "-" "Mozilla/4.0 (compatible; MSIE 5.16; Mac_PowerPC)"

Bleagh. Talk about a browser no one should be using any more, ...

> What is this guy getting from this ? Am I just paranoid or what ???

Like I say, you can always put the url together from your logs and try
it from an external box to see.

Paranoia is good. But you should follow up on it yourself.

--
Joel Rees   <re...@ddcom.co.jp>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **
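
The path calculation suggested in the message above, as an added example that is not part of the original post: it collapses the dot segments of a logged request, counts them, and reports whether the path ever climbs above the document root or resolves to a path listed as protected. The names `resolve`, `review` and `restricted` are hypothetical, the first log line is reassembled from the fragments quoted in the message, and the second is constructed.

```python
import re
from urllib.parse import unquote

# Request line plus status code in common/combined access-log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def resolve(target):
    """Collapse dot segments; return (resolved_path, dotdot_count, escaped_root)."""
    path = unquote(target.split("?", 1)[0])  # drop query, percent-decode once
    stack, dotdots, escaped = [], 0, False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdots += 1
            if stack:
                stack.pop()
            else:
                escaped = True  # ".." with nothing left to pop: climbs above the root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), dotdots, escaped

def review(line, restricted=()):
    """Summarise one log line; `restricted` is a hypothetical list of protected paths."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    resolved, dotdots, escaped = resolve(m.group("target"))
    hit = any(resolved == p or resolved.startswith(p.rstrip("/") + "/") for p in restricted)
    return {"resolved": resolved, "dotdots": dotdots, "escaped_root": escaped,
            "restricted_hit": hit, "status": int(m.group("status"))}

# Log line reassembled from the fragments quoted in the message above.
PAGE_LINE = ('217.20.113.110 - - [13/Feb/2005:09:41:39 -0500] "GET '
             '/Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../Myapp/../hosting.html '
             'HTTP/1.1" 200 5564 "-" "Mozilla/4.0 (compatible; MSIE 5.16; Mac_PowerPC)"')
# Constructed line (not from the post): encoded dot segments that do not balance.
CONSTRUCTED_LINE = ('192.0.2.10 - - [13/Feb/2005:09:50:00 -0500] '
                    '"GET /Myapp/%2e%2e/%2e%2e/outside.txt HTTP/1.1" 404 0 "-" "-"')

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(review(line, restricted=("/hosting.html",)))
```

The sketch decodes percent-escapes only once and does not model container-specific normalisation, so treat its result as a triage aid and confirm against the server itself, as the message suggests.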

