Something strange in my catalina log file (possible hack?)


outis

Programmer
Jun 20, 2001
21
MX
Hi there, yesterday my Tomcat server shut itself down (my Oracle DB too) without apparent reason. While looking for the root cause I found some particular lines in my catalina log file that I can't interpret myself, so I need help to understand these log lines.
I will appreciate your help and time.

/*Log lines */
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/...................../config.sys'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/..................../boot.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/.................../boot.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/................../boot.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/................./boot.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/................/boot.ini'
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/.............../boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/............../boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/............./boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/............/boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/.........../boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/........../autoexec.bat'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/........../boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/........./boot.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/......../boot.ini'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/......./boot.ini'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/....../'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/....../'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/....../autoexec.bat'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/....../boot.ini'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/....../config.sys'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/...../boot.ini'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/..../boot.ini'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/..../config.sys'
2004-04-04 12:23:15 HttpProcessor[80][3] Invalid request URI: '/..../Windows/Admin.pwl'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/.../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../../../../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../../../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../../Scandisk.log'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../../winnt/repair/sam._'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../boot.ini'
2004-04-04 12:23:16 HttpProcessor[80][3] Invalid request URI: '/../../../../config.sys'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../../autoexec.bat'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../../boot.ini'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../../scandisk.log'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../boot.ini'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../windows/user.dat'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../../winnt/win.ini'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/../boot.ini'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/..\..\..\..\..\..\autoexec.bat'
2004-04-04 12:23:17 HttpProcessor[80][3] Invalid request URI: '/..\..\..\..\..\autoexec.bat'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\..\..\..\autoexec.bat'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\..\..\autoexec.bat'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\..\..\winnt\repair\sam._'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\..\autoexec.bat'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\\..\\..\\..\\..\\..\autoexec.bat'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/..\\..\\..\winnt\repair\sam._'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/.html/............*/config.sys'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/.html/............./config.sys'
2004-04-04 12:23:18 HttpProcessor[80][3] Invalid request URI: '/.html/............/autoexec.bat'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/\../boot.ini'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/\../config.sys'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/_mem_bin/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/_mem_bin/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/_mem_bin/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:19 HttpProcessor[80][3] Invalid request URI: '/_mem_bin/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:20 HttpProcessor[80][3] Invalid request URI: '/_vti_bin/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:20 HttpProcessor[80][3] Invalid request URI: '/_vti_bin/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:21 HttpProcessor[80][3] Invalid request URI: '/_vti_bin/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:21 HttpProcessor[80][3] Invalid request URI: '/_vti_bin/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:23 HttpProcessor[80][3] Invalid request URI: '/a.asp/..\../..\../winnt/repair/sam'
2004-04-04 12:23:24 HttpProcessor[80][3] Invalid request URI: '/a.jsp//..//..//..//..//..//../winnt/win.ini'
2004-04-04 12:23:25 HttpProcessor[80][3] Invalid request URI: '/bin/scripts/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:25 HttpProcessor[80][3] Invalid request URI: '/bin/scripts/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:25 HttpProcessor[80][3] Invalid request URI: '/bin/scripts/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:25 HttpProcessor[80][3] Invalid request URI: '/bin/scripts/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:30 HttpProcessor[80][3] Invalid request URI: '/cgi-bin/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:30 HttpProcessor[80][3] Invalid request URI: '/cgi-bin/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:30 HttpProcessor[80][3] Invalid request URI: '/cgi-bin/..\\..\\..\\..\\..\\..\\winnt\system32\cmd.exe'
2004-04-04 12:23:37 HttpProcessor[80][3] Invalid request URI: '/default.asp%2e'
2004-04-04 12:23:37 HttpProcessor[80][3] Invalid request URI: '/default.asp%2e%41sp'
2004-04-04 12:23:42 HttpProcessor[80][3] Invalid request URI: '/index.asp%2e'
2004-04-04 12:23:42 HttpProcessor[80][3] Invalid request URI: '/index.asp%2e%41sp'
2004-04-04 12:23:43 HttpProcessor[80][3] Invalid request URI: '/index.php3.%5c../..%5cconf/httpd.conf'
2004-04-04 12:23:43 HttpProcessor[80][3] Invalid request URI: '/main.asp%2e'
2004-04-04 12:23:43 HttpProcessor[80][3] Invalid request URI: '/main.asp%2e%41sp'
2004-04-04 12:23:44 HttpProcessor[80][3] Invalid request URI: '/msadc/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:44 HttpProcessor[80][3] Invalid request URI: '/msadc/../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:44 HttpProcessor[80][3] Invalid request URI: '/msadc/..\../..\../..\../winnt/system32/cmd.exe'
2004-04-04 12:23:44 HttpProcessor[80][3] Invalid request URI: '/msadc/..\../..\../..\../winnt/system32/cmd.exe'
2004-04-04 12:23:44 HttpProcessor[80][3] Invalid request URI: '/msadc/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:45 HttpProcessor[80][3] Invalid request URI: '/msadc/..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:47 HttpProcessor[80][3] Invalid request URI: '/scripts/../../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/../../../../../winnt/system32/cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/../../cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/../../winnt/system32/cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/..\../winnt/system32/cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/..\..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:48 HttpProcessor[80][3] Invalid request URI: '/scripts/..\..\..\..\../winnt/system32/cmd.exe'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../../../../etc/passwd'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../../../etc/passwd'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../../etc/passwd'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../etc/passwd'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../passwd'
2004-04-04 12:23:58 HttpProcessor[80][10] Invalid request URI: '/../../shadow'
2004-04-04 12:24:21 HttpProcessor[80][10] Invalid request URI: '/index.js%2570'
2004-04-04 17:21:52 HttpProcessor[80][10] process.parse
java.io.IOException: Line too long
at org.apache.catalina.connector.http.SocketInputStream.readRequestLine(SocketInputStream.java:271)
at org.apache.catalina.connector.http.HttpProcessor.parseRequest(HttpProcessor.java:710)
at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:974)
at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
at java.lang.Thread.run(Thread.java:536)

2004-04-04 17:58:51 HttpProcessor[80][10] process.parse
java.io.IOException: Line too long
at org.apache.catalina.connector.http.SocketInputStream.readRequestLine(SocketInputStream.java:271)
at org.apache.catalina.connector.http.HttpProcessor.parseRequest(HttpProcessor.java:710)
at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:974)
at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
at java.lang.Thread.run(Thread.java:536)

2004-04-04 21:08:12 HttpProcessor[80][3] process.parse
java.io.IOException: Line too long
at org.apache.catalina.connector.http.SocketInputStream.readRequestLine(SocketInputStream.java:271)
at org.apache.catalina.connector.http.HttpProcessor.parseRequest(HttpProcessor.java:710)
at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:974)
at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
at java.lang.Thread.run(Thread.java:536)

 
If this was not you - this is definitely a hack.
 
Hi sedj, I'm using Apache Tomcat 4.0.6. Do you know of a fix to prevent this kind of attack? Could you give me some pages or white papers that can help me?
Thanks in advance.
 
Security depends on the kind of organisation you are in (ie how much you can afford to set up).

I would :
- buy a hefty firewall
- cut down the information and programs required on your webserver - so remove all unrequired programs like telnet, ftp, ping.
- I would shift your webserver to Linux or UNIX, because there are not so many viruses for these servers, and also you can lock down specific ports and IPs simply (iptables)
- Lock down any access to any other box except your anything vital.
- Never mount your LAN to your webserver. If you must take files from a LAN, then use a secure protocol for transferring data like an RMI server with SSL.
- rename and move programs related to network information and access to places where hackers would not usually look.
- Be frugal with file permissions.
- Only allow one or two users access to the box and restrict their privileges.

The list goes on and on.

To stop stupid requests like above (which obviously Tomcat would not serve out), look into using Tomcat filters (google it), which will redirect any pages you specify as being out of bounds etc.
 
I'm having the same problem you are. I found you through a Google search, which also revealed one other person reporting the same symptoms. The other posting is dated March 31, yours is dated April 5, and my trouble started somewhere during that time.

I think this is possibly a new virus or hack, and I propose that you, me and the other person join forces to share info and try to beat the thing.

The third guy is on a different message board, and I'm going to contact him next. I suggest that if we want to join forces, we exchange e-mail and phone numbers for more efficient contact.

By the way, the problem I share is the "java.io.IOException: Line too long". The "invalid request" errors may be coming from another source. I've been getting them off and on for years, and can explain more about them later. They are usually annoying, but not harmful.
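
Added example (not written by any poster in this thread): a triage script for the catalina log format shown in the first post. It percent-decodes each rejected URI repeatedly, labels the probing technique, and groups events into bursts, which separates the scan around 12:23 from the "Line too long" exceptions hours later. The label names and the 300-second gap are assumptions chosen for this sketch.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote
SAMPLE = r"""
2004-04-04 12:23:13 HttpProcessor[80][3] Invalid request URI: '/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini'
2004-04-04 12:23:14 HttpProcessor[80][3] Invalid request URI: '/............/boot.ini'
2004-04-04 12:24:21 HttpProcessor[80][10] Invalid request URI: '/index.js%2570'
2004-04-04 17:21:52 HttpProcessor[80][10] process.parse
java.io.IOException: Line too long
"""  # excerpt of the log posted above, embedded so the script runs offline
EVENT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) HttpProcessor\[\d+\]\[\d+\] (?:Invalid request URI: '(.*)'|(.*))$")

def decode(uri, rounds=3):
    """Percent-decode repeatedly so double encoding (%2570 -> %70 -> p) shows up."""
    for _ in range(rounds):
        uri = unquote(uri)
    return uri

def classify(uri):
    """Label a rejected URI by the probing technique it uses (labels are this sketch's own)."""
    plain = decode(uri).replace("\\", "/")        # treat '\' as a path separator
    if re.search(r"(^|/)\.\.(/|$)", plain):
        return "dot-dot traversal"
    if re.search(r"(^|/)\.{3,}(/|$)", plain):
        return "multi-dot traversal"
    return "encoded-name probe" if plain != uri.replace("\\", "/") else "other"

def parse(text):
    """Return [timestamp, kind] per event; an exception line renames the event above it."""
    events = []
    for raw in text.splitlines():
        m = EVENT.match(raw)
        if m:
            kind = classify(m.group(2)) if m.group(2) is not None else m.group(3)
            events.append([datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), kind])
        elif events and raw.startswith("java.io.IOException: "):
            events[-1][1] = raw.split(": ", 1)[1]
    return events

def bursts(events, gap_seconds=300):
    """Group events into runs separated by more than gap_seconds of silence."""
    runs = []
    for ts, kind in events:
        if not runs or (ts - runs[-1]["end"]).total_seconds() > gap_seconds:
            runs.append({"start": ts, "end": ts, "kinds": Counter()})
        runs[-1]["end"] = ts
        runs[-1]["kinds"][kind] += 1
    return runs
```

Calling `bursts(parse(open("catalina_log.txt").read()))` on a full log (the file name is a placeholder) gives one entry per burst with its start, end and a count per label.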
 