hack attempts from IP 127.0.0.1 - is there an exploit to be aware of? - linux

I have noticed numerous entries in Tomcat's local_access_log for various resources coming from IP address 127.0.0.1. These are clearly attempts to hack in. For example, here is a request to get access to the "manager" app:
127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474
here is another one:
127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 1016
When decoded, the URL is this:
127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n HTTP/1.1" 404 1016
There are lots of such entries, all from IP address 127.0.0.1. Obviously, since this is the address of localhost, I can't block it. Moreover, I am not sure if there is anything I can do about it. Is there possibly an exploit that should be patched? For instance, is there a version of Tomcat that has a related vulnerability? I am running Tomcat 8.
Much thanks for any advice!
UPDATE: thanks for the suggestion about a proxy. It turned out that httpd was indeed installed and, not surprisingly, there are suspicious requests. For example:
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
This is not a Windows system, so cmd.exe has no place on it...

If you have a proxy server running on your computer, that will often receive requests and then call the primary server using the localhost (127.0.0.1) interface.
This could explain why you're logging these requests.
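One way to make sense of such entries, as an added example that is not part of the original question or the answer above: a Python script that parses Tomcat's common-log-format lines, percent-decodes the request target (treating a plus sign as a space only in the query string, which is how the php-cgi options in the post are separated), and tags the three probe patterns visible on this page. The sample lines are constructed for the example: the php-cgi query string is abbreviated to three of the -d options from the post, the traversal line is a made-up Tomcat-format rendering of the httpd entries, and the last line is benign for contrast. The signature names are this example's own.

```python
import re
from urllib.parse import unquote, unquote_plus

# Tomcat's default AccessLogValve "common" pattern.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample input (see lead-in). Line 2 decodes to
# "-d allow_url_include=on -d auto_prepend_file=php://input -n".
SAMPLE_LOG = """\
127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474
127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 1016
127.0.0.1 - - [30/Apr/2015:21:25:10 +0000] "GET /_mem_bin/..%2F..%2F..%2F..%2Fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1016
127.0.0.1 - - [30/Apr/2015:21:26:44 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
"""

# php.ini overrides that only make sense when an attacker wants php-cgi to
# execute whatever is POSTed (the CVE-2012-1823 argument-injection pattern).
PHP_CGI_MARKERS = ("allow_url_include=on", "auto_prepend_file=php://input")


def parse_clf(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_target(target):
    """Split the request target into (path, query) and percent-decode each part.

    '+' is a literal character in the path but a space in the query string, so
    the two halves must be decoded with different rules.
    """
    path, _, query = target.partition("?")
    return unquote(path), unquote_plus(query)


def classify(entry):
    """Return the signature names that match one parsed entry (empty if benign)."""
    path, query = decode_target(entry["target"])
    tags = []
    if path.startswith("/manager/") or path.startswith("/host-manager/"):
        tags.append("tomcat_manager_probe")
    if "/cgi-bin/php" in path and "-d " in query and any(m in query for m in PHP_CGI_MARKERS):
        tags.append("php_cgi_argument_injection")
    if "../" in path or "cmd.exe" in path.lower():
        tags.append("path_traversal")
    return tags


def scan(log_text):
    """Run every line through the signatures; return one finding per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue  # blank, truncated or non-CLF line
        tags = classify(entry)
        if not tags:
            continue
        path, query = decode_target(entry["target"])
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "status": entry["status"],
            "decoded": path + ("?" + query if query else ""),
            "tags": tags,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["tags"]), f["decoded"])
```

The IP column is 127.0.0.1 for every finding because that is all Tomcat sees when a proxy on the same host relays the request; the originating addresses are in the proxy's own access log. To have Tomcat record them itself, put org.apache.catalina.valves.RemoteIpValve (which reads the X-Forwarded-For header that mod_proxy_http adds) ahead of the AccessLogValve in server.xml and set requestAttributesEnabled="true" on the AccessLogValve. The decoded query also answers the "is there an exploit" question: it is a php-cgi argument-injection attempt (CVE-2012-1823) aimed at a PHP CGI binary that this Tomcat does not serve, hence the 404, while the /manager/html probe got the 401 that the manager application returns to unauthenticated requests.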

Related

Intermittent Service not available Error in Elasticbeanstalk application

We have been using a web server with Elastic Beanstalk since 2019. The platform is Tomcat 8.5 with Java 8 running on 64-bit Amazon Linux, with httpd as proxy.
Recently (from Jan 30th) we started getting Service Unavailable errors from time to time when going to the endpoint; if we refresh 2-3 times it resolves on its own.
I then downloaded the full logs. Under elasticbeanstalk-error_log I can see:
[Mon Feb 28 10:00:58.338035 2022] [proxy:error] [pid 14882:tid 139757313533696] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/httpd/ (localhost) failed
[Mon Feb 28 10:00:58.338078 2022] [proxy_http:error] [pid 14882:tid 139757313533696] [client <private-ip-here>:12566] AH01114: HTTP: failed to make connection to backend: httpd-UDS, referer: http://<custom-end-point>/1/<name.jsp>?s=sec$$4P!&refresh=300
[Mon Feb 28 10:43:40.663468 2022] [proxy:error] [pid 14882:tid 139757120071424] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/httpd/ (localhost) failed
[Mon Feb 28 10:43:40.663518 2022] [proxy_http:error] [pid 14882:tid 139757120071424] [client <private-ip-here>:21136] AH01114: HTTP: failed to make connection to backend: httpd-UDS
repeated multiple times from Jan 30th.
When I look at access.log, I can see 503 errors logged at exactly the same times as the permission-denied errors in elasticbeanstalk-error_log.
I also looked at the running processes using ps -aux | grep HTTPd and ps -aux | grep tomcat; both have been running since 2019 with no restarts.
What more can I do to troubleshoot these issues?

We are running a web application written in Java (Tomcat 8) hosted in AWS Elastic Beanstalk.
Some weeks back we started getting 503 errors randomly.
When we checked the elasticbeanstalk-error_log:
[Thu Mar 03 13:22:12.906144 2022] [proxy:error] [pid 14882:tid 139757338711808] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/httpd/ (localhost) failed
[Thu Mar 03 13:22:12.906202 2022] [proxy_http:error] [pid 14882:tid 139757338711808] [client 172.31.17.0:61382] AH01114: HTTP: failed to make connection to backend: httpd-UDS, referer: http://our-domain.com/1/callBackLog.jsp
The error logs suggest a connection error with a backend Unix socket.
When we checked the /var/run/httpd/ folder, there were no Unix sockets (.sock files).
But in the Apache httpd config
<VirtualHost *:80>
  <Proxy *>
    Require all granted
  </Proxy>
  ProxyPass / http://localhost:8080/ retry=0
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost on
  ErrorLog /var/log/httpd/elasticbeanstalk-error_log
</VirtualHost>
the proxy backend is an IP address, not a Unix socket.
As per the config, httpd should connect to the backend address (localhost:8080), so why is it complaining about a Unix socket?
Has anyone faced similar issues?

Too Many Redirects on OpenShift after push

I have a node.js application running on openshift. After testing my code on a local environment I pushed it up to my instance on openshift. After doing so, I went to check those changes on the public site and my browser reported that I was getting too many redirects. I tried to look at my haproxy status and even that was getting too many redirects.
I have done some investigation and here is what I've found:
I checked my nodejs logs and my node server started successfully (no errors)
I've ssh'd into my machine and ran curl -vvv $OPENSHIFT_NODEJS_IP:8080 and I was returned my index.html as I should.
When I run curl -vvv http://minutepolitics-minutepolitics.rhcloud.com/ I get this response:
RESPONSE:
Hostname was NOT found in DNS cache
Trying 54.81.203.46...
Connected to minutepolitics-minutepolitics.rhcloud.com (54.81.203.46) port 80 (#0)
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: minutepolitics-minutepolitics.rhcloud.com
Accept: */*
HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 03:26:06 GMT
Server Apache/2.2.15 (Red Hat) is not blacklisted
Server: Apache/2.2.15 (Red Hat)
Vary: Host
X-Powered-By: PHP/5.3.3
Location: http://minutepolitics-minutepolitics.rhcloud.com/
Connection: close
Accept-Ranges: none
Content-Length: 0
Content-Type: text/html
Closing connection 0
Also, when I ssh into my machine and run /etc/init.d/haproxy start the output is: Starting haproxy: [ALERT] 294/230821 (134951) : Starting frontend main: cannot bind socket [FAILED]
From here, I don't know what to do or try to get this working again.
Any and all help will be greatly appreciated! Thanks!!

Couchdb Logging

Due to application requirements, I have an externally accessible CouchDB instance. I would like to see what IP addresses are attempting to authenticate with my database. By checking the couchdb.log file, I can see failed authentication attempts. They look similar to this.
[Mon, 29 Sep 2014 13:43:32 GMT] [info] [<0.28472.7>] 127.0.0.1 - - GET /offline_master/ 401
However, no matter where I connect from, it seems that the IP address that is logged is always 127.0.0.1. Am I mis-understanding how this works? I would really like to see the IP address that is attempting to connect.
The 127.0.0.1 is the address CouchDB is bound to. It's there because you can set up CouchDB to respond differently depending on what host name is being used.
The only way to get the client ip address is by turning the logging level to "debug". You can do this in the configuration page in futon.
You get records like this (client IP is on 1st line):
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] 'GET' / {1,1} from "192.168.1.52"
Headers: [{'Accept',"*/*"},
{'Host',"localhost:5984"},
{'User-Agent',"curl/7.30.0"}]
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] OAuth Params: []
[Tue, 30 Sep 2014 00:14:27 GMT] [info] [<0.451.4>] 127.0.0.1 - - GET / 200
Be careful with this. The debug logs are extremely verbose. It doesn't take long to fill up a hard drive.
It is possible to set log levels by module. The module you need to set is couch_httpd. Set the default for the rest to "error" or "fatal".
See: 3.6.2 Per module logging
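To turn those debug records into the per-address view the question asks for, here is an added Python example (not code from the answer above or from CouchDB itself). It walks a CouchDB 1.x log in the format the answer shows, remembers the client address from each debug line keyed by the Erlang process id in the third bracket, and attaches it to the info line the same process writes when the response goes out. The log text is constructed for the example: the first request is the answer's own exchange, the rest are made-up 401s against the database named in the question, one of them deliberately without a preceding debug line to show what happens when couch_httpd is not at debug level.

```python
import re
from collections import Counter

# Debug line written by couch_httpd when the request arrives: method, path,
# HTTP version and the real peer address.
DEBUG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] \[(?P<pid><[\d.]+>)\] "
    r"'(?P<method>[A-Z]+)' (?P<path>\S+) \{\d+,\d+\} from \"(?P<client>[^\"]+)\"$"
)
# Info line written by the same process when the response is sent; the
# address here is the bind address, not the client.
INFO_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[info\] \[(?P<pid><[\d.]+>)\] "
    r"(?P<bound>\S+) - - (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (see lead-in). The Authorization header value is a
# made-up basic-auth credential, included because CouchDB really does log it.
SAMPLE_LOG = """\
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] 'GET' / {1,1} from "192.168.1.52"
Headers: [{'Accept',"*/*"},
          {'Host',"localhost:5984"},
          {'User-Agent',"curl/7.30.0"}]
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] OAuth Params: []
[Tue, 30 Sep 2014 00:14:27 GMT] [info] [<0.451.4>] 127.0.0.1 - - GET / 200
[Tue, 30 Sep 2014 00:15:02 GMT] [debug] [<0.460.4>] 'GET' /offline_master/ {1,1} from "203.0.113.7"
Headers: [{'Authorization',"Basic YWRtaW46c2VjcmV0"},
          {'Host',"db.example.net:5984"}]
[Tue, 30 Sep 2014 00:15:02 GMT] [info] [<0.460.4>] 127.0.0.1 - - GET /offline_master/ 401
[Tue, 30 Sep 2014 00:15:03 GMT] [debug] [<0.460.4>] 'GET' /offline_master/ {1,1} from "203.0.113.7"
[Tue, 30 Sep 2014 00:15:03 GMT] [info] [<0.460.4>] 127.0.0.1 - - GET /offline_master/ 401
[Tue, 30 Sep 2014 00:15:09 GMT] [info] [<0.470.4>] 127.0.0.1 - - GET /_utils/ 401
"""


def attribute_clients(log_text):
    """Return one record per info line, with the client taken from the most
    recent debug line that carries the same Erlang pid (None if there was none).
    """
    last_client = {}  # pid -> client address from the latest debug line
    requests = []
    for line in log_text.splitlines():
        d = DEBUG_RE.match(line)
        if d:
            last_client[d["pid"]] = d["client"]
            continue
        i = INFO_RE.match(line)
        if i:
            requests.append({
                "ts": i["ts"],
                "method": i["method"],
                "path": i["path"],
                "status": int(i["status"]),
                # pop so a stale mapping is never reused for a later request
                "client": last_client.pop(i["pid"], None),
            })
        # header continuation lines and other debug output are skipped
    return requests


def failed_auth_by_client(log_text):
    """Count 401 responses per real client address; unattributed ones go under 'unknown'."""
    counts = Counter()
    for r in attribute_clients(log_text):
        if r["status"] == 401:
            counts[r["client"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    for client, n in failed_auth_by_client(SAMPLE_LOG).most_common():
        print(f"{client:16} {n} failed authentication(s)")
```

Two caveats follow from the sample. The debug lines carry the full request headers, Authorization included, so a debug-level log is itself a credential store and needs the same file permissions and retention as the database. And the pid correlation only holds while couch_httpd stays at debug; a 401 that arrives without a matching debug line ends up under 'unknown', which is what the last sample line exercises.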

PuppetCA not signing Certificate-Requests

I have a setup with MCollective 1.2.0, Puppet 2.6.4 and a provision-agent. Most of the time this works great, but sometimes (every 10th node or so) I experience that signing requests of puppet agents are not getting signed on the master.
In this case every request of the puppet agent to "/production/certificate/..." fails with an HTTP error 404.
The problem is also hard to analyze because the log output is not very detailed.
Puppet-Agent:
Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new SSL key for ...
Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching certificate for ca
Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new SSL certificate request for ...
Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF:19:BE
Puppet-Master:
"GET /production/certificate/a.b.c.d HTTP/1.1" 404
"GET /production/certificate_request/a.b.c.d HTTP/1.1" 404
"GET /production/certificate/a.b.c.d HTTP/1.1" 404
"GET /production/certificate/a.b.c.d HTTP/1.1" 404
"GET /production/certificate/a.b.c.d HTTP/1.1" 404
"GET /production/certificate/a.b.c.d HTTP/1.1" 404
... last message repeats endlessly
Does anyone have a clue about that?
Markus

Why can't I get this page in Linux with wget/telnet?

This URL, www.jinfuwu.com, can be accessed from a Windows browser and Windows telnet, but on my Ubuntu server I can't get the page:
telnet (ubuntu):
root@ubuntu:~# telnet www.jinfuwu.com 80
Trying 121.199.111.176...
Connected to www.jinfuwu.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.jinfuwu.com
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sun, 05 Dec 2010 01:34:33 GMT
Accept-Ranges: bytes
ETag: "f671fd911c94cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sun, 05 Dec 2010 10:03:21 GMT
Content-Length: 1214Connection closed by foreign host.
wget (ubuntu):
root@ubuntu:~# wget http://www.jinfuwu.com
--18:10:29-- http://www.jinfuwu.com/
=> `index.html.2'
Resolving www.jinfuwu.com... 121.199.111.176
Connecting to www.jinfuwu.com|121.199.111.176|:80... connected.
HTTP request sent, awaiting response...
Read error (Connection reset by peer) in headers.
Retrying.
....
But on my Windows machine, using the telnet command, I can get the page:
telnet (windows7):
run:
telnet www.jinfuwu.com 80
paste:
GET / HTTP/1.1
Host: www.jinfuwu.com
and press Enter twice, and I can see the page's HTML code.
Google it:
site:jinfuwu.com
Google can access this site.
Can you tell me why?
BTW: also www.joytg.com, same question.
Thanks a lot :)
Did some further digging for you and found the root cause is due to misconfigured routers. You can read about it all here.
The workaround that article mentions is to:
echo 0 > /proc/sys/net/ipv4/tcp_default_win_scale
However, this file has changed and on newer setups you need to instead:
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
You will need to be root when running that though.
$ wget http://www.jinfuwu.com
--2010-12-05 12:58:39-- http://www.jinfuwu.com/
Resolving www.jinfuwu.com... 121.199.111.176
Connecting to www.jinfuwu.com|121.199.111.176|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12145 (12K) [text/html]
Saving to: `index.html'
100%[====================================================>] 12,145 5.19K/s in 2.3s
2010-12-05 12:58:43 (5.19 KB/s) - `index.html' saved [12145/12145]
FWIW, I can get the page just fine using wget or curl from MacPorts.
