SANS ISC: Reminder: Secure Your Tomcat Admin Interface - Internet Security | DShield

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

In our web application honeypots, we do see continuing scans for "/manager/html". While our honeypot doesn't (yet) fully simulate this Tomcat administrative interface, these scans are usually used to find unprotected Tomcat manager URLs. 

The full request:

GET /manager/html HTTP/1.1
Authorization: Basic
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: [host ip redacted]:8080
Cache-Control: no-cache

Today's top sources of these scans are:

222.186.21.117  (<-- by far the largest source) 
88.33.217.26
69.39.4.234
176.31.16.108
218.83.5.174
150.70.97.0/24
150.70.173.0/24   (maybe just block 150.70.0.0/16 ?)
121.8.241.145

OWASP got a brief guide on securing Tomcat: https://www.owasp.org/index.php/Securing_tomcat

See the "Securing Manager WebApp" for details on protecting your management interface.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn