Scans for default Tomcat admin passwords

I went through some sinkhole stats and spotted a few scans that looked like this: “GET /manager/html HTTP/1.1”.

That path by itself didn’t give many hits in Google, so I took a look at the whole request:

Tue Mar 24 03:28:41 EET 2009 - /213.27.140.33:1473 - GET /manager/html HTTP/1.1
Referer: http://xxx.xxx.xxx.xx:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: xxx.xxx.xxx.xx:8080
Connection: Close
Cache-Control: no-cache
Authorization: Basic YWRtaW46YWRtaW4=

I’ve got these hits from a handful of IPs, all to a single IP, so I reckon they might be scanning pretty much everywhere. They’re trying to identify Apache Tomcat installations that have default passwords in place. If my memory serves me correctly, Tomcat hasn’t had a default password in ages. If anyone has a clue what they’re trying to push to affected servers, please shoot me a mail to

toni(_a_t_) teamfurry.com
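
One way to pick these probes out of a capture, as an added example that is not part of the original post: the Python below parses records in the sinkhole log layout shown above, decodes the Basic credentials (YWRtaW46YWRtaW4= is admin:admin) and flags pairs that are on a watch list. The function names, the watch list and every sample record except the first are assumptions made for the illustration.

```python
import base64
import binascii
import re

# Illustrative watch list (an assumption); admin:admin is the pair captured above.
DEFAULT_PAIRS = {("admin", "admin"), ("tomcat", "tomcat")}
# First line of a record in the sinkhole log layout shown above.
RECORD_RE = re.compile(
    r"^(?P<ts>.+?) - /(?P<src>[\d.]+):\d+ - (?P<method>\S+) (?P<path>\S+) HTTP/\d\.\d$")

def decode_basic(value):
    """Return (user, password) from an Authorization header value, else None."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64 carries no usable credential
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def find_manager_probes(log_text):
    """Return one dict per /manager/html request that sent Basic credentials."""
    hits, current = [], None
    for line in log_text.splitlines():
        match = RECORD_RE.match(line.strip())
        name, sep, value = line.partition(":")
        if match:
            current = match.groupdict()
        elif current and sep and name.strip().lower() == "authorization":
            creds = decode_basic(value)
            path = current["path"].split("?")[0].rstrip("/")
            if creds and path == "/manager/html":
                hits.append({"src": current["src"], "user": creds[0],
                             "password": creds[1], "default": creds in DEFAULT_PAIRS})
    return hits

# Constructed sample: first record mirrors the request above, the others are invented.
OTHER = base64.b64encode(b"ops:not-a-default").decode()
SAMPLE = f"""Tue Mar 24 03:28:41 EET 2009 - /213.27.140.33:1473 - GET /manager/html HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=

Tue Mar 24 03:29:02 EET 2009 - /192.0.2.10:40112 - GET /manager/html HTTP/1.1
Authorization: Basic {OTHER}

Tue Mar 24 03:30:10 EET 2009 - /192.0.2.77:51200 - GET /index.jsp HTTP/1.1
Authorization: Basic dG9tY2F0OnRvbWNhdA==
"""
```

Calling find_manager_probes(SAMPLE) returns the two /manager/html requests and marks only the admin:admin one as a default pair; the /index.jsp request is ignored because it does not target the manager application.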
