Correlation does not prove causality.
I'm going to be a "small government" candidate. I'll be the government. Just me. No one else.
Tim Holloway wrote: You're kinder than I am. I would have blocked the IP at the firewall.
If they're trying to break in via Tomcat, they may well be trying to break into other services, too.
Tim Holloway wrote: It's a mystery to me as well. Like I said, Tomcat will cheerfully delete an entire webapp, but selected parts?
What would be nice is if you had a tool that could detect the filesystem delete operation and point back to the offender, but if there's a generally available tool out there for that, I don't know what it is. For Linux, you could probably set up a dtrace, though.
