Invalid JSP file

 
Ranch Hand
Posts: 77
Hello. Out of the blue, I received the following error...

...with root cause javax.servlet.jsp.JspTagException: Invalid JSP file ? at examples.ShowSource.doEndTag....

Would anybody know why this showed up all of a sudden? I changed nothing with Tomcat nor the JVM. Thank you so much for reading.
 
Tommy Griffith
Ranch Hand
Posts: 77
Hi, this is the full trace... the ncf line in red is interesting. I think the server was upgraded to Windows 12 a few weeks ago but it seemed to be working. I noticed a slowdown in performance but today, it is toast with these errors...


29-Oct-2019 02:35:37.478 SEVERE [http-nio-8080-exec-10] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [/examples] threw exception [An exception occurred processing [jsp/source.jsp] at line [21]

Unable to display JSP extract. Probably due to an XML parser bug (see Tomcat bug 48498 for details).

Stacktrace:] with root cause
javax.servlet.jsp.JspTagException: Invalid JSP file ?
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:444)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:501)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)

29-Oct-2019 02:35:37.478 INFO [http-nio-8080-exec-3] org.apache.catalina.core.ApplicationContext.log SessionListener: sessionCreated('435D932218B26836BC2E32780AC302C5')
29-Oct-2019 02:35:37.478 SEVERE [http-nio-8080-exec-3] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [/examples] threw exception [An exception occurred processing [jsp/source.jsp] at line [21]

Unable to display JSP extract. Probably due to an XML parser bug (see Tomcat bug 48498 for details).

Stacktrace:] with root cause
javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:444)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:501)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)

29-Oct-2019 02:35:40.932 INFO [http-nio-8080-exec-6] org.apache.catalina.core.ApplicationContext.log SessionListener: sessionCreated('3C37EBC4CD1AA9C037B9BDA83758C063')
29-Oct-2019 02:35:40.932 SEVERE [http-nio-8080-exec-6] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [/examples] threw exception [An exception occurred processing [jsp/source.jsp] at line [21]

Unable to display JSP extract. Probably due to an XML parser bug (see Tomcat bug 48498 for details).

Stacktrace:] with root cause
javax.servlet.jsp.JspTagException: Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:444)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:501)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)
 
Saloon Keeper
Posts: 21248

From stack trace wrote:Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf



It looks likely that one of 2 things has happened:

1) Your filesystem has been corrupted

2) Your system has been invaded by malware and one of the viral files planted itself in a place where it looked like a webapp component.

Best bet is to run as many anti-virus programs as you can on your hard drive, followed by a check-disk. Or, if you get disk I/O errors from the anti-virus, same thing, opposite order.

Sadly, there's probably a case 3), these days: if you're running Windows 10, all bets are off. I'm surprised that the Windows community isn't rioting in the streets after the last few (and very destructive) updates.

Life in the Linux world is a lot more peaceful, I must say. Not that we're immune, but the Unix-like OS's grew up in an unkind world and were hardened from the beginning.
 
Sheriff
Posts: 21817
I'm guessing it's option 2. %2e means ., so the path is the URL encoded version of ../../../../system/autoexec.ncf. In other words - go back 4 times (which will go to the root if the current directory is at most 4 levels deep), then go into system, then try to access autoexec.ncf. A quick search shows that this file belongs to NetWare, so I'd be surprised if this is caused by an I/O issue or botched Windows update.
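The decoding described in the post above, as an added example that is not part of the original thread: it pulls the "Invalid JSP file" values out of Tomcat log text, percent-decodes them, and counts how many directory levels each one climbs. The function names are hypothetical, and the fourth sample line (double-encoded) is constructed; the first three are the root-cause lines quoted in this thread.

```python
import re
from urllib.parse import unquote

# Root-cause line format as it appears in the traces quoted in this thread.
ROOT_CAUSE = re.compile(r"JspTagException: Invalid JSP file (\S*)")

SAMPLE = """\
javax.servlet.jsp.JspTagException: Invalid JSP file ?
javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/
javax.servlet.jsp.JspTagException: Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf
javax.servlet.jsp.JspTagException: Invalid JSP file %252e%252e/%252e%252e/example.txt
"""  # last line is constructed for this example


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (catches %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def levels_above_start(path):
    """Return how many directory levels the path climbs above where it started."""
    depth = lowest = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest


def triage(log_text):
    """One finding per 'Invalid JSP file' line, with the decoded path and climb depth."""
    findings = []
    for match in ROOT_CAUSE.finditer(log_text):
        raw = match.group(1)
        decoded = fully_decode(raw)
        up = levels_above_start(decoded)
        findings.append({
            "raw": raw,
            "decoded": decoded,
            "encoded": decoded != raw,   # the dots were hidden behind %xx escapes
            "levels_up": up,
            "traversal": up > 0,         # tries to leave its starting directory
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Lines where `traversal` is true came from a request that named a path outside the application, which points at a client probing the server rather than at a damaged file on disk.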
 
Tim Holloway
Saloon Keeper
Posts: 21248

Rob Spoor wrote:I'm guessing it's option 2. %2e means ., so the path is the URL encoded version of ../../../../system/autoexec.ncf. In other words - go back 4 times (which will go to the root if the current directory is at most 4 levels deep), then go into system, then try to access autoexec.ncf. A quick search shows that this file belongs to NetWare, so I'd be surprised if this is caused by an I/O issue or botched Windows update.



Except that going uphill and outside of a WAR is not possible under default Tomcat settings for security reasons. And as far as I know, Netware hasn't existed for 20 years, so what's this file doing on that machine? Best I could think of was an old Windows exploit. Either that or there are literally decades of cruft on it.
 
Tommy Griffith
Ranch Hand
Posts: 77
Would the following two also point to malware?...

javax.servlet.jsp.JspTagException: Invalid JSP file ?
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)

javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)

This is like a one-guy development server inside a secure firewall with VPN-only access.

There are early versions of JVM and Tomcat 5 folders still sitting on the machine although Tomcat 9 is currently running on JVM 9. Could those early versions be the issue? Could I just manually remove/delete the file folders for Tomcat 5 and the old JVMs?

Thank you.
 
Tim Holloway
Saloon Keeper
Posts: 21248
You can - and I do - have many different copies/versions of Tomcat on a single computer. Likewise many different versions of Java. Unlike Internet Explorer, there is nothing that prevents all of them from being used at once. Well, other than the network. Only one Tomcat can be open on port 8080, so other Tomcats would have to be configured to listen on other ports.

Tomcat's raw distribution is in the form of a ZIP file, so un-installing it can be as simple as deleting the Tomcat directory. If you've installed it with Windows Installer (Add/Remove Programs), I recommend using that, however, since there might be some odd Windows-only registry entries or unusual files that the uninstaller knows to remove along with Tomcat itself.

You can also remove and re-install any Tomcat that you think might have become damaged, but of course you'll have to re-deploy any webapps to the new Tomcat.

Sometimes when Tomcat gets sick it's because its workfiles have been corrupted. Stop Tomcat, delete everything under TOMCAT_HOME/work, TOMCAT_HOME/temp, and TOMCAT_HOME/logs and restart. Delete and re-deploy any apps in the TOMCAT_HOME/webapps directory that might be damaged. Note that webapps may exist in 2 forms: as a WAR file and as the unzipped ("exploded") WAR directory with the same base name as the WAR file. You can delete both of them, although the WAR file is less likely to get damaged. If you don't delete the WAR file, Tomcat will re-explode it with a (hopefully!) clean copy of the war directory.
 
Tommy Griffith
Ranch Hand
Posts: 77
Thank you so much. The open port is a great point for older Tomcat. Could it be a security risk to have JVM 5 sitting out on the server, with its own java.exe?

It apparently turned out, for whatever reason, to be something with a temporary backup of three Lotus Notes databases. The resource usage went really high on the server and when I removed the backups, it seemed stable again.
 
Tim Holloway
Saloon Keeper
Posts: 21248
Each and every file and program on a server is a potential security risk, so it's always better to delete unused resources. But it's not a major risk, especially if you're not using it.

I wonder why Google didn't suggest Notes for ".nsf" files. If anything, Lotus Notes has seen more recent use than Netware has.

Actually, IBM sold Notes just this last summer. It may pop up again someday. Although my impression of a Notes database is that MongoDB is awfully similar.
 
Tommy Griffith
Ranch Hand
Posts: 77
I think netware has the "ncf" extension, notes databases are "nsf".

While going through the Tomcat 9 logs working on this, I noticed these two apparently "random" exceptions. This is from the backup prod server so there weren't any manual http requests that I am aware of (first issue below) and the war apps don't use cookies (second issue)...

I saw a guy on stackoverflow with the same exceptions post-upgrade to Tomcat 9 so I lifted his below. I see the same exact two exceptions...

It's weird as the servlets seem to be working ok and no request was made on this server, at least by an end user. I've read where the first exception might have to do with [] or {} in the request url but the log doesn't reveal any urls.


First issue:

30-Sep-2019 20:40:04.146 INFO [http-nio-8009-exec-24] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:415)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:292)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)

Second issue:

02-Oct-2019 03:08:29.694 INFO [https-jsse-nio2-8443-exec-23] org.apache.tomcat.util.http.parser.Cookie.logInvalidHeader A cookie header was received [::7907=pub_site.1569985617; ezoab_7907=mod1; ezoref_7907=; ezoadgid_7907=-1] that contained an invalid cookie. That cookie will be ignored. Note: further occurrences of this error will be logged at DEBUG level.
 
Tim Holloway
Saloon Keeper
Posts: 21248
I'm afraid you've got me on that one. The first would seem to indicate that an HTTP request that wasn't a GET, POST, DELETE, or other known HTTP method was requested (or that sheer random noise was sent as a request). The second could be a stale cookie. As long as they don't keep happening and no one complains that something's broken, I wouldn't worry.
 
Tommy Griffith
Ranch Hand
Posts: 77
Ugh, the original JSP parsing errors returned.

I have Tomcat 9.0.11 running as the service and a couple of older Tomcats sitting unstarted as services. Those shouldn't be exploited, right?

Maybe remove examples folder or will that cause an issue?

I asked the server people about running anti-malware and check disk, but I'm afraid this might cause a big ruckus over Tomcat security...
 
Tim Holloway
Saloon Keeper
Posts: 21248
While any file is a potential exploit, a file that's just sitting there is usually going to be less of a problem than a running service would be. It's still a good idea to completely uninstall anything you don't need, but if you think you might need to crank up one of those old cats in an emergency, you can be fairly confident.

Then again, you might want to just archive the directory in question to offline media. It's very hard to exploit things that aren't addressable by the computer. As I've said before, Tomcat itself is a single (zippable) directory. On Windows, there MIGHT be some registry entries and Windows Service definitions you'd want to save as well, but they shouldn't be essential. Registry entries can, of course, be serialized out as .reg files. Offhand I don't know how to do the same with service definitions. Still, you can probably go back to tomcat.apache.org for the entire server package if you prefer. You'd still have to archive any WARs, config files, and additions to TOMCAT_HOME/lib, but that's fairly straightforward.

It's actually a very good idea to delete TOMCAT_HOME/webapps/examples. They are not needed for anything other than themselves and yes, they're a potential exploit point. Some people also clear out TOMCAT_HOME/webapps/ROOT, which contains the Tomcat web admin UI app. For that matter, some people completely replace ROOT's contents with a webapp of their own. /ROOT isn't magic - it's just that you cannot name a file "/" (at least in Unix/Linux/MacOS), so the webapp context "/" uses ROOT as its directory name.
 
Tommy Griffith
Ranch Hand
Posts: 77
Thanks so much. The server admin renamed examples and that exception did go away. I'm still worried about that dead cookie thing, I think that is somehow related to all this.

I know this is long but I'm seeing this weird set of lines in the log, maybe a glimpse will indicate something, like is this some sort of hack attempt?...all the GETs, 200 and 404s?...

Actually, I see Lotus Notes files in there, this thing is scrolling the file directories it looks like. Now that I've gone back, I see these types of entries since the install...maybe I'm being paranoid over the cookie and the thing using examples.

The 111.11.11.111 is a fake ip I put in there...

111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET //perl.exe?-v HTTP/1.1" 404 1086
111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:53 -0500] "GET /login?redirects=10 HTTP/1.1" 404 1078
111.11.11.111 - - [07/Nov/2019:02:30:54 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:54 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1494107155 HTTP/1.1" 404 1087
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet991665113. HTTP/1.1" 404 1087
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet2041817301.asp HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet664732588.aspx HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet600815077.html HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet363404008.htm HTTP/1.1" 404 1090
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1016239117.shtm HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1577129873.shtml HTTP/1.1" 404 1093
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1456605888.jsp HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1040198048.jspx HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1976071744.php HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet715448670.php3 HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet570167550.php4 HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1687952712.php5 HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet1643283870.php6 HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:30:55 -0500] "GET /niet379062877.cfm HTTP/1.1" 404 1090
111.11.11.111 - - [07/Nov/2019:02:30:56 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:56 -0500] "GET /cgi-bin/com5.pl HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:30:56 -0500] "GET /forum.php HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:30:56 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:56 -0500] "GET /header.php HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET /login.php HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET /pluto/portal/ HTTP/1.1" 404 1094
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET /sitemap.xml HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET /sitemap/sitemap.xml HTTP/1.1" 404 1096
111.11.11.111 - - [07/Nov/2019:02:30:57 -0500] "GET /map/sitemap.xml HTTP/1.1" 404 1092
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /account.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /accounts.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /admin4.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /agentrunner.nsf HTTP/1.1" 404 1088
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /AgentRunner.nsf HTTP/1.1" 404 1088
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /archive/a_domlog.nsf HTTP/1.1" 404 1097
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /archive/l_domlog.nsf HTTP/1.1" 404 1097
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /bookmark.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /books.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /busytime.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /calendar.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /catalog.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /cersvr.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /certlog.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /certsrv.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /collect4.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /cpa.nsf HTTP/1.1" 404 1080
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /database.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /db.nsf HTTP/1.1" 404 1079
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /dbdirman.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /decsadm.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /default.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /doladmin.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /domcfg.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /domguide.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /domino.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /domlog.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /events4.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /group.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /groups.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /hidden.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /iNotes/Forms5.nsf HTTP/1.1" 404 1094
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /lccon.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /ldap.nsf HTTP/1.1" 404 1081
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /lndfr.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /log.nsf HTTP/1.1" 404 1080
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /loga4.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /mab.nsf HTTP/1.1" 404 1080
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /mail.box HTTP/1.1" 404 1081
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /mail/admin.nsf HTTP/1.1" 404 1091
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /mailw46.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:02 -0500] "GET /mtabtbls.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /name.nsf HTTP/1.1" 404 1081
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /names.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /nntppost.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /notes.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /ntsync4.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /private.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /products.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /proghelp/KBCCV11.nsf HTTP/1.1" 404 1097
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /public.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /qstart.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /quickstart/qstart50.nsf HTTP/1.1" 404 1100
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /quickstart/wwsample.nsf HTTP/1.1" 404 1100
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /reports.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /sample/faqw46.nsf HTTP/1.1" 404 1094
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /sample/framew46.nsf HTTP/1.1" 404 1096
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /secret.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /secure.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /setup.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /smtpibwq.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /smtpobwq.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /smtptbls.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /software.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /statmail.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /statrep.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /statsrep.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /stats675.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /user.nsf HTTP/1.1" 404 1081
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /users.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /webadmin.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /welcome.nsf HTTP/1.1" 404 1084
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /zmevladm.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:06 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:31:06 -0500] "GET null null" 400 -
111.11.11.111 - - [07/Nov/2019:02:31:07 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:31:07 -0500] "GET /portal/page/portal/Design_Time_PG/Welcome HTTP/1.1" 404 1130
111.11.11.111 - - [07/Nov/2019:02:31:07 -0500] "GET /page/portal/Design_Time_PG/Welcome HTTP/1.1" 404 1119
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1129
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1133
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV1_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV2_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV3_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV4_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV5_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV6_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV7_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV8_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV9_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1134

 
Tim Holloway
Saloon Keeper
Well, the "niet" stuff looks like possibly someone trying to find an exploit. You should log the source IP address.

But it also looks like a Notes client system thinks that you are a Lotus Notes server. Possibly your machine's IP address used to be used by one and there's still one or more clients that are running (possibly automated) against it. Here again, log the IP address and see if you can't find out where it's coming from.
 
Saloon Keeper
All that traffic looks like something/someone trying to find vulnerabilities to exploit your platform.

For example, the URLs with PORTAL_DEMO.ORG_CHART.SHOW are for a PL/SQL injection vulnerability described here.  The Lotus URLs have keywords used by Metasploit to find vulnerable Lotus Domino servers - the key words listed here.

As Tim says, check the IP address and find where the traffic is originating from.  The IP address shown in the log that you posted is in private address space, so either the traffic is originating from inside your network, or more likely, the source IP is getting rewritten by an edge firewall or proxy, in which case, you will need to check the logs on that device to see the actual outside address.

When you find the offending IP address, send an email to the Abuse contact for that IP range to inform them about the attack.  Provide supporting information such as logs with timestamps and IP address with your report.
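
A way to triage a log like the one posted above, as an added example that is not part of the original posts: it groups access log entries by source IP, counts 404s and the peak request rate per second, and tags the probe families mentioned in the replies. The family patterns and thresholds are assumptions chosen for illustration, and the 10.0.0.5 line is constructed.

```python
import re
from collections import Counter, defaultdict

# Common Log Format, as in the access log lines posted in this thread.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

# Probe families named in the replies; illustrative patterns, not a full signature set.
FAMILIES = {
    "lotus-domino": re.compile(r"\.nsf(\?|$)", re.I),
    "oracle-portal": re.compile(r"PORTAL_DEMO\.ORG_CHART\.SHOW|/Design_Time_PG/", re.I),
}

def summarize(lines, min_404=5, min_ratio=0.7):
    """Per source IP: totals, 404s, peak requests per second, probe families hit."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0,
                                  "seconds": Counter(), "families": Counter()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not an access log entry
        ip, ts, request, status = m.groups()
        path = (request.split() + ["", ""])[1]  # "" when the request line is malformed
        s = per_ip[ip]
        s["total"] += 1
        s["seconds"][ts] += 1
        if status == "404":
            s["not_found"] += 1
            for name, rx in FAMILIES.items():
                if rx.search(path):
                    s["families"][name] += 1
    return {ip: {"total": s["total"], "not_found": s["not_found"],
                 "peak_per_second": max(s["seconds"].values()),
                 "families": dict(s["families"]),
                 "looks_like_scan": s["not_found"] >= min_404
                                    and s["not_found"] / s["total"] >= min_ratio}
            for ip, s in per_ip.items()}

# Eight lines copied from the thread, plus one constructed line for an ordinary client.
SAMPLE = """\
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /secret.nsf HTTP/1.1" 404 1083
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /setup.nsf HTTP/1.1" 404 1082
111.11.11.111 - - [07/Nov/2019:02:31:03 -0500] "GET /webadmin.nsf HTTP/1.1" 404 1085
111.11.11.111 - - [07/Nov/2019:02:31:06 -0500] "GET / HTTP/1.1" 200 11450
111.11.11.111 - - [07/Nov/2019:02:31:06 -0500] "GET null null" 400 -
111.11.11.111 - - [07/Nov/2019:02:31:07 -0500] "GET /portal/page/portal/Design_Time_PG/Welcome HTTP/1.1" 404 1130
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1129
111.11.11.111 - - [07/Nov/2019:02:31:08 -0500] "GET /portal/portal/DEV_PORTAL_DEMO.ORG_CHART.SHOW HTTP/1.1" 404 1133
10.0.0.5 - - [07/Nov/2019:02:31:09 -0500] "GET /app/index.jsp HTTP/1.1" 200 5120
""".splitlines()
```

Calling `summarize(SAMPLE)` returns one row per source IP; a row flagged `looks_like_scan` with several families is the pattern an authorised scanner or an unsolicited probe both produce, so the source still has to be identified separately.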


 
Tommy Griffith
Ranch Hand
Hello. Thanks so much for your assistance. They just told me the IP is for their Tenable Nessus vulnerability scanner, so I guess it looks like they're testing vulnerabilities with all those GETs.

What I'm still concerned about is the thing going into the examples folder. Renaming it seems to make it go away but I don't like that something is in there. I was told McAfee is full on with the server and I just don't get how any malware could be injected in some innocuous dev server behind a firewall/vpn/etc. Those log entries have no origin IP and I don't know if it could be some sort of other vulnerability scan.

I have seen quicker performance after renaming the examples folder.

 
Tim Holloway
Saloon Keeper
TOMCAT_HOME/webapps/examples is simply a pre-installed webapp. Delete the entire folder and its counterparts in TOMCAT_HOME/work and TOMCAT_HOME/temp. It really has no place on a production server, since, as its name indicates, it's just a set of example JSPs and servlets designed to show programmers how JEE works. And it is a security risk.
 
Tommy Griffith
Ranch Hand
Thank you. I renamed them but I will delete them altogether. I'd really like to find out what is trying to access it. I don't know if it's related to the vulnerability software, because it is only on the development server. I guess the only way to know would be anti-virus, nothing can be captured in the Tomcat log, right?

javax.servlet.jsp.JspTagException: Invalid JSP file ?
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)

javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)

javax.servlet.jsp.JspTagException: Invalid JSP file %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf
at examples.ShowSource.doEndTag(ShowSource.java:46)
at org.apache.jsp.jsp.source_jsp._jspService(source_jsp.java:130)

 
Tim Holloway
Saloon Keeper
The standard Tomcat log won't show where requests come from, but if you activate the Tomcat logging Valve, it will write a file in much the same format that's used by servers like Apache httpd, and that includes the requester's FQDN or IP address.
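
With access logging on, the `Invalid JSP file` exceptions quoted earlier can be tied to a client by searching for requests to the example page whose parameter contains a `..` segment once percent-decoded. This is an added example, not code from the thread; it assumes the request reaches `/examples/jsp/source.jsp` with the file name as the query string, and the sample lines and 192.0.2.x addresses are constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format with the request line split into method and URI.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when any path segment of the decoded value is '..'."""
    return ".." in re.split(r"[\\/]+", decode_fully(value))

def requesters(lines, target="/examples/jsp/source.jsp"):
    """Return (ip, timestamp, decoded query) for traversal-style requests to target."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, ts, _method, uri, _status = m.groups()
        path, _, query = uri.partition("?")
        if unquote(path) == target and is_traversal(query):
            hits.append((ip, ts, decode_fully(query)))
    return hits

# Constructed access log lines; only the traversal string is taken from the thread.
SAMPLE = """\
192.0.2.10 - - [29/Oct/2019:02:35:37 -0500] "GET /examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf HTTP/1.1" 500 1200
192.0.2.10 - - [29/Oct/2019:02:35:38 -0500] "GET /examples/jsp/source.jsp?/jsp/ HTTP/1.1" 500 1100
192.0.2.10 - - [29/Oct/2019:02:35:39 -0500] "GET /examples/jsp/source.jsp?%252e%252e/readme.txt HTTP/1.1" 500 1100
192.0.2.20 - - [29/Oct/2019:02:40:00 -0500] "GET /examples/jsp/source.jsp?/jsp/jsp2/el/basic-arithmetic.jsp HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for hit in requesters(SAMPLE):
        print(hit)
```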
 