Last Updated: 2015-04-20 12:58:40 UTC
by Johannes Ullrich (Version: 1)
In our web application honeypots, we do see continuing scans for "/manager/html". While our honeypot doesn't (yet) fully simulate this Tomcat administrative interface, these scans are usually used to find unprotected Tomcat manager URLs.
The full request:
GET /manager/html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: [host ip redacted]:8080
Today's top sources of these scans are:
184.108.40.206 (<-- by far the largest source)
220.127.116.11/24 (maybe just block 18.104.22.168/16 ?)
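A "top sources" tally like the one above can be produced from your own access logs. The following is an added example, not part of the original diary: it counts requests for the manager GUI path per source address and per /24. The combined log format, the sample lines (documentation-range addresses) and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined access-log format (not real scanner data).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2015:10:01:02 +0000] "GET /manager/html HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
198.51.100.7 - - [20/Apr/2015:10:01:05 +0000] "GET /manager/html HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.0.113.15 - - [20/Apr/2015:10:02:11 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.0.113.99 - - [20/Apr/2015:10:02:40 +0000] "GET /manager/html/ HTTP/1.1" 401 0 "-" "-"
192.0.2.10 - - [20/Apr/2015:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Apr/2015:10:03:01 +0000] "GET /docs/manager/html-howto.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# source address, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_manager_probe(path):
    """True only for the manager GUI path itself (query string and trailing slash ignored)."""
    return path.split("?", 1)[0].rstrip("/").lower() == "/manager/html"

def summarize(log_text, prefix=24):
    """Return (hits per source, hits per network, status codes returned to the probes)."""
    by_ip, by_net, statuses = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_manager_probe(m.group(3)):
            continue
        src, status = m.group(1), m.group(4)
        try:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        except ValueError:
            continue  # first field is not an IP address (e.g. a resolved hostname)
        by_ip[src] += 1
        by_net[str(net)] += 1
        statuses.add(status)
    return by_ip, by_net, statuses

if __name__ == "__main__":
    by_ip, by_net, statuses = summarize(SAMPLE_LOG)
    for net, count in by_net.most_common():
        print(f"{count:5d}  {net}")
    # A 401 or 200 here means a manager application answered the probe,
    # so that host's management interface is reachable from the scanner.
    print("status codes returned:", sorted(statuses))
```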
OWASP has a brief guide on securing Tomcat: https://www.owasp.org/index.php/Securing_tomcat
See the "Securing Manager WebApp" section for details on protecting your management interface.
If you have more information or corrections regarding our diary, please share.