DevTest component log files show suspicious inbound network activity. At the same time, CPU usage spikes to 100%. No load tests are being executed during this time.
Looking at the DevTest component log files, we see WARN messages and exceptions reporting malformed HTTP requests, attempts to breach an HTTP server, or HTML injection.
The messages below were extracted from DevTest component log files:
WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@1596a137{r=0,c=false,a=IDLE,uri=null}
WARN org.eclipse.jetty.util.URIUtil - /%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte C0 in state 0
WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 Bad URI for HttpChannelOverHttp@4504b139{r=1,c=false,a=IDLE,uri=//{RegistryHost}:1505/../../../../../../../../../../../../etc/passwd}
WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 No URI for HttpChannelOverHttp@53dc26fa{r=0,c=false,a=IDLE,uri=null}
WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 Bad URI for HttpChannelOverHttp@314a35a7{r=13,c=false,a=IDLE,uri=//{PortalHost}:1507}
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? "Unrecognized SSL message, plaintext connection?".
WARN com.itko.lisa.test.LisaException - LisaException detail java.lang.IllegalArgumentException: Incoming request is not HTTP. exception is java.lang.IllegalArgumentException: Incoming request is not HTTP.
ERROR com.itko.lisa.vse.sio.PortServer - An error occurred in our main selector loop.
java.lang.NumberFormatException: For input string: "ffffffff"
INFO System.out - Oct 27, 2016 2:04:15 PM sun.rmi.transport.tcp.TCPTransport$AcceptLoop executeAcceptLoop
INFO System.out - WARNING: RMI TCP Accept-0: accept loop for ServerSocket[addr=0.0.0.0/0.0.0.0,localport=40727] throws
INFO System.out - java.io.IOException: The server sockets created using the LocalRMIServerSocketFactory only accept connections from clients running on the host where the RMI remote objects have been exported.
These exceptions indicate that DevTest does not recognize the requests that are being sent to it.
You may have 3 or 4 VSEs started with the same name, and Portal does not recognize them. In that case, give each VSE a unique name.
This type of exception happens when a vulnerability scan runs against the DevTest server.
The scan tries to test and explore any vulnerability on the ports that are listening on the server.
Since the components do not recognize the requests being sent to their ports, they log these errors.
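
To confirm that a burst of these messages is scanner noise, the log lines can be grouped by probe type. The Python sketch below is an added example, not part of the original article or of DevTest; the category names and the threshold of three distinct probe kinds are assumptions.

```python
import re
from collections import Counter

# Ordered rules, first match wins (traversal is tested before generic parse errors).
# Category names and the min_kinds threshold are assumptions of this example.
RULES = [
    ("path_traversal", re.compile(r"(\.\./){2,}|(%c0%2e){2}", re.I)),
    # 0x16 is the TLS handshake record type: a TLS hello sent to a plain HTTP port.
    ("tls_to_plain_port", re.compile(r"Illegal character 0x16")),
    ("plain_to_tls_port", re.compile(r"Unrecognized SSL message, plaintext connection\?")),
    ("remote_rmi_connect", re.compile(r"LocalRMIServerSocketFactory only accept")),
    ("malformed_http", re.compile(r"bad HTTP parsed: 400|Incoming request is not HTTP")),
]

def classify(line):
    """Return the probe category for one log line, or None if it matches no rule."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return None

def summarize(lines, min_kinds=3):
    """Count categories; several distinct kinds together suggest a scanner sweep."""
    counts = Counter(c for c in map(classify, lines) if c)
    return counts, len(counts) >= min_kinds

# Shortened copies of the log excerpts quoted in the article.
SAMPLE = [
    "WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@1596a137{r=0,c=false,a=IDLE,uri=null}",
    "WARN org.eclipse.jetty.util.URIUtil - /%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini",
    "WARN org.eclipse.jetty.http.HttpParser - bad HTTP parsed: 400 Bad URI for HttpChannelOverHttp@4504b139{r=1,c=false,a=IDLE,uri=//{RegistryHost}:1505/../../../../etc/passwd}",
    "javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?",
    "INFO System.out - java.io.IOException: The server sockets created using the LocalRMIServerSocketFactory only accept connections from clients running on the host",
    "ERROR com.itko.lisa.vse.sio.PortServer - An error occurred in our main selector loop.",
]

if __name__ == "__main__":
    counts, looks_like_scan = summarize(SAMPLE)
    for kind, n in counts.most_common():
        print(f"{kind:20} {n}")
    print("mixed probe types, consistent with a vulnerability scan:", looks_like_scan)
```

Matching the timestamps of the flagged lines against the scanner's schedule and source address is the remaining step to attribute the traffic.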