Concerning JIRA security log entries

Jeffery Eberwein March 11, 2014

We are seeing a number of the following entries in the atlassian-jira-security.log file, with various usernames:

2014-03-11 14:56:15,250 http-bio-8080-exec-3 anonymous 896x3750x1 - 120.192.31.167 /manager/html login : 'test' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-11 14:56:15,250 http-bio-8080-exec-3 anonymous 896x3750x1 - 120.192.31.167 /manager/html login : 'test' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

It is clear there is a brute force scenario going on, but what we are failing to understand is why JIRA is seemingly handling these attempts. From what it looks like, the login attempt is to the Tomcat Manager (i.e. "/manager/html" and the fact that the usernames attempted are the default Tomcat accounts), however we don't even have the manager installed, i.e. the webapps folder is empty.

Attempting to get to "http://<jiraserver>/manager/html" just goes to the JIRA 404 page

Can anyone shed some light on this?

2 answers


0 votes
bascase-mirror May 3, 2019

We ran into the same issue, maybe it helps someone:

Jira also allows Basic authentication. So if you, for example, curl the given URL with username/password, you'll end up with the log entries above.

0 votes
Tiago Comasseto
Rising Star
March 11, 2014

Hi Justing, it seems that this request is coming from IP 120.192.31.167. Is this IP familiar to you? In case not, you may block it in your firewall and see if the messages stop showing in your logs.

Cheers

Jeffery Eberwein March 11, 2014

The IP is not familiar to us, it is also changing with each attempt. The question is not regarding that aspect though. What we need to understand is why JIRA is seemingly handling the requests to the (what we believe to be non-existent) Tomcat Manager ("/manager/html")
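
An added example (not part of the original thread, and not Atlassian code): a small Python script that parses security-log lines in the layout shown in the question and groups failed logins by request path, so attempts against paths outside the expected login endpoints, such as /manager/html, stand out. The field names, the EXPECTED_PREFIXES list and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout inferred from the sample line in the question (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) "
    r"(?P<user>\S+) (?P<request_id>\S+) (?P<session>\S+) (?P<ip>\S+) "
    r"(?P<path>\S+) login : '(?P<attempted>.*?)' tried to login but "
)

# Paths where failed logins are expected; illustrative, adjust per deployment.
EXPECTED_PREFIXES = ("/login.jsp", "/rest/")

# Sample input: the first line is quoted from the question, the others are
# constructed in the same layout using documentation IP ranges.
SAMPLE_LOG = """\
2014-03-11 14:56:15,250 http-bio-8080-exec-3 anonymous 896x3750x1 - 120.192.31.167 /manager/html login : 'test' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-11 14:56:17,101 http-bio-8080-exec-5 anonymous 896x3751x1 - 203.0.113.7 /manager/html login : 'admin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-11 14:56:19,530 http-bio-8080-exec-2 anonymous 896x3752x1 - 198.51.100.23 /manager/html login : 'tomcat' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-11 15:02:40,008 http-bio-8080-exec-7 anonymous 902x3760x1 - 192.0.2.10 /login.jsp login : 'jdoe' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
"""

def failed_logins(lines):
    """Yield (path, ip, attempted_username) for each failed-login entry."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in any other layout are skipped
            yield m["path"], m["ip"], m["attempted"]

def unexpected_paths(lines, expected=EXPECTED_PREFIXES):
    """Group failed logins on paths outside `expected` by request path."""
    report = defaultdict(lambda: {"count": 0, "ips": set(), "users": set()})
    for path, ip, user in failed_logins(lines):
        if path.startswith(expected):
            continue
        entry = report[path]
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["users"].add(user)
    return dict(report)

if __name__ == "__main__":
    for path, e in sorted(unexpected_paths(SAMPLE_LOG.splitlines()).items()):
        print(f"{path}: {e['count']} failures from {len(e['ips'])} IPs, "
              f"usernames tried: {sorted(e['users'])}")
```

Many distinct source IPs and usernames against a path the application does not serve matches the pattern described in the question, where the IP changes with each attempt.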
