We are seeing a number of the following entries in the atlassian-jira-security.log file, with various usernames:
2014-03-11 14:56:15,250 http-bio-8080-exec-3 anonymous 896x3750x1 - 120.192.31.167 /manager/html login : 'test' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-11 14:56:15,250 http-bio-8080-exec-3 anonymous 896x3750x1 - 120.192.31.167 /manager/html login : 'test' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
It is clear there is a brute force scenario going on, but what we are failing to understand is why JIRA is seemingly handling these attempts. From what it looks like the login attempt is to the Tomcat Manager (ie "/manager/html" and the fact that the usernames attempted are the deafult Tomcat accounts), however we don't even have the manager installed. ie the webapps folder is empty.
Attempting to get to "http://<jiraserver>/manager/html" just goes to the JIRA 404 page
Can anyone shed some light on this?
Community moderators have prevented the ability to post new answers.
We ran into the same issue, maybe it helps someone:
Jira also allows Basic authentication. So if you, for example, curl the given URL with username/password, you'll end up with the log entries above.
Hi Justing, it seems to be that this request is comming from ip 120.192.31.167. Is this ip familiar to you? In case not, you may block it in your firewall and see if the messages stop showing in your logs.
Cheers
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The IP is not familiar to us, it is also changing with each attempt. The question is not regarding that aspect though. What we need to understand is why JIRA is seemingly handling the requests to the (what we believe to be non-existent) Tomcat Manager ("/manager/html")
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.