LISTING 1 EAServer Log Showing Class Loader Diagnostics

Dec 23 21:22:12 2002: JCL:JCL <4127408>: custom=
Dec 23 21:22:12 2002: JCL:setName <4127408>: Name changing from 4127408 to Jaguar/JCM
Dec 23 21:22:12 2002: JCL:setDirs <Jaguar/JCM>: _dirs=[Ljava.lang.String;@3c5982
Dec 23 21:22:12 2002: JCL:displayArray <Jaguar/JCM>: strs = [Ljava.lang.String;@3c5982
Dec 23 21:22:12 2002: JCL:displayArray <Jaguar/JCM>: strs.length = 3
Dec 23 21:22:12 2002: JCL:displayArray <Jaguar/JCM>: strs[0] = C:\Program Files\Sybase\EAServer/java/classes/
Dec 23 21:22:12 2002: JCL:displayArray <Jaguar/JCM>: strs[1] = C:\Program Files\Sybase\EAServer/html/classes/
Dec 23 21:22:12 2002: JCL:displayArray <Jaguar/JCM>: strs[2] = C:\Program Files\Sybase\EAServer/java/lib/
Dec 23 21:22:12 2002: JCL:setCustomList <Jaguar/JCM>: custom=
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: name=com.sybase.jaguar.jcm.JCM
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: name=com.sybase.jaguar.jcm.JCM, resolve=false
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: ?classDefName=com.sybase.jaguar.jcm.JCM, name=com.sybase.jaguar.jcm.JCM, resolve=false
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: ?classDefName=com.sybase.jaguar.jcm.JCM, name=com.sybase.jaguar.jcm.JCM, resolve=false, trySystemClassLoader=true
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: Try from our local cache
Dec 23 21:22:12 2002: JCL:inCustomList <Jaguar/JCM>: name=com.sybase.jaguar.jcm.JCM
Dec 23 21:22:12 2002: JCL:inCustomList <Jaguar/JCM>: len=0, rets=false
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: incustom=false
Dec 23 21:22:12 2002: JCL:loadClass <Jaguar/JCM>: try the system class loader
Dec 23 21:22:12 2002: [Loaded com.sybase.jaguar.jcm.JCM
Dec 23 21:22:12 2002: from C:\Program Files\Sybase\EAServer\java\lib\easserver.jar
Dec 23 21:22:12 2002: ]

LISTING 2 EAServer Log Showing a Lockout Situation

Dec 23 19:03:10 2002: NO_PERMISSION: user jagadmin (possible attack from ?65.57.230.61)
Dec 23 19:03:10 2002: SystemException: NO_PERMISSION (Manager/createSession -?@65.57.230.61)
Dec 23 19:03:13 2002: NO_PERMISSION: user jagadmin (account locked for 600 seconds)
Dec 23 19:03:13 2002: SystemException: NO_PERMISSION (Manager/createSession -?@65.57.230.61)

LISTING 3 Netstat Output Showing Active Ports

phoenix% netstat -a -P tcp

TCP
Local Address    Remote Address   Swind  Send-Q  Rwind  Recv-Q  State
phoenix.58616    hpsupp.6000      32768  0       8760   0       ESTABLISHED
phoenix.8080     *.*              0      0       0      0       LISTEN
phoenix.8081     *.*              0      0       0      0       LISTEN
phoenix.9000     *.*              0      0       0      0       LISTEN
phoenix.9001     *.*              0      0       0      0       LISTEN
phoenix.telnet   otter.44460      24820  0       8760   0       ESTABLISHED

LISTING 4 IIOP Request Packet Issued from Client Application

IIOP putMessage   Hexadecimal [padding] (interpretation)   ISO 8859-1 encoding
putOctet    < 47 (71)                                 G
putOctet    < 49 (73)                                 I
putOctet    < 4F (79)                                 O
putOctet    < 50 (80)                                 P
putOctet    < 01 (1)                                  .
putOctet    < 01 (1)                                  .
putBoolean  < 01 (TRUE)                               .
putOctet    < 00 (0)                                  .
putULong    < 00000000 (0)                            ....
putMessage  | GIOP version = 1.1
            | flags = 1 ('<' little endian)
            | message type = 0 (Request)
putRequest  | service context length:
putULong    < 00000000 (0)                            ....
putRequest  | request id:
putULong    < 00000000 (0)                            ....
putRequest  | response expected:
putBoolean  < 01 (TRUE)                               .
putRequest  | reserved:
putOctet    < 00 (0)                                  .
putOctet    < 00 (0)                                  .
putOctet    < 00 (0)                                  .
putRequest  | object key:
putULong    < 02000000 (2)                            ....
putOctets   < 4D00                                    M.
putRequest  | operation:
putULong    < 00000E000000 [2] (14)                   ......
putString   < 63726561746553657373696F6E00            createSession.
putRequest  | requesting principal:
putULong    < 000000000000 [2] (0)                    ......
putRequest  | request body:
putULong    < 09000000 (9)                            ....
putString   < 6A616761646D696E00                      jagadmin.
putULong    < 00000007000000 [3] (7)                  .......
putString   < 62616470776400                          badpwd.
endMessage  | message size = 71 (after 12 byte header)
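
The trace in Listing 4 can be decoded mechanically, which is how a network monitor would spot repeated Manager/createSession attempts such as the ones logged in Listing 2. The Python below is an added example, not code from the original article or from EAServer; `CDR`, `parse_request` and `login_attempt` are hypothetical names, and the size field is assumed to hold the 71 that endMessage reports.

```python
import struct

# Bytes re-typed from Listing 4. Assumption: the size field, written as 0 in
# the trace, carries the 71 that endMessage reports for the finished message.
LISTING4 = bytes.fromhex(
    "47494f50 0101 01 00 47000000"                         # GIOP 1.1, little endian, Request, size
    "00000000 00000000 01 000000 02000000 4d00 0000"       # contexts, id, response expected, reserved, object key + pad
    "0e000000 63726561746553657373696f6e00 0000 00000000"  # operation + pad, empty principal
    "09000000 6a616761646d696e00 000000"                   # first body string + pad
    "07000000 62616470776400")                             # second body string

class CDR:  # bounds-checked CDR reader; offsets count from the end of the 12-byte header
    def __init__(self, buf, little):
        self.buf, self.pos, self.fmt = buf, 0, "<I" if little else ">I"
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("field runs past end of message")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def ulong(self):
        self.pos += -self.pos % 4                          # the [padding] column in the listing
        return struct.unpack(self.fmt, self.take(4))[0]
    def octets(self):
        return self.take(self.ulong())
    def string(self):
        raw = self.octets()
        if not raw.endswith(b"\0"):
            raise ValueError("string is not NUL-terminated")
        return raw[:-1].decode("iso-8859-1")

def parse_request(msg):
    if len(msg) < 12 or msg[:4] != b"GIOP" or tuple(msg[4:6]) != (1, 1) or msg[7] != 0:
        raise ValueError("not a GIOP 1.1 Request")
    cdr = CDR(msg[12:], little=bool(msg[6] & 1))
    if struct.unpack(cdr.fmt, msg[8:12])[0] != len(cdr.buf):
        raise ValueError("size field disagrees with captured bytes")
    for _ in range(cdr.ulong()):                           # service contexts: id + data
        cdr.ulong(), cdr.octets()
    req = {"request_id": cdr.ulong(), "response_expected": cdr.take(1) != b"\0"}
    cdr.take(3)                                            # reserved octets
    req.update(object_key=cdr.octets(), operation=cdr.string(), principal=cdr.octets())
    return req, cdr                                        # cdr now sits at the request body

def login_attempt(msg):
    """Return (user, password length) for a createSession request, else None."""
    req, cdr = parse_request(msg)
    if req["operation"] != "createSession":
        return None
    return cdr.string(), len(cdr.string())                 # length only: keep the secret out of monitor logs
```

Both arguments of createSession are readable in the clear on the wire, so the same decoder run against a capture shows whether IIOP traffic to the server is leaving the host unencrypted.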

LISTING 5 IIOP Response Packet Sent to Client Application

IIOP putMessage   Hexadecimal [padding] (interpretation)   ISO 8859-1 encoding
getOctet    < 47 (71)                                 G
getOctet    < 49 (73)                                 I
getOctet    < 4F (79)                                 O
getOctet    < 50 (80)                                 P
getOctet    < 01 (1)                                  .
getOctet    < 01 (1)                                  .
getOctet    < 01 (1)                                  .
getOctet    < 01 (1)                                  .
getULong    < 3C000000 (60)                           <...
getMessage  | GIOP version = 1.1
            | flags = 1 ('<' little endian)
            | message type = 1 (Reply)
            | message size = 60 (after 12 byte header)
getReply    | service context:
getRequest  | service context length:
getULong    < 00000000 (0)                            ....
getReply    | request id:
getULong    < 00000000 (0)                            ....
getReply    | reply status:
getULong    < 02000000 (2)                            ....
getULong    < 24000000 (36)                           $...
getString   < 49444C3A6F6D672E6F72672F434F5242412F4E4F5F5045524D495353494F4E3A312E3000  IDL:omg.org/CORBA/NO_PERMISSION:1.0.
getULong    < 00000000 (0)                            ....
getULong    < 01000000 (1)                            ....

LISTING 6 HTTPRequest Log in Extended Log File Format

#Version: 1.0
#Date: 2002-12-21 18:50:40
#Fields: s-ip date time cs-request cs-status cs-bytes cs(Cookie) cs(Referer)
199.95.51.242 2002-12-21 18:50:40 "GET /ir/CtsServlet.html HTTP/1.1" 200 318 - "http://porkchop:8080/ir/index.html"
199.95.51.242 2002-12-21 18:50:43 "GET /ir/CtsServlet__ServletService.html HTTP/1.1" 200 436 - "http://porkchop:8080/ir/CtsServlet.html"
199.95.51.242 2002-12-21 18:50:49 "GET /ir/CosTransactions.html HTTP/1.1" 200 436 - "http://porkchop:8080/ir/index.html"
199.95.51.242 2002-12-21 18:52:14 "GET /webapp/index.html HTTP/1.1" 404 369 - -
199.95.51.242 2002-12-21 18:55:58 "GET /customer/index.jsp HTTP/1.1" 404 361 -