Tomcat Hack Attempt: Attempt was made to authenticate the locked user

DD. · Jun 28, 2013 · Viewed 16k times
Jun 28, 2013 1:04:27 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Jun 28, 2013 1:04:27 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Jun 28, 2013 1:51:08 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jun 28, 2013 1:51:55 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jun 28, 2013 1:51:55 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jun 28, 2013 1:52:36 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jun 28, 2013 1:52:36 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"

I'm seeing several hundred attempts like the above. Is someone trying to hack my site? Should I be worried?

Answer

Olaf Kock · Jun 28, 2013

Welcome to the internet. Your server most likely is connected to the internet, thus it will catch all kinds of background noise. The smarter bots will try the standard accounts for the platform you're running, others will just blindly fire random requests.

Did something happen? Not in the lines that you have in this logfile - did the bots succeed in other cases? Who knows.

This is the reason why #1 in all hardening documents is: Eliminate default accounts. Unfortunately, this is not yet #1 in all software development procedures, but there are fewer and fewer default accounts that could be used by this kind of exploit.

It also demonstrates nicely why you shouldn't have one of the 100 most popular passwords on easily guessable account names.
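
Added example (not part of the original answer): Python that parses the LockOutRealm warnings from the question, counts attempts per user name, and reports which targeted names actually exist in a `tomcat-users.xml`. The users file content and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Subset of the log excerpt from the question.
SAMPLE_LOG = """\
Jun 28, 2013 1:04:27 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Jun 28, 2013 1:51:08 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Jun 28, 2013 1:51:55 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
"""
# Constructed tomcat-users.xml; the account names and roles are assumptions.
SAMPLE_USERS = """<tomcat-users>
  <user username="tomcat" password="CHANGE_ME" roles="manager-gui"/>
  <user username="deployer" password="CHANGE_ME" roles="manager-script"/>
</tomcat-users>"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S*LockOutRealm authenticate$")
LOCKED = re.compile(r'^WARNING: An attempt was made to authenticate the locked user "(.*)"$')

def parse_lockouts(text):
    """Yield (timestamp, username) for each locked-user warning."""
    stamp = None
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if head:
            stamp = datetime.strptime(head.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        hit = LOCKED.match(line.strip())
        if hit and stamp:
            yield stamp, hit.group(1)
        stamp = None  # a header only applies to the line directly after it

def summarize(text):
    """Per user name: attempt count plus first and last time seen."""
    out = {}
    for stamp, user in parse_lockouts(text):
        e = out.setdefault(user, {"count": 0, "first": stamp, "last": stamp})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], stamp), max(e["last"], stamp)
    return out

def targeted_existing_accounts(log_text, users_xml):
    """Targeted names that are real accounts; tolerates a namespaced users file."""
    root = ET.fromstring(users_xml)
    configured = {el.get("username") for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user"}
    return sorted(configured & set(summarize(log_text)))
```

The realm warning carries no client address, so the timestamps have to be matched against the access log to see where the attempts came from.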