I recently upgraded a server to Railo 4 and noticed my catalina folder started to fill up with random folder names, e.g.
C:\railo\tomcat\conf\Catalina\acoaqnyfnl (or whatever the equivalent is on Linux)
Every time I checked back, the number of randomly created folders had increased exponentially; I ended up with thousands of them before I found the cause. This can cause multiple issues if left to grow, affecting the performance of Railo and Tomcat and your server in general once you get seriously large numbers of files or folders.
I posted on Twitter a few times, but unfortunately not one single person in the Railo community had a clue on this one, so I was rather stumped initially.
Then it dawned on me: this folder normally only contains an entry/folder for each of your virtual hosts, so I went and checked another server and noticed that not only did it contain a folder for each virtual host, but also for any other domain alias that pointed at those virtual hosts, even if they were not defined in the server.xml.
Once I realised this, the reason why the folders were being created became obvious: any host header that is used to access any Railo site on your server will cause a new folder to be created in c:\railo\tomcat\conf\Catalina. At this point I don't actually know why this happens, only that it does. Previously I thought that any aliases had to be defined in the virtual host config, but this is obviously not the case.
So the next question is why are all those host headers getting through?
This one was simple too: the default website on IIS is set to respond on <ALL Undefined> by default, meaning that it doesn't expect any host header and will display the default website for anything that points to any IP on the server if there is no other site with a valid entry for that host header. And of course Railo is installed to the default website as the default webapp.
So the next question was: why all the random folder names, which clearly were not normal host headers as they were not domain names? My first thought was that it could be bots trying to hack the server using randomly generated host names, so I checked my IIS logs and found a bunch of entries like this:
2013-02-06 07:08:10 W3SVC1 BTI-APP1 184.108.40.206 HEAD / - 80 – 220.127.116.11 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_8_2)+AppleWebKit/537.17+(KHTML,+like+Gecko)+Chrome/24.0.1312.57+Safari/537.17 - - kcqtvklylt 200 0 0 259 249 3430
As you can see, the request was coming from a Mac and was using the host header "kcqtvklylt", which explains the folder names.
Whether this was dodgy or not I really could not tell. The logs did not show any specific filenames being requested or any query strings such as SQL injection, but I guess it certainly could be a trojan or malware of some sort scanning servers for open ports, which seems more likely than a hacker using a Mac.
The solution was simply to put a host header on the default website to stop these requests even getting through the web server. Once I did that, the problem went away and no more randomly created folders appeared.
And the moral of this tale: if you are running Railo or anything else on Tomcat, always use host headers (bindings) for all your sites, and do not have any set up to allow <all undefined> or "*" without any host header at all.