GET /w00tw00t.at.ISC.SANS.DFind

GET /w00tw00t.at.ISC.SANS.DFind
GET /w00tw00t.at.ISC.SANS.DFind

These are one of the most common vulnerability scanners you will see in Apache access log.

94.242.217.34 – – [12/Feb/2013:10:28:11 +0000] “GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1” 400 408

Above is a typical line which you will see in the access log file – usr/local/apache/log/access_log (CentOS).

These could be serious security vulnerability in your Linux server depending on what happens after such GET commands. If you see that any of files are being accessed after these commands then you are vulnerable. If none of files are accessed then you are safe however you need to patch this up.

Apache rejects such requests as they do not contain hostname, see the 2nd last error code 400. Which means that you are not hacked so you don’t need to worry too much.

If you see the error_log then you will find following errors.

[Tue Feb 12 10:28:11 2013] [error] [client 94.242.217.34] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Extract the unique IP addresses

Here is a simple command (I’m sure linux experts could write a much better command) which will extract all the unique IP addresses from which these scanners originate.

[sourcecode]cat /usr/local/apache/logs/access_log | grep "GET /w00tw00t.at.ISC.SANS.DFind" | cut -f1 -d’ ‘ | sort | uniq -u > w00tlogs_unique_ips.txt[/sourcecode]

This command will extract Unique IP Addresses and saves it in w00tlogs_unique_ips.txt file.

If you do IP trace for these IP Addresses then you will find them originating from various countries so just knowing origin of IP addresses is no good.

How to stop GET /w00tw00t.at.ISC.SANS.DFind attacks

The very first thing you as non-expert admin would do is to report these attacks to your server host provider. Most of decent web host providers would have some sort of protections to block these attacks. Just pass them the list of IP addresses which you have extracted from above command and ask them if they could do about it.

Fail2Ban

Install and configure Fail2Ban. As name suggests this utility blocks the IP addresses from failed malicious attacks by adding IP addresses to firewall.

Snort

Snort is network intrusion prevention and detection system. Install it as well.

Install mod_security

First check if you have mod_security installed on your server or not by using these commands.

[sourcecode]cat /etc/httpd/conf/httpd.conf | grep mod_security[/sourcecode]

If you see any entry like the followings then mod_security is enabled on your server.

[sourcecode]LoadModule security_module modules/mod_security.so[/sourcecode]

Further Readings

http://spamcleaner.org/en/misc/w00tw00t.html

Webhosting Talk thread


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *