I found /w00tw00t.at.isc.sans.dfind in my Apache access log. What is this?
Are there many of this error message? If yes, that means attempts have been made to find known vulnerabilities in your server. It doesn't matter if you don't have anything matching those URLs on your server - the attackers/hackers will keep checking and trying until they find a backdoor to access your server. If your server is not secure, get ready for a serious headache.
Andy Reed
RHCE and CCNA
ServerTune.com
Only 2 records I found. What must I do?
Assuming that your server is secure, keep an eye out, as hackers keep coming back.
Greetings from Greece,
I'm sorry to dig this old thread up, but I'm having the exact same problem, which causes one server to crash:
Code:
XXX.XXX.XXX.XXX - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
Is there any way to get rid of it? I'm getting it in many logs, many times a day. I added it in mod_sec for now so that it doesn't use my server resources.
Last edited by gvard; 07-11-2008 at 12:13 PM.
Getting it here too:
[Fri Jul 11 09:21:06 2008] [error] [client 195.146.142.2] client denied by server configuration: /home/xx/public_html/i$
$tion 14.23): /w00tw00t.at.ISC.SANS.DFind : )
Some more IPs doing the probes:
[Fri Jul 11 10:36:15 2008] [error] [client 89.106.8.232] client sent HTTP/1.1 request without hostname (see RFC2616 section 1$
$tion 14.23): /w00tw00t.at.ISC.SANS.DFind : )
67.142.130.41
70.85.142.72
Is anyone else getting it from the same IPs? For the past two days, this same group of IPs has been taking turns every few hours.
If you have the APF firewall (single IP; change the IP accordingly):
apf -d 70.85.142.72
Seems one of them is coming from a server, and his PHP version is out of date. Maybe I ought to do a little probing myself and see how he likes it.
Also report these douchebags to their ISP! I just reported every one of mine. If they get their service cut, not much they can hack with no internet access.
Get their ISP abuse email: http://whois.domaintools.com/195.146.142.2 (Change IP accordingly)
Send a copy of the excerpts from your log where it shows them testing your site for the exploit.
Last edited by bls24; 07-11-2008 at 04:19 PM.
It's a web vulnerability scanner, DFind - that is its signature.
http://www.symantec.com/security_res...011411-1411-99
Jen Lepp, Customer Experience Manager
A Small Orange Homegrown Hosting | http://www.asmallorange.com
Don't waste your time trying to block the ip or reporting them to anyone.
If your machine is responding to them as errors or denied or blocked, then you are probably ok. If your machine is allowing attack requests to go through and get processed, then learn how to protect your machine with firewalls, mod_security and the various add on programs that watch for brute force intrusion or other hacking attempts.
Blocking individual IPs or reporting them to ISPs is a waste of time and effort. Most of the "hackers" are robots, so their IPs will change all the time, and most ISPs don't give a damn about anyone but themselves and won't do anything without a police report or a court order.
"A dog has raised its hind leg on the age of nevermore !"
-- Rolf
I would normally say reporting is a waste of time, but if this were the case AOL and the like wouldn't be blacklisting domains for spamming when their users use the "report spam" feature.
The odd ISP does care, but I suspect most do not. Took me less than 2 minutes to copy a line from my log and email each ISP, so no skin off my teeth if nothing happens of it. At least I tried.
Blocking the IPs should help, in my case. It's been the same group probing me for two days now.
One of them I happen to house my server on, so they'd better take an abuse complaint seriously.
Hello,
How do I protect my machine against DFind?
I searched on Google and the solution is to use fail2ban, but fail2ban is not integrated into cPanel/WHM.
Any other solutions ?
In Windows, one could:
<<httpd.conf>>
# Turn on the ModSecurity rule engine
SecRuleEngine On
# Match known scanner signatures in the request URI, log the hit, and run the block script
SecRule REQUEST_URI "w00tw00t|r57.php|c99.php|xampp|typo3" "log,exec:/www/apache/modules/mod_security2/modsec.cmd"
<<modsec.cmd>>
rem Record the offending client address and URI
echo %REMOTE_ADDR% %REQUEST_URI% >> logs\modsec.log
rem Add an IPsec filter that blocks all traffic from that address
ipseccmd -w REG -p "Block" -r "Block %REMOTE_ADDR%" -f 0+%REMOTE_ADDR% -n BLOCK -x 1>>logs\modsec.log 2>&1
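As an added example (not from any poster in this thread, and not part of cPanel, APF or ModSecurity), here is a small Python script that does by program what the replies above do by hand: it reads Apache access-log and error-log lines like the ones quoted in the thread, keeps only those carrying the DFind signature (matched case-insensitively, since the scanner shows up as both w00tw00t.at.isc.sans.dfind and w00tw00t.at.ISC.SANS.DFind), tallies probes per client IP, and prints apf -d deny lines in the syntax quoted earlier so you can review them before applying anything. The function names, the sample log lines and the IP addresses are constructed for this example.

```python
"""Count DFind / w00tw00t probes per client IP from Apache log lines.

Added example for this thread, not from any poster. The sample lines below are
constructed to mirror the two formats quoted in the thread (access log and
error log); the IP addresses are documentation-range placeholders.
"""
import re
from collections import Counter

# The scanner's signature, matched case-insensitively because the thread shows
# it in two capitalisations.
SIGNATURE = re.compile(r"w00tw00t\.at\.isc\.sans\.dfind", re.IGNORECASE)

# Common/combined access-log format: the client IP is the first field.
ACCESS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ")
# Apache 2.2 error-log format: "[client 1.2.3.4]" after the log level.
ERROR_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(line):
    """Return the client IP from an access- or error-log line, or None.

    The access-log form is tried first so that a request string containing
    "[client x.x.x.x]" cannot masquerade as an error-log entry.
    """
    m = ACCESS_RE.match(line) or ERROR_RE.search(line)
    return m.group("ip") if m else None


def probe_counts(lines):
    """Return a Counter of IP -> number of lines carrying the DFind signature."""
    counts = Counter()
    for line in lines:
        if not SIGNATURE.search(line):
            continue  # ordinary traffic, ignore
        ip = client_ip(line)
        if ip is None:
            continue  # signature hit but no recognisable IP (e.g. truncated line)
        counts[ip] += 1
    return counts


def block_commands(counts, threshold=1):
    """Build 'apf -d <ip>' commands for IPs with at least `threshold` probes.

    apf -d is the APF deny syntax quoted in the thread. The list is meant for
    review rather than blind execution, since scanner IPs rotate.
    """
    return ["apf -d %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]


# Constructed sample lines (placeholder IPs); formats follow the thread's quotes.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
192.0.2.10 - - [11/Jul/2008:18:29:01 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
[Fri Jul 11 09:21:06 2008] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind : )
[Fri Jul 11 10:36:15 2008] [error] [client 198.51.100.7] client denied by server configuration: /var/www/html/w00tw00t.at.isc.sans.dfind
[Fri Jul 11 10:40:00 2008] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
"""

if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:<16} {n}")
    print("\n".join(block_commands(counts)))
```

On a real server you would feed it the access and error logs instead of SAMPLE_LOG (for example `probe_counts(open("/var/log/apache2/error.log"))`); raising the threshold filters out one-off hits so only repeat probers end up in the review list.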