Thread: /w00tw00t.at.isc.sans.dfind:)

  1. #1
    Registered Member
    Join Date
    Sep 2004
    Posts
    38

/w00tw00t.at.isc.sans.dfind:)

I found this in my Apache access log: /w00tw00t.at.isc.sans.dfind. What is this?

  2. #2
    Registered Member
    Join Date
    Sep 2004
    Posts
    38



  3. #3
    Registered Member cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    Quote Originally Posted by MrNone
    I found this in my Apache access log: /w00tw00t.at.isc.sans.dfind. What is this?
    Are there many of this error message? If yes, that means attempts have been made to find known vulnerabilities in your server. It doesn't matter if you don't have anything matching those URLs on your server - the attackers/hackers will keep checking and trying until they find a backdoor to access your server. If your server is not secure, get ready for a serious headache.
    Andy Reed
    CCNA, RHCE, and Ubuntu Technologist
    ServerTune.com

  4. #4
    Registered Member
    Join Date
    Sep 2004
    Posts
    38


I found only 2 records. What must I do?

  5. #5
    Registered Member cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    Quote Originally Posted by MrNone
    I found only 2 records. What must I do?
    Assuming that your server is secure, keep an eye as hackers keep coming back.
    Andy Reed
    CCNA, RHCE, and Ubuntu Technologist
    ServerTune.com

  6. #6
    Registered Member cPanel Partner NOC Badge
    Join Date
    Dec 2003
    Location
    Athens/GREECE
    Posts
    193
    cPanel/WHM Access Level

    DataCenter Provider


    Greetings from Greece,

    I'm sorry to dig this old thread up, but I'm having the exact same problem which causes one server to crash:


    Code:
    XXX.XXX.XXX.XXX - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
Is there any way to get rid of it? I'm getting it in many logs, many times a day. I added it to mod_sec for now so that it does not use my server resources.
    Last edited by gvard; 07-11-2008 at 11:13 AM.
    Sincerely,

    George Vardikos
    HyperHosting Internet Services

  7. #7
    Registered Member
    Join Date
    May 2007
    Posts
    78


    Getting it here too:
    [Fri Jul 11 09:21:06 2008] [error] [client 195.146.142.2] client denied by server configuration: /home/xx/public_html/i$
    $tion 14.23): /w00tw00t.at.ISC.SANS.DFind : )
    [Fri Jul 11 10:36:15 2008] [error] [client 89.106.8.232] client sent HTTP/1.1 request without hostname (see RFC2616 section 1$
    $tion 14.23): /w00tw00t.at.ISC.SANS.DFind : )
    Some more IPs doing the probes:
    67.142.130.41
    70.85.142.72

Is anyone else getting it from the same IPs? For the past two days, this same group of IPs has been taking turns every few hours.

    If you have APF firewall:
    apf -d 70.85.142.72 single ip
    Change the IP accordingly.


    Seems one of them is coming from a server, and his PHP version is out of date. Maybe I ought to do a little probing myself and see how he likes it.

    Also report these douchebags to their ISP! I just reported every one of mine. If they get their service cut, not much they can hack with no internet access.
    Get their ISP abuse email: http://whois.domaintools.com/195.146.142.2 (Change IP accordingly)

    Send a copy of the excerpts from your log where it shows them testing your site for the exploit.
    Last edited by bls24; 07-11-2008 at 03:19 PM.
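The two log formats quoted in this thread (the access-log "GET /w00tw00t.at.ISC.SANS.DFind:)" line in post #6 and the error-log "client denied" / "request without hostname" lines in post #7) can both be scanned for the DFind marker with a short script, so that the source addresses are collected from the log rather than picked out by hand. The following Python is an added example written for this thread, not code posted by any of the participants; the log lines embedded in it are constructed samples using documentation-range addresses, and the match covers the upper- and lower-case spellings of the marker, with or without the space before the smiley, as they appear in the quoted logs. Its output is the per-IP count, plus the list of repeat offenders in the form the apf command from post #7 expects.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread); the addresses are
# documentation-range IPs. The first three are Apache combined access-log
# lines, the last three are Apache error-log lines.
SAMPLE_LINES = [
    '192.0.2.10 - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"',
    '192.0.2.10 - - [11/Jul/2008:18:29:01 +0300] "GET /w00tw00t.at.isc.sans.dfind:) HTTP/1.1" 400 406 "-" "-"',
    '198.51.100.7 - - [11/Jul/2008:18:30:12 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '[Fri Jul 11 09:21:06 2008] [error] [client 203.0.113.5] client denied by server configuration: /home/xx/public_html/w00tw00t.at.ISC.SANS.DFind : )',
    '[Fri Jul 11 10:36:15 2008] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind : )',
    '[Fri Jul 11 10:40:00 2008] [error] [client 198.51.100.7] File does not exist: /home/xx/public_html/favicon.ico',
]

# The scanner's marker as it shows up in this thread: either case, and the
# smiley with or without surrounding whitespace.
DFIND_RE = re.compile(r"w00tw00t\.at\.isc\.sans\.dfind\s*:\s*\)", re.IGNORECASE)

# Access log: client IP, then the quoted request line and status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Error log (Apache 2.2 style, as quoted above): timestamp, level, client IP, message.
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] (?P<msg>.*)$'
)


def parse_line(line):
    """Return (client_ip, text_to_inspect) for an access- or error-log line, else None."""
    m = ACCESS_RE.match(line)
    if m:
        return m.group("ip"), m.group("req")
    m = ERROR_RE.match(line)
    if m:
        return m.group("ip"), m.group("msg")
    return None


def dfind_hits(lines):
    """Count lines carrying the DFind marker, keyed by client IP."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrecognised format: skip rather than guess an IP
        ip, text = parsed
        if DFIND_RE.search(text):
            counts[ip] += 1
    return counts


def ips_to_block(lines, threshold=2):
    """IPs seen probing at least `threshold` times, sorted for stable output."""
    return sorted(ip for ip, n in dfind_hits(lines).items() if n >= threshold)


if __name__ == "__main__":
    # In practice: dfind_hits(open("/usr/local/apache/logs/error_log"))
    for ip, n in dfind_hits(SAMPLE_LINES).most_common():
        print(f"{ip}\t{n}")
    # Same shape as the apf invocation given in post #7 (second argument is the comment).
    for ip in ips_to_block(SAMPLE_LINES):
        print(f"apf -d {ip} 'DFind scanner'")
```

The threshold keeps a single probe from a shared address from producing a block; the scanner in this thread repeats from the same source, so two or more hits is a reasonable cut-off before any address is fed to apf or a mod_security rule.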

  8. #8
    Registered Member jenlepp's Avatar
    Join Date
    Jul 2005
    Location
    Liberty Hill, TX
    Posts
    116
    cPanel/WHM Access Level

    DataCenter Provider


It's a web vulnerability scanner, DFind; that is its signature.

    http://www.symantec.com/security_res...011411-1411-99
    Jen Lepp
    Director of Customer Service
    A Small Orange Homegrown Hosting | http://www.asmallorange.com

  9. #9
    Registered Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,120


    Don't waste your time trying to block the ip or reporting them to anyone.

    If your machine is responding to them as errors or denied or blocked, then you are probably ok. If your machine is allowing attack requests to go through and get processed, then learn how to protect your machine with firewalls, mod_security and the various add on programs that watch for brute force intrusion or other hacking attempts.

Blocking individual IPs or reporting them to ISPs is a waste of time and effort. Most of the "hackers" are robots, so their IPs will change all the time, and most ISPs don't give a damn about anyone but themselves and won't do anything without a police report or a court order.
"A dog has raised its hind leg on the age of nevermore!"
    -- Rolf

  10. #10
    Registered Member
    Join Date
    May 2007
    Posts
    78


    I would normally say reporting is a waste of time, but if this were the case AOL and the like wouldn't be blacklisting domains for spamming when their users use the "report spam" feature.

    The odd ISP does care, but I suspect most do not. Took me less than 2 minutes to copy a line from my log and email each ISP, so no skin off my teeth if nothing happens of it. At least I tried.

    Blocking the IPs should help, in my case. It's been the same group probing me for two days now.

    One of them I happen to house my server on, so they'd better take an abuse complaint seriously.

  11. #11
    Registered Member
    Join Date
    Jun 2009
    Posts
    21


    Hello,

How do I protect my machine against DFind?

I searched on Google and the solution is to use fail2ban, but fail2ban is not integrated into cPanel/WHM.

Any other solutions?

  12. #12
    Registered User
    Join Date
    Apr 2010
    Posts
    1


    In Windows, one could:

    <<httpd.conf>>
    SecRuleEngine On
    SecRule REQUEST_URI "w00tw00t|r57.php|c99.php|xampp|typo3" "log,exec:/www/apache/modules/mod_security2/modsec.cmd"

    <<modsec.cmd>>
    echo %REMOTE_ADDR% %REQUEST_URI% >> logs\modsec.log
    ipseccmd -w REG -p "Block" -r "Block %REMOTE_ADDR%" -f 0+%REMOTE_ADDR% -n BLOCK -x 1>>logs\modsec.log 2>&1
