Are there many of these error messages? If yes, that means attempts have been made to find known vulnerabilities on your server. It doesn't matter if you don't have anything matching those URLs on your server; the attackers/hackers will keep checking and trying until they find a backdoor into your server. If your server is not secure, get ready for a serious headache.
Greetings from Greece. I'm sorry to dig this old thread up, but I'm having the exact same problem, which causes one server to crash:

Code:
XXX.XXX.XXX.XXX - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"

Is there any way to get rid of it? I'm getting it in many logs, many times a day. I added it to mod_sec for now so that it doesn't use my server resources.
Getting it here too. Some more IPs doing the probes: 67.142.130.41 70.85.142.72 Is anyone else getting it from the same IPs? For the past two days, this same group of IPs has been taking turns every few hours. If you have APF firewall: Change the IP accordingly. Seems one of them is coming from a server, and his PHP version is out of date. Maybe I ought to do a little probing myself and see how he likes it. Also report these douchebags to their ISP! I just reported every one of mine. If they get their service cut, there's not much they can hack with no internet access. Get their ISP's abuse email: http://whois.domaintools.com/195.146.142.2 (Change IP accordingly) Send a copy of the excerpts from your log where it shows them testing your site for the exploit.
It's a web vulnerability scanner, DFind; that is its signature. http://www.symantec.com/security_response/writeup.jsp?docid=2005-011411-1411-99
Don't waste your time trying to block the IP or reporting them to anyone. If your machine is responding to them with errors, or denying or blocking them, then you are probably OK. If your machine is allowing attack requests to go through and get processed, then learn how to protect your machine with firewalls, mod_security and the various add-on programs that watch for brute-force intrusion or other hacking attempts. Blocking individual IPs or reporting them to ISPs is a waste of time and effort. Most of the "hackers" are robots, so their IPs will change all the time, and most ISPs don't give a damn about anyone but themselves and won't do anything without a police report or a court order.
I would normally say reporting is a waste of time, but if this were the case, AOL and the like wouldn't be blacklisting domains for spamming when their users use the "report spam" feature. The odd ISP does care, but I suspect most do not. It took me less than 2 minutes to copy a line from my log and email each ISP, so no skin off my teeth if nothing comes of it. At least I tried. Blocking the IPs should help, in my case. It's been the same group probing me for two days now. One of them I happen to house my server on, so they'd better take an abuse complaint seriously.
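The triage the posts above describe (count the probes per source address, check what the server actually answered, keep an excerpt for the abuse complaint, and feed the addresses to APF) as an added example in Python. This is not code from the thread. The log lines are constructed and use documentation addresses; `apf -d HOST COMMENT` is APF's deny-host form; the count threshold and the output formats are my own choices.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Apache "combined" log format, which is the shape of the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The DFind scanner literally requests this path; matching the prefix catches all variants.
DFIND_MARKER = "w00tw00t.at."

# Constructed sample log (not from the thread). Two scanners: one is rejected with 400,
# the other gets a 200 because a catch-all vhost served it content.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
203.0.113.5 - - [11/Jul/2008:18:29:01 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
198.51.100.9 - - [11/Jul/2008:20:02:11 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 200 1532 "-" "-"
192.0.2.44 - - [11/Jul/2008:20:03:40 +0300] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2008:02:15:03 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text):
    """Group DFind probes by source IP.

    Returns {ip: {"count", "first", "last", "served", "lines"}}. "served" is True when
    any probe got a 2xx/3xx back, i.e. the server processed it instead of rejecting it,
    which is the case the thread says you should actually worry about.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or DFIND_MARKER not in rec["req"]:
            continue
        try:
            ip_address(rec["ip"])  # drop garbage in the client field
        except ValueError:
            continue
        h = hits.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"],
                                        "served": False, "lines": []})
        h["count"] += 1
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        if rec["status"] < 400:
            h["served"] = True
        h["lines"].append(line)
    return hits


def apf_deny_commands(hits, min_count=1):
    """APF deny-host commands for sources with at least min_count probes."""
    return [f"apf -d {ip} 'DFind probe x{h['count']}'"
            for ip, h in sorted(hits.items()) if h["count"] >= min_count]


def abuse_excerpt(hits, ip):
    """Header plus the raw log lines for one source, ready to paste into an abuse report."""
    h = hits[ip]
    header = (f"Source {ip} sent {h['count']} DFind scanner probes between "
              f"{h['first'].isoformat()} and {h['last'].isoformat()}:")
    return "\n".join([header] + h["lines"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, h in sorted(found.items()):
        flag = "SERVED CONTENT, investigate" if h["served"] else "rejected"
        print(f"{ip}: {h['count']} probes, {flag}")
    print("\n".join(apf_deny_commands(found, min_count=2)))
    print(abuse_excerpt(found, "198.51.100.9"))
```

Run it against your real access log by replacing `SAMPLE_LOG` with the file contents; the source that was served a 200 is the one to look at first, because the 400s are what a correctly configured server should be returning for that path.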
Hello, how do I protect my machine against DFind? I searched on Google and the solution is to use fail2ban, but fail2ban is not integrated into cPanel/WHM. Any other solutions?
In Windows, one could:

<<httpd.conf>>
SecRuleEngine On
# ModSecurity 2.7 and later refuse rules without a unique id; 1000001 is an arbitrary choice.
# The pattern is a regex, so the unescaped dots in "r57.php" and "c99.php" match any character.
SecRule REQUEST_URI "w00tw00t|r57.php|c99.php|xampp|typo3" "id:1000001,log,exec:/www/apache/modules/mod_security2/modsec.cmd"

<<modsec.cmd>>
@echo off
rem ModSecurity passes the transaction to the script through environment variables.
echo %REMOTE_ADDR% %REQUEST_URI% >> logs\modsec.log
rem Static IPsec policy "Block": a mirrored filter (+) between this host (0) and the remote
rem address, negotiation policy BLOCK, activated immediately (-x).
ipseccmd -w REG -p "Block" -r "Block %REMOTE_ADDR%" -f 0+%REMOTE_ADDR% -n BLOCK -x 1>>logs\modsec.log 2>&1
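The same idea on a Linux/cPanel box without fail2ban, as an added example that is not code from the thread: a ModSecurity `exec` hook in Python that adds an iptables DROP rule for the probing address. Assumptions, all mine: the rule id and script path in the docstring; that ModSecurity 2.x exposes `REMOTE_ADDR` and `REQUEST_URI` to the hook as environment variables (the script fails closed if it does not); the state-file path; and the never-block network list. Unlike the batch version it validates the address before using it and builds the command as an argv list rather than a shell string, and it refuses to block loopback, RFC 1918 and link-local ranges so a misrouted request cannot lock you out.

```python
#!/usr/bin/env python3
"""ModSecurity 'exec' hook that blocks the probing address with iptables.

Pair it with a rule such as (assumed id and path, not from the thread):
    SecRule REQUEST_URI "w00tw00t|r57\\.php|c99\\.php" \\
        "id:1000002,log,deny,status:403,exec:/usr/local/sbin/dfind-block.py"
ModSecurity 2.x runs the script with no arguments; REMOTE_ADDR and REQUEST_URI
are assumed to arrive via the environment.
"""
import ipaddress
import os
import subprocess
import sys

# Ranges that must never be blocked (constructed list; add your own public ranges).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]
STATE_FILE = "/var/lib/dfind-block/blocked.txt"  # assumed path; one address per line


def parse_remote_addr(raw):
    """Return a validated IPv4/IPv6 address object, or None for anything else."""
    try:
        return ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None


def should_block(ip, already_blocked, never_block=NEVER_BLOCK):
    """Block only addresses that are valid, outside never_block and not blocked yet."""
    if ip is None:
        return False
    if any(ip in net for net in never_block):
        return False
    return str(ip) not in already_blocked


def block_command(ip):
    """iptables/ip6tables invocation as an argv list: no shell, so nothing to inject."""
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def load_blocked(path):
    """Addresses already blocked by earlier runs; missing file means none."""
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def main():
    ip = parse_remote_addr(os.environ.get("REMOTE_ADDR", ""))
    uri = os.environ.get("REQUEST_URI", "?")
    if not should_block(ip, load_blocked(STATE_FILE)):
        return 0
    subprocess.run(block_command(ip), check=True)
    os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
    with open(STATE_FILE, "a") as f:
        f.write(f"{ip}\n")
    print(f"blocked {ip} after {uri!r}")  # ModSecurity records the script's output
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook runs as the Apache user, which cannot call iptables directly, so in practice `block_command` is prefixed with `sudo` and a sudoers entry limited to that exact command; on an APF box you would return `["apf", "-d", str(ip), "DFind probe"]` instead. The state file also gives you a list to expire, since the thread's point that scanner addresses change all the time cuts both ways: a rule set that only grows will eventually block a reassigned address.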