
/w00tw00t.at.isc.sans.dfind:)

Discussion in 'Security' started by MrNone, Mar 18, 2006.

  1. MrNone (Active Member)
    I found /w00tw00t.at.isc.sans.dfind:) in my Apache access log. What is this?
     
  2. MrNone (Active Member)
  3. AndyReed (Well-Known Member, PartnerNOC; Minneapolis, MN)
    Are there many of these error messages? If yes, that means attempts have been made to find known vulnerabilities in your server. It doesn't matter if you don't have anything matching those URLs on your server - the attackers/hackers will keep checking and trying until they find a backdoor to access your server. If your server is not secure, get ready for a serious headache.
     
  4. MrNone (Active Member)
    I found only 2 records. What must I do?
     
  5. AndyReed (Well-Known Member, PartnerNOC; Minneapolis, MN)
    Assuming that your server is secure, keep an eye out, as hackers keep coming back.
     
  6. gvard (Well-Known Member, PartnerNOC; Athens/GREECE; cPanel Access Level: DataCenter Provider)
    Greetings from Greece,

    I'm sorry to dig this old thread up, but I'm having the exact same problem, which causes one server to crash:

    Code:
    XXX.XXX.XXX.XXX - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"

    Is there any way to get rid of it? I'm getting it in many logs, many times a day. I added it to mod_sec for now so that it doesn't use my server resources.
     
    #6 gvard, Jul 11, 2008
    Last edited: Jul 11, 2008
  7. bls24 (Well-Known Member)
    Getting it here too:
    Some more IPs doing the probes:
    67.142.130.41
    70.85.142.72

    Is anyone else getting it from the same IPs? For the past two days, this same group of IPs has been taking turns every few hours.

    If you have the APF firewall:
    Change the IP accordingly.

    Seems one of them is coming from a server, and his PHP version is out of date. Maybe I ought to do a little probing myself and see how he likes it.

    Also report these douchebags to their ISP! I just reported every one of mine. If they get their service cut, there's not much they can hack with no internet access. :)
    Get their ISP abuse email: http://whois.domaintools.com/195.146.142.2 (Change IP accordingly)

    Send a copy of the excerpts from your log where it shows them testing your site for the exploit.
     
    #7 bls24, Jul 11, 2008
    Last edited: Jul 11, 2008
  8. jenlepp (Well-Known Member; Liberty Hill, TX; cPanel Access Level: DataCenter Provider)
  9. nyjimbo (Well-Known Member; New York)
    Don't waste your time trying to block the IP or reporting them to anyone.

    If your machine is responding to them with errors, or denied or blocked, then you are probably OK. If your machine is allowing attack requests to go through and get processed, then learn how to protect your machine with firewalls, mod_security and the various add-on programs that watch for brute-force intrusion or other hacking attempts.

    Blocking individual IPs or reporting them to ISPs is a waste of time and effort. Most of the "hackers" are robots, so their IPs will change all the time, and most ISPs don't give a damn about anyone but themselves and won't do anything without a police report or a court order.
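    The triage nyjimbo describes (were the probes answered with an error, or actually served?) can be read straight out of the access log. The script below is an added example and is not code from this thread or from cPanel: it parses Apache combined-format lines, flags requests carrying the w00tw00t DFind signature, and groups them by source IP and HTTP status so you can see at a glance which sources, if any, got a 2xx back. The log lines are constructed (RFC 5737 documentation addresses shaped like the line gvard quoted), and the script only reports; it blocks nothing.

```python
"""Triage w00tw00t / DFind probe entries in an Apache access log.

Added example, not from the forum thread: parse combined-format lines,
flag requests carrying the DFind signature, and group them by source IP
and HTTP status so an admin can see whether the probes were answered with
an error (the usual, harmless outcome) or actually served with 2xx.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Signature of the DFind scanner's opening request, matched case-insensitively
# because the thread shows it both as ".isc.sans.dfind" and ".ISC.SANS.DFind".
DFIND_RE = re.compile(r"w00tw00t\.at\.isc\.sans\.dfind", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["status"] = int(entry["status"])
    return entry


def is_dfind_probe(entry):
    """True when the requested path carries the DFind signature."""
    return DFIND_RE.search(entry["path"]) is not None


def triage(lines):
    """Return {ip: {"count": n, "statuses": Counter, "served_ok": bool}} for DFind probes.

    served_ok is True if any probe from that IP got a 2xx response, which is the
    case worth investigating; 4xx answers mean the request went nowhere.
    """
    report = defaultdict(lambda: {"count": 0, "statuses": Counter(), "served_ok": False})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_dfind_probe(entry):
            continue  # unparseable or ordinary traffic: ignore
        rec = report[entry["ip"]]
        rec["count"] += 1
        rec["statuses"][entry["status"]] += 1
        if 200 <= entry["status"] < 300:
            rec["served_ok"] = True
    return dict(report)


# Constructed sample log (RFC 5737 documentation addresses), shaped like the
# line quoted in the thread; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2008:18:28:57 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 406 "-" "-"',
    '198.51.100.7 - - [11/Jul/2008:18:29:02 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Jul/2008:21:03:11 +0300] "GET /w00tw00t.at.isc.sans.dfind:) HTTP/1.1" 400 406 "-" "-"',
    '192.0.2.20 - - [12/Jul/2008:02:15:40 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 200 1024 "-" "-"',
    "this line is not an access-log entry",
]


def format_report(report):
    """Render the triage result as plain text, one line per source IP, busiest first."""
    out = []
    for ip, rec in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        statuses = ", ".join(f"{s}x{n}" for s, n in sorted(rec["statuses"].items()))
        flag = "INVESTIGATE: served 2xx" if rec["served_ok"] else "ok: rejected"
        out.append(f"{ip:<16} probes={rec['count']:<3} status={statuses:<12} {flag}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

    To run it against a real server, replace SAMPLE_LOG with the lines of the access log (for example `open("/usr/local/apache/logs/access_log")`, assuming that path); a source that only ever shows 400/404 answers is the noise the thread describes, while a 2xx is the one line worth following up.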
     
  10. bls24 (Well-Known Member)
    I would normally say reporting is a waste of time, but if this were the case AOL and the like wouldn't be blacklisting domains for spamming when their users use the "report spam" feature.

    The odd ISP does care, but I suspect most do not. Took me less than 2 minutes to copy a line from my log and email each ISP, so no skin off my teeth if nothing happens of it. At least I tried. :)

    Blocking the IPs should help, in my case. It's been the same group probing me for two days now.

    One of them I happen to house my server on, so they'd better take an abuse complaint seriously.
     
  11. katamiaw (Member)
    Hello,

    How do I protect my machine against DFind?

    I searched on Google and the solution is to use fail2ban, but fail2ban is not integrated into cPanel/WHM.

    Any other solutions?
     
  12. javaman (Registered)
    In Windows, one could:

    httpd.conf:
    Code:
    # Turn the ModSecurity rule engine on
    SecRuleEngine On
    # When the request URI contains one of these scanner/webshell signatures, log it and run the external script
    SecRule REQUEST_URI "w00tw00t|r57.php|c99.php|xampp|typo3" "log,exec:/www/apache/modules/mod_security2/modsec.cmd"

    modsec.cmd:
    Code:
    REM Record the client address and requested URI, then add an IPsec filter blocking that address
    echo %REMOTE_ADDR% %REQUEST_URI% >> logs\modsec.log
    ipseccmd -w REG -p "Block" -r "Block %REMOTE_ADDR%" -f 0+%REMOTE_ADDR% -n BLOCK -x 1>>logs\modsec.log 2>&1
     