
W00tw00t at isc sans dfind
Usually, servers affected by this get the following in the Apache error.log (/var/log/apache2/error.log):

Client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.:)

It is caused by a script kiddie port scanner; such requests usually originate from Turkey, Romania and Russia. Once in a while it is not an issue, but if you get too many of these messages it is sometimes useful to filter them with a simple iptables rule:

debian:~# /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC.SANS." --algo bm --to 70 -j DROP

What the above command does is inspect the first 70 bytes of each packet to port 80 (--to 70) and check whether they contain the string "GET /w00tw00t.at.ISC.SANS." using the Boyer-Moore algorithm (--algo bm); if the string is matched the packet jumps to the DROP target and is discarded. Note that only the matching packet is dropped, not all further traffic from that IP.

Of course, on busy servers checking every incoming client TCP/IP request for a certain string might not be very efficient and can even become a bottleneck, so I don't know whether filtering /w00tw00t.at.:) this way is good or bad practice. Generally, though, it is wise to filter IPs doing the request anyway, since they could go on to try various script kiddie cracking tools and port scanners, and some of them might be hosts attempting DoS or DDoS.

It is also useful to store the rule for later with:

debian:~# /sbin/iptables-save > /root/iptables_rules.txt

Then you can load /root/iptables_rules.txt back with:

debian:~# /sbin/iptables-restore < /root/iptables_rules.txt

A common way to keep the iptables rule loaded on system boot is to add the /iptables-restore command to /etc/rc.local.

Some alternative methods to filter IPs issuing GET /w00tw00t.at.:) to Apache are fail2ban, denyhosts, blockhosts, or Apache mod_security filters.

You can read further information on what the DFind hacktool does here.
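As an added example (not code from the original post), the POSIX shell functions below take the per-IP approach the text favours: they pull the clients that already sent the probe out of error.log and print one per-source DROP rule for each, so the kernel does not have to string-match every packet to port 80. The log lines, addresses and the default threshold of 2 probes are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: block only the clients that have
# already sent the w00tw00t probe, instead of string-matching every packet to
# port 80 (the possible bottleneck mentioned above).

# Write constructed sample error.log lines (Apache 2.2 style, plus one entry in
# the 2.4 "[client ip:port]" style) to a temp file and print its path.
write_sample_log() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
[Thu Sep 29 10:01:02 2011] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Sep 29 10:01:03 2011] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Sep 29 10:05:44 2011] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Thu Sep 29 10:07:10 2011] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Sep 29 11:12:00 2011] [error] [client 198.51.100.7:40311] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
EOF
    echo "$sample"
}

# Print "count ip" for each client that sent the probe, busiest first. The sed
# capture stops at ']' or ':', so both client-address formats are handled.
w00tw00t_ips() {
    grep -F '/w00tw00t.at.' "$1" \
        | sed -n 's/.*\[client \([0-9.][0-9.]*\)[]:].*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print one per-source DROP rule for every client at or above the threshold
# (default 2 probes). Rules are printed for review, not applied.
w00tw00t_rules() {
    w00tw00t_ips "$1" | awk -v min="${2:-2}" \
        '$1 >= min { printf "/sbin/iptables -A INPUT -p tcp --dport 80 -s %s -j DROP\n", $2 }'
}

log_file=$(write_sample_log)
w00tw00t_ips "$log_file"
w00tw00t_rules "$log_file" 2
rm -f "$log_file"
```

Run it against the real /var/log/apache2/error.log and pipe the printed rules to sh only after checking that no legitimate client made the list.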