Wednesday, August 19, 2009

Seeing w00tw00t.at.ISC.SANS.DFind in Apache logs

SkyHi @ Wednesday, August 19, 2009
I started seeing these ERROR logs in Apache this morning. Somebody is trying to see whether a file named “w00tw00t.at.ISC.SANS.DFind” exists on the server or not. A little research revealed that I am not the only one targeted by these attacks; there were others (examples: from Webmasterworld, from Sans).

Log entries containing w00tw00t.at.ISC.SANS.DFind are the traces of the DLink vulnerability scanner, which probes for flaws it can exploit to gain ‘root’ rights on the server. Unless you actually have such a vulnerability, you are not exposed to these attacks. You don’t have to panic right now, but do a little research. I would advise the following:

* Check your /public_html/ or /http_docs/ folder to see whether those files really exist or not.
* If you have root rights on your server, check the processes running on it:
# ps -ef
If you don’t have root rights, contact your hosting company.
* lsof will show you the open files on the server. If you know for a fact that sshd, httpd, mysqld and cpanel are running on the server and that they are safe, you can try:
# lsof | egrep -v "(sshd|httpd|mysqld|cpanel)"
This quickly reveals the remaining open files on the server; by skimming through the list you can spot odd names like “./httpd, ./ps, ./w00t”. Then find out where those processes are running from and delete them. Delete the file on disk first, then kill the process to unload it from memory.
* I would suggest disabling the FTP server and any other service that you cannot keep updated and that is not very mission critical.

As far as I can see from my log files, there are different variations of traces of this scanner:
w00tw00t.at.ISC.SANS
w00tw00t.at.ISC.SANS.DFind
w00tw00t.at.ISC.SANS.test0

The full log entry looks like this:

[error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
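As an added example (not code from the original post), here is a small Python checker that scans Apache error-log lines for the three probe variants listed above, in both the full and the truncated line shapes shown, and groups the client IPs per variant. The sample log is constructed; its IPs are RFC 5737 documentation addresses, not the scanners from the post.

```python
import re
from collections import defaultdict

# Matches the two line shapes shown in the post: the full Apache message
# ("client sent HTTP/1.1 request without hostname ...") and the truncated
# one that only keeps the RFC reference before the requested path.
W00T_RE = re.compile(
    r"\[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r".*?/(?P<probe>w00tw00t\.at\.ISC\.SANS(?:\.[A-Za-z0-9]+)?)"
)


def find_scanner_probes(log_lines):
    """Return {probe_variant: sorted list of client IPs} for matching lines.

    Lines that do not carry a w00tw00t probe (normal 404s etc.) are ignored.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = W00T_RE.search(line)
        if m:
            hits[m.group("probe")].add(m.group("ip"))
    return {probe: sorted(ips) for probe, ips in hits.items()}


def total_unique_clients(hits):
    """Number of distinct client IPs across all probe variants."""
    return len(set().union(*hits.values())) if hits else 0


# Constructed sample log (hypothetical entries, documentation IPs only).
SAMPLE_LOG = """\
[Wed Aug 19 08:01:12 2009] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Aug 19 08:02:30 2009] [error] [client 198.51.100.7] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.test0
[Wed Aug 19 08:03:44 2009] [error] [client 192.0.2.10] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[Wed Aug 19 08:04:00 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Wed Aug 19 08:05:19 2009] [error] [client 198.51.100.9] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS
"""

if __name__ == "__main__":
    found = find_scanner_probes(SAMPLE_LOG.splitlines())
    for probe, ips in sorted(found.items()):
        print(f"{probe}: {len(ips)} client(s): {', '.join(ips)}")
    print(f"distinct scanning clients: {total_unique_clients(found)}")
```

A hit only confirms that a scanner probed the server; it says nothing about whether the host is vulnerable, so the process and open-file checks above are still the ones that matter.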

These are the attacker bees I captured in the last 2-3 days:
