W00tw00t.at.ISC.SANS.DFind:)
From Flo's Knowledge in a Nutshell
Jump to: navigation, search
Introduction
I do a periodical check of my logfiles and I was nerved by a scriptkiddie tool calles DFind, which has the fingerprint W00tw00t.at.ISC.SANS.DFind:)
Approach
* Scan Logfiles
* Block relevant IP adresses
* Cleanup Logfiles
Implementation
* Script is located unter /etc/cron.hourly
#!/bin/sh
IPTABLES="/sbin/iptables"
#wootwootiptables
for ip in `cat /var/log/apache2/error.log |grep w00tw00t | awk '{print $8}' | sed 's/]//g' | sort -ug` ; do
countoff=$[$countoff+1]
countwoot=$[$countwoot+1]
$IPTABLES -I INPUT -s $ip -j DROP
$IPTABLES -I OUTPUT -s $ip -j DROP
done
#cleanup the logfiles
sed -i '/w00tw00t/ d' /var/log/apache2/error.log
sed -i '/w00tw00t/ d' /var/log/apache2/access.log
=============================================
=============================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere dc-east.prod2.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere dc-west.prod1.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere n3twork.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere catalyst.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70