W00tw00t.at.ISC.SANS.DFind:)
From Flo's Knowledge in a Nutshell
Jump to: navigation, search
Introduction
I do a periodical check of my logfiles and I was nerved by a scriptkiddie tool calles DFind, which has the fingerprint W00tw00t.at.ISC.SANS.DFind:)
Approach
* Scan Logfiles
* Block relevant IP adresses
* Cleanup Logfiles
Implementation
* Script is located unter /etc/cron.hourly
#!/bin/sh
IPTABLES="/sbin/iptables"
#wootwootiptables
for ip in `cat /var/log/apache2/error.log |grep w00tw00t | awk '{print $8}' | sed 's/]//g' | sort -ug` ; do
countoff=$[$countoff+1]
countwoot=$[$countwoot+1]
$IPTABLES -I INPUT -s $ip -j DROP
$IPTABLES -I OUTPUT -s $ip -j DROP
done
#cleanup the logfiles
sed -i '/w00tw00t/ d' /var/log/apache2/error.log
sed -i '/w00tw00t/ d' /var/log/apache2/access.log
=============================================
=============================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere dc-east.prod2.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere dc-west.prod1.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere n3twork.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
DROP tcp -- anywhere catalyst.pdxdns.net tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
My Blog List
-
What Is Alma Linux? A Free and Open-Source Enterprise Grade OS - The release of AlmaLinux created quite a buzz in the Linux community back in February of 2021. The distro is a forever-free alternative to Red Hat Enterp...18 hours ago
-
How to configure AWS SES with Postfix MTA on Debian Linux - [image: See all Amazon AWS web services related articles/faq] AWS SES (Amazon Simple Email Service) is a cloud-based email-sending service that is both rel...6 days ago
-
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples - When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the s...1 year ago
-
Clusterssh – Administer multiple ssh or rsh shells simultaneously - Sponsored Link The command opens an administration console and an xterm to all specified hosts. Any text typed into the administration console is replicate...3 years ago
-
Web Application Vulnerability Scanning Tools - Web Application Vulnerability Scanning Tools Nessus http://www.tenable.com/products/nessus PortSwigger https://portswigger.net/ qualys https://www.qualys....5 years ago
-
What You Don’t Know About Linux Open Source Could Be Costing to More Than You Think - Guest post by Marc Fisher If you would like to test out Linux before completely switching it as your everyday driver, there are a number of means by which ...6 years ago
-
Resolving Sysprep problems with App-X packages (Part 1) - This is the first of two articles explaining how to fix systems that won't Sysprep if Windows Native/App-X applications have been removed and Windows patches.6 years ago
-
V2V Communications security considerations - The future of vehicles, road infrastructure and driving are changing. We are progressing with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) ...6 years ago
-
10 UNIX / Linuz Size Command Examples for ObjectFiles - Linux size is part of GNU binutils. This utility is very helpful for programmers to analyze the data from the executable files (or object files). By defaul...9 years ago
-
Updating VMware Tools on Red Hat Enterprise/Scientific/CentOS Linux 6 for VMware ESXi 5 - In a previous post I discussed installing the open source VMware tools for Red Hat Enterprise/Scientific/CentOS Linux 6 from a yum package repository provi...12 years ago
