LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Problems with w00tw00t (http://www.linuxquestions.org/questions/linux-networking-3/problems-with-w00tw00t-4175451596/)

junkyhlm 02-25-2013 04:31 AM

Problems with w00tw00t
 
I have big troubles with my server. I'm running a Ubuntu Server 12.04 system using two physical NIC's and this morning i found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log

Luckily i've got a second NIC to access my server on but when trying to connect to the first NIC i cant find the server.

When checking www.whatsmyip.org i have a new IP each time. How can i remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but i cant find anything on my server.

descendant_command 02-25-2013 05:16 AM

So what, exactly, does the log entry say?

If your IP is changing it is usually because you are on a dynamic allocation plan.
If your hosts DNS A record points to an IP you no longer occupy, then no, you won't be able to connect by domain name.
This is unrelated to your log entries.

Also, none of this has anything to do with iptables.

unSpawn 02-25-2013 05:17 AM

Quote:

Originally Posted by junkyhlm (Post 4899130)
this morning i found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log (..) How can i remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but i cant find anything on my server.

It's not an error, it's a remote vulnerability scanner (see ye aulde http://isc.sans.org/diary.html?storyid=900) and I don't see what iptables has to do with it.


Quote:

Originally Posted by junkyhlm (Post 4899130)
Luckily i've got a second NIC to access my server on but when trying to connect to the first NIC i cant find the server.

Huh?


Quote:

Originally Posted by junkyhlm (Post 4899130)
When checking www.whatsmyip.org i have a new IP each time.

Use some free dynamic DNS service?

junkyhlm 02-25-2013 05:21 AM

Ok but when looking up one of the it's that www.whatsmyip.org says I have I originates in China and when reading about w00tw00t one of the taglines is that it's using spoofed IP's from China, India etc.

I want to know why I can't connect to my external ip.

unSpawn 02-25-2013 06:02 AM

Quote:

Originally Posted by junkyhlm (Post 4899154)
when looking up one of the ip's that www.whatsmyip.org says I have I originates in China

Unless you know you rented a virtual, shared or whatever server in the PRC (who would anyway?) you're probably doing something wrong.


Quote:

Originally Posted by junkyhlm (Post 4899154)
when reading about w00tw00t one of the taglines is that it's using spoofed IP's from China, India etc.

If you look at your access_log and error_log you'll probably note all return codes are all 4xx ones like 404, 403, etc, etc meaning the scanner doesn't find anything. Bottom line is that as long as you only run supported, current software releases, have hardened your server and your web stack and regularly audit the machine you've got (almost) nothing to fear from any remote scanners.


Quote:

Originally Posted by junkyhlm (Post 4899154)
I want to know why I can't connect to my external ip.

Are they both connected? Did you check your servers network configuration and 'ifconfig' or 'ip link show' output for which external IP addresses it has? Does your web server / SSH daemon listen on those addresses?

junkyhlm 02-25-2013 06:12 AM

Nothing listens to the connections. My configuration is as follows:

Eth0
Behind router (DLink DIR-655)
This is the iface that apache uses for the webbservern.

Eth1
Backup entrance that I don't usually use.

When checking the log files I saw the w00tw00t entries and started to read about them. Shortly after I wasn't able to connect to my eth0 ext ip. Then i tried to look up my ip since I thought that I had gotten a new one, at www.whatsmyip.org since that site seemed to be the only one that reported the eth0 ip.

When checking the router status i had a working ip but I could not connect the server on it. I will check my router settings when I get home (since I retarded the fucker and now I can't access the ui any more).

unSpawn 02-25-2013 07:40 AM

Quote:

Originally Posted by junkyhlm (Post 4899189)
I retarded the fucker

...and there you have it. Ace assessment BTW but please mind your language, TIA.

junkyhlm 02-25-2013 07:42 AM

Quote:

Originally Posted by unSpawn (Post 4899237)
...and there you have it. Ace assessment BTW but please mind your language, TIA.

Haha sorry. It should say "restarted" and yeah I will mind my language but I'm frustrated. Sorry.

unSpawn 02-25-2013 08:06 AM

It's prolly your phones auto-completion fscking up ;-p

junkyhlm 02-25-2013 08:09 AM

Quote:

Originally Posted by unSpawn (Post 4899261)
It's prolly your phones auto-completion fscking up ;-p

True that ;-) I'll get back to this thread when Ok we home and can debug my network.

junkyhlm 02-26-2013 03:58 AM

It seems like it was my router that was faulty and evil. And w0tw00t was just a coincidence.


All times are GMT -5. The time now is 07:18 AM.