LinuxQuestions.org


junkyhlm 02-25-2013 04:31 AM

Problems with w00tw00t
 
I have big troubles with my server. I'm running an Ubuntu Server 12.04 system using two physical NICs and this morning I found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log.

Luckily I've got a second NIC to access my server on, but when trying to connect to the first NIC I can't find the server.

When checking www.whatsmyip.org I have a new IP each time. How can I remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but I can't find anything on my server.

descendant_command 02-25-2013 05:16 AM

So what, exactly, does the log entry say?

If your IP is changing it is usually because you are on a dynamic allocation plan.
If your host's DNS A record points to an IP you no longer occupy, then no, you won't be able to connect by domain name.
This is unrelated to your log entries.

Also, none of this has anything to do with iptables.

unSpawn 02-25-2013 05:17 AM

Quote:

Originally Posted by junkyhlm (Post 4899130)
this morning I found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log (..) How can I remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but I can't find anything on my server.

It's not an error, it's a remote vulnerability scanner (see ye aulde http://isc.sans.org/diary.html?storyid=900) and I don't see what iptables has to do with it.


Quote:

Originally Posted by junkyhlm (Post 4899130)
Luckily I've got a second NIC to access my server on, but when trying to connect to the first NIC I can't find the server.

Huh?


Quote:

Originally Posted by junkyhlm (Post 4899130)
When checking www.whatsmyip.org I have a new IP each time.

Use some free dynamic DNS service?

junkyhlm 02-25-2013 05:21 AM

OK, but when looking up one of the IPs that www.whatsmyip.org says I have, it originates in China, and when reading about w00tw00t one of the taglines is that it's using spoofed IPs from China, India etc.

I want to know why I can't connect to my external ip.

unSpawn 02-25-2013 06:02 AM

Quote:

Originally Posted by junkyhlm (Post 4899154)
when looking up one of the IPs that www.whatsmyip.org says I have, it originates in China

Unless you know you rented a virtual, shared or whatever server in the PRC (who would anyway?) you're probably doing something wrong.


Quote:

Originally Posted by junkyhlm (Post 4899154)
when reading about w00tw00t one of the taglines is that it's using spoofed IPs from China, India etc.

If you look at your access_log and error_log you'll probably note all return codes are 4xx ones like 404, 403, etc., meaning the scanner doesn't find anything. Bottom line is that as long as you only run supported, current software releases, have hardened your server and your web stack and regularly audit the machine, you've got (almost) nothing to fear from any remote scanners.


Quote:

Originally Posted by junkyhlm (Post 4899154)
I want to know why I can't connect to my external ip.

Are they both connected? Did you check your server's network configuration and 'ifconfig' or 'ip link show' output for which external IP addresses it has? Does your web server / SSH daemon listen on those addresses?
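
The status-code check unSpawn describes above, as an added example that is not part of the original thread: it finds every client that sent a w00tw00t probe, tallies the status codes of all requests from those clients, and lists any response that was not 4xx. The log lines, IP addresses, vhost name and request paths are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample input: documentation IPs and a made-up vhost. The first
# three lines use the vhost_combined layout of other_vhosts_access.log, the
# last two the plain combined layout of access.log.
SAMPLE_LOG = '''\
www.example.test:80 203.0.113.5 - - [25/Feb/2013:03:12:44 +0100] "GET /w00tw00t.at.isc.sans.win32 HTTP/1.1" 400 512 "-" "-"
www.example.test:80 203.0.113.5 - - [25/Feb/2013:03:12:45 +0100] "GET /old/setup.php HTTP/1.1" 404 498 "-" "-"
www.example.test:80 198.51.100.23 - - [25/Feb/2013:03:20:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.77 - - [25/Feb/2013:04:01:10 +0100] "GET /w00tw00t.at.isc.sans.win32 HTTP/1.1" 404 502 "-" "-"
198.51.100.77 - - [25/Feb/2013:04:01:11 +0100] "GET /admin/index.php HTTP/1.1" 200 2210 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?:\S+:\d+ )?'                # optional "vhost:port " prefix
    r'(?P<client>\S+) \S+ \S+ '      # client address, identd, user
    r'\[[^\]]+\] '                   # timestamp
    r'"(?P<request>[^"]*)" '         # request line
    r'(?P<status>\d{3}) '            # final status code
)

def triage(log_text, marker="w00tw00t"):
    """Summarise scanner traffic and list responses that were not 4xx."""
    entries = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    # A client counts as a scanner once any of its requests carries the marker.
    scanners = {e["client"] for e in entries if marker in e["request"].lower()}
    hits = [e for e in entries if e["client"] in scanners]
    return {
        "scanners": sorted(scanners),
        "by_status": Counter(e["status"] for e in hits),
        # Anything outside 400-499 means the server answered a probe with
        # content (or an error of its own) and deserves a manual look.
        "needs_review": [(e["client"], e["request"], e["status"])
                         for e in hits if not e["status"].startswith("4")],
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("scanner clients:", ", ".join(report["scanners"]))
    print("status codes   :", dict(report["by_status"]))
    for client, request, status in report["needs_review"]:
        print(f"REVIEW {client} got {status} for {request!r}")
```

To run it against a real log, pass the file's contents to `triage()` in place of `SAMPLE_LOG`.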

junkyhlm 02-25-2013 06:12 AM

Nothing listens to the connections. My configuration is as follows:

Eth0
Behind router (DLink DIR-655)
This is the iface that apache uses for the web server.

Eth1
Backup entrance that I don't usually use.

When checking the log files I saw the w00tw00t entries and started to read about them. Shortly after I wasn't able to connect to my eth0 ext IP. Then I tried to look up my IP, since I thought that I had gotten a new one, at www.whatsmyip.org since that site seemed to be the only one that reported the eth0 IP.

When checking the router status I had a working IP but I could not connect to the server on it. I will check my router settings when I get home (since I retarded the fucker and now I can't access the UI any more).

unSpawn 02-25-2013 07:40 AM

Quote:

Originally Posted by junkyhlm (Post 4899189)
I retarded the fucker

...and there you have it. Ace assessment BTW but please mind your language, TIA.

junkyhlm 02-25-2013 07:42 AM

Quote:

Originally Posted by unSpawn (Post 4899237)
...and there you have it. Ace assessment BTW but please mind your language, TIA.

Haha sorry. It should say "restarted" and yeah I will mind my language but I'm frustrated. Sorry.

unSpawn 02-25-2013 08:06 AM

It's prolly your phone's auto-completion fscking up ;-p

junkyhlm 02-25-2013 08:09 AM

Quote:

Originally Posted by unSpawn (Post 4899261)
It's prolly your phone's auto-completion fscking up ;-p

True that ;-) I'll get back to this thread when Ok we home and can debug my network.

junkyhlm 02-26-2013 03:58 AM

It seems like it was my router that was faulty and evil. And w00tw00t was just a coincidence.


All times are GMT -5.