Old 02-25-2013, 04:31 AM   #1
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Rep: Reputation: Disabled
Problems with w00tw00t


I have big troubles with my server. I'm running an Ubuntu Server 12.04 system using two physical NICs and this morning I found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log

Luckily I've got a second NIC to access my server on but when trying to connect to the first NIC I can't find the server.

When checking www.whatsmyip.org I have a new IP each time. How can I remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but I can't find anything on my server.
 
Old 02-25-2013, 05:16 AM   #2
descendant_command
Member
 
Registered: Mar 2012
Posts: 802

Rep: Reputation: 182
So what, exactly, does the log entry say?

If your IP is changing it is usually because you are on a dynamic allocation plan.
If your host's DNS A record points to an IP you no longer occupy, then no, you won't be able to connect by domain name.
This is unrelated to your log entries.

Also, none of this has anything to do with iptables.
 
Old 02-25-2013, 05:17 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890
Quote:
Originally Posted by junkyhlm
this morning I found the annoying error of "w00tw00t.at.isc.sans.win32" in both my apache2 error.log and other_vhosts_access.log (..) How can I remove this extremely annoying bug? It seems that w00tw00t has crapped all over my iptables but I can't find anything on my server.
It's not an error, it's a remote vulnerability scanner (see ye aulde http://isc.sans.org/diary.html?storyid=900) and I don't see what iptables has to do with it.


Quote:
Originally Posted by junkyhlm
Luckily I've got a second NIC to access my server on but when trying to connect to the first NIC I can't find the server.
Huh?


Quote:
Originally Posted by junkyhlm
When checking www.whatsmyip.org I have a new IP each time.
Use some free dynamic DNS service?
 
Old 02-25-2013, 05:21 AM   #4
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Ok, but when looking up one of the IPs that www.whatsmyip.org says I have, it originates in China, and when reading about w00tw00t one of the taglines is that it's using spoofed IPs from China, India etc.

I want to know why I can't connect to my external IP.
 
Old 02-25-2013, 06:02 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890
Quote:
Originally Posted by junkyhlm
when looking up one of the IPs that www.whatsmyip.org says I have, it originates in China
Unless you know you rented a virtual, shared or whatever server in the PRC (who would anyway?) you're probably doing something wrong.


Quote:
Originally Posted by junkyhlm
when reading about w00tw00t one of the taglines is that it's using spoofed IPs from China, India etc.
If you look at your access_log and error_log you'll probably note the return codes are all 4xx ones like 404, 403, etc., meaning the scanner doesn't find anything. Bottom line is that as long as you only run supported, current software releases, have hardened your server and your web stack and regularly audit the machine, you've got (almost) nothing to fear from any remote scanners.


Quote:
Originally Posted by junkyhlm
I want to know why I can't connect to my external IP.
Are they both connected? Did you check your server's network configuration and 'ifconfig' or 'ip link show' output for which external IP addresses it has? Does your web server / SSH daemon listen on those addresses?
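
One way to check the "all 4xx" observation above against your own logs (an added example, not part of the original post): the script finds every client that requested a w00tw00t URL, tallies the status codes of all its requests, and lists any that did not get a 4xx. The log lines are constructed samples, the format is assumed to be Apache's combined format with the optional vhost:port prefix used by other_vhosts_access.log, and scanner_report and its marker parameter are names made up for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation IP ranges), not taken from the thread.
# Lines 1-2 carry the vhost:port prefix of other_vhosts_access.log; the rest
# are plain combined format as in access.log.
SAMPLE_LOG = """\
example.org:80 203.0.113.7 - - [25/Feb/2013:03:12:01 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
example.org:80 203.0.113.7 - - [25/Feb/2013:03:12:02 +0100] "GET /setup.php HTTP/1.1" 404 491 "-" "-"
198.51.100.23 - - [25/Feb/2013:04:40:10 +0100] "GET /w00tw00t.at.isc.sans.win32 HTTP/1.1" 404 480 "-" "-"
192.0.2.50 - - [25/Feb/2013:08:00:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2013:03:12:03 +0100] "GET /admin/ HTTP/1.1" 200 312 "-" "-"
"""

# Optional "vhost:port " prefix, then client, ident, user, [time], "request", status.
# Assumes IPv4 or hostname clients; a bare IPv6 client could be mistaken for the prefix.
LINE_RE = re.compile(
    r'^(?:\S+:\d+ )?(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (client, request, status) for every line that parses."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["client"], m["request"], int(m["status"])

def scanner_report(lines, marker="w00tw00t"):
    """Return ({client: Counter(status)}, [non-4xx hits]) for clients that sent the marker."""
    entries = list(parse(lines))
    scanners = {c for c, req, _ in entries if marker in req.lower()}
    by_client = defaultdict(Counter)
    needs_review = []
    for client, req, status in entries:
        if client in scanners:
            by_client[client][status] += 1
            if not 400 <= status < 500:   # scanner got something other than an error
                needs_review.append((client, req, status))
    return dict(by_client), needs_review

if __name__ == "__main__":
    report, needs_review = scanner_report(SAMPLE_LOG.splitlines())
    for client, statuses in report.items():
        print(client, dict(statuses))
    for client, req, status in needs_review:
        print("REVIEW:", client, status, req)
```

On a real server, pass the lines of access.log or other_vhosts_access.log instead of SAMPLE_LOG; an empty second list matches the situation described in the post.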
 
Old 02-25-2013, 06:12 AM   #6
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Nothing listens to the connections. My configuration is as follows:

Eth0
Behind router (DLink DIR-655)
This is the iface that Apache uses for the web server.

Eth1
Backup entrance that I don't usually use.

When checking the log files I saw the w00tw00t entries and started to read about them. Shortly after I wasn't able to connect to my eth0 ext IP. Then I tried to look up my IP since I thought that I had gotten a new one, at www.whatsmyip.org since that site seemed to be the only one that reported the eth0 IP.

When checking the router status I had a working IP but I could not connect to the server on it. I will check my router settings when I get home (since I retarded the fucker and now I can't access the UI any more).
 
Old 02-25-2013, 07:40 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890
Quote:
Originally Posted by junkyhlm
I retarded the fucker
...and there you have it. Ace assessment BTW but please mind your language, TIA.
 
1 members found this post helpful.
Old 02-25-2013, 07:42 AM   #8
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
...and there you have it. Ace assessment BTW but please mind your language, TIA.
Haha sorry. It should say "restarted" and yeah I will mind my language but I'm frustrated. Sorry.
 
Old 02-25-2013, 08:06 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890
It's prolly your phone's auto-completion fscking up ;-p
 
Old 02-25-2013, 08:09 AM   #10
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
It's prolly your phone's auto-completion fscking up ;-p
True that ;-) I'll get back to this thread when I'm home and can debug my network.
 
Old 02-26-2013, 03:58 AM   #11
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
It seems like it was my router that was faulty and evil. And w00tw00t was just a coincidence.
 
  


All times are GMT -5.