Greetings, dear fellow Linuxers,
I am using a CentOS5 root server with an Apache httpd running. It is used to power an online store for office furniture, so security is a critical topic here.
Every morning I receive the log files from logwatch via mail, and every morning they contain the following line:
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 2 Time(s)
That looks very much like a scripted attack by a bot, maybe some kind of a code injection, but to be honest, it does not look like any kind of code or script language I would know of.
I noticed that many people that have a web server also get these log entries, but I did not actually find any real explanation as most people just have posted their logfiles, but had other problems.
I use fail2ban, but I do not let it watch the error_log file from httpd, because it may lock out a potential customer by mistake (boss' logic, not mine) and it only would trigger after 5 failed attempts.
What is confusing me most is that it tries to call that URL twice a day, every day, and at almost the same time. I am really curious about what is causing that - does anybody know it around here?
Thanks for your help in advance.
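
An added example, not part of the original post: one way to check whether the two daily requests come from the same source and whether any source would ever reach the 5-attempt threshold mentioned above. It assumes the httpd access log uses the Apache "combined" format; the sample lines, addresses and dates are constructed, and counting per calendar day is a simplification of fail2ban's time window.

```python
import re
from collections import defaultdict
from datetime import datetime

PROBE = "/w00tw00t.at.ISC.SANS.DFind"  # request path quoted in the post
MAXRETRY = 5                            # threshold mentioned in the post

# Constructed sample lines in Apache "combined" format (assumed log format).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2010:03:14:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [12/Mar/2010:09:30:00 +0100] "GET /shop/chairs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2010:15:02:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [13/Mar/2010:03:15:55 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def find_probes(log_text):
    """Return {(day, client_ip): [time-of-day, ...]} for requests to PROBE."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        if not path.startswith(PROBE):
            continue  # ordinary traffic, e.g. customers browsing the shop
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[(ts.date().isoformat(), m.group("ip"))].append(ts.strftime("%H:%M:%S"))
    return dict(hits)

def would_ban(hits, maxretry=MAXRETRY):
    """Sources that send at least maxretry probe requests within one day."""
    return sorted({ip for (_, ip), times in hits.items() if len(times) >= maxretry})

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for (day, ip), times in sorted(hits.items()):
        print(day, ip, len(times), ", ".join(times))
    print("would reach maxretry:", would_ban(hits) or "none")
```

On the constructed sample, the two daily requests come from different addresses and no single source comes near 5 attempts, which is the situation in which a count-based ban never fires.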