LinuxQuestions.org
Old 07-13-2009, 10:17 PM   #1
yuri16
Question /w00tw00t.at.ISC.SANS.DFind


Hi,

I couldn't run our web portal, so I checked the error logs of apache2 and got these errors:

Code:
[Thu Jul 09 23:43:19 2009] [error] [client 211.95.78.79] File does not exist: /home/www/cgi-bin
[Sun Jul 12 22:23:05 2009] [error] [client 84.55.115.55] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Jul 12 22:50:31 2009] [error] [client 64.9.195.251] File does not exist: /home/www/roundcube
[Sun Jul 12 22:50:32 2009] [error] [client 64.9.195.251] File does not exist: /home/www/webmail
[Mon Jul 13 06:08:46 2009] [error] [client 69.64.50.43] File does not exist: /home/www/_vti_bin
[Mon Jul 13 10:30:46 2009] [error] [client 221.10.0.114] File does not exist: /home/www/manager
[Mon Jul 13 15:59:07 2009] [error] [client 202.99.48.212] File does not exist: /home/www/\xc0\xaf
[Mon Jul 13 19:45:42 2009] [error] [client 200.234.200.149] File does not exist: /home/www/spk.txt
[Mon Jul 13 20:00:02 2009] [error] [client 200.234.200.149] File does not exist: /home/www/_vti_bin
[Tue Jul 14 10:44:05 2009] [error] [client 60.161.13.44] File does not exist: /home/www/user
The files reported as "does not exist" really don't exist.
And what does this mean?

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

Thanks for any help.
 
Old 07-13-2009, 11:39 PM   #2
Wim Sturkenboom
Search for /w00tw00t.at.ISC.SANS.DFind on the web. With the fact that your portal no longer works, I think your box is under attack and they might have succeeded (but I'm not sure about the latter).

Last edited by Wim Sturkenboom; 07-14-2009 at 12:00 AM.
 
Old 07-14-2009, 02:55 AM   #3
yuri16
Quote:
Originally Posted by Wim Sturkenboom
Search for /w00tw00t.at.ISC.SANS.DFind on the web. With the fact that your portal no longer works, I think your box is under attack and they might have succeeded (but I'm not sure about the latter).
I don't know what else I can do? What do you suggest?
Should I reformat my web portal? (that should be my last resort)
 
Old 07-14-2009, 05:02 AM   #4
unSpawn
DFind (http://isc.sans.org/diary.html?storyid=900) appears to be a vulnerability scanner for mcrsft wndws. What you could do is fill in your distribution details in your control panel (so any advice may be better suited to the distro you run), mention if the machine is remotely hosted or not, post the software+versions that make up your "web portal" and see if you can run commands from this checklist: http://web.archive.org/web/200801092...checklist.html. The error lines you have posted do not explain why your web portal won't run. Best list processes, open files, network connections and users, then shut those services down or firewall them while you work things out.
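
As an added illustration (not part of any post in this thread), the following Python groups error-log lines like those in post #1 by client and labels the DFind request separately from plain missing-file errors, which makes it easy to see what each address asked for. The document root and the marker string are taken from the posted log; the function names are made up for this example.

```python
import re
from collections import defaultdict

DOCROOT = "/home/www"  # document root as it appears in the posted log
DFIND_MARKER = "w00tw00t.at.ISC.SANS.DFind"

# Lines copied from the error log excerpt in post #1 (Apache 2.2 error log format).
SAMPLE_LOG = r"""
[Sun Jul 12 22:23:05 2009] [error] [client 84.55.115.55] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Jul 12 22:50:31 2009] [error] [client 64.9.195.251] File does not exist: /home/www/roundcube
[Sun Jul 12 22:50:32 2009] [error] [client 64.9.195.251] File does not exist: /home/www/webmail
[Mon Jul 13 15:59:07 2009] [error] [client 202.99.48.212] File does not exist: /home/www/\xc0\xaf
[Mon Jul 13 19:45:42 2009] [error] [client 200.234.200.149] File does not exist: /home/www/spk.txt
[Mon Jul 13 20:00:02 2009] [error] [client 200.234.200.149] File does not exist: /home/www/_vti_bin
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
NO_HOST_RE = re.compile(r"^client sent HTTP/1\.1 request without hostname .*?: (?P<uri>\S+)$")
MISSING_RE = re.compile(r"^File does not exist: (?P<path>.+)$")


def classify(msg):
    """Return (kind, target) for one error message."""
    m = NO_HOST_RE.match(msg)
    if m:
        kind = "dfind-probe" if DFIND_MARKER in m["uri"] else "no-host-header"
        return kind, m["uri"]
    m = MISSING_RE.match(msg)
    if m:
        path = m["path"]  # reported as a filesystem path under the docroot
        if path.startswith(DOCROOT + "/"):
            path = path[len(DOCROOT):]
        return "missing-file", path
    return "other", msg


def summarize(log_text):
    """Group classified events by client IP, preserving log order."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_client[m["ip"]].append(classify(m["msg"]))
    return dict(by_client)


if __name__ == "__main__":
    for ip, events in summarize(SAMPLE_LOG).items():
        print(ip, events)
```

Every event in this sample is a request the server rejected or could not map to a file, so the summary shows what was asked for, not why the portal itself is down.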
 
Old 07-14-2009, 07:55 PM   #5
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  


All times are GMT -5. The time now is 07:13 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration