LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-21-2012, 02:30 AM   #1
thelinuxist
Member
 
Registered: Nov 2012
Location: Munich, Germany
Distribution: CentOS, Debian, Fedora, Ubuntu, DSL (Whatever necessary)
Posts: 61

Rep: Reputation: Disabled
CentOS5/Apache: Strange log entry: /w00tw00t.at.ISC.SANS.DFind:)


Greetings, dear fellow Linuxers,

I am using a CentOS5 root server with an Apache httpd running. It is used to power an online store for office furniture, so security is a critical topic here.
Every morning I receive the log files from logwatch via mail, and every morning they contain the following line:

Code:
    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 2 Time(s)
That looks very much like a scripted attack by a bot, maybe some kind of code injection, but to be honest, it does not look like any code or scripting language I know of.
I noticed that many people who run a web server also get these log entries, but I did not actually find any real explanation, as most people had just posted their log files but had other problems.

I use fail2ban, but I do not let it watch the error_log file from httpd, because it may lock out a potential customer by mistake (boss' logic, not mine), and it would only trigger after 5 failed attempts anyway.

What is confusing me most is that it tries to call that URL twice a day, every day, at almost the same time. I am really curious about what is causing that - does anybody around here know?

Thanks for your help in advance.
 
Old 11-21-2012, 02:38 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
Well, if you paste that URI into Google you'll find "About 17,400 results" to read through.

TBH I would just ignore it; it's clearly not causing you any problems. Fail2Ban is certainly a viable option if you want to tune it properly - http://serverfault.com/questions/125...0tw00t-attacks - but as your boss is saying no, ignore it.

Last edited by acid_kewpie; 11-21-2012 at 02:39 AM.
 
1 members found this post helpful.
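As an added illustration for the question in post #1 and the fail2ban suggestion in post #2 (this is example code, not something posted in the thread): a small Python script that parses Apache combined-format access_log lines, rebuilds the logwatch-style "400 ... N Time(s)" roll-up quoted above, and then applies a fail2ban-style maxretry/findtime sliding window. The point for the boss's concern is visible in the two thresholds: a filter keyed on the scanner's own signature can flag the repeated probe, while a single stray 400 from a real customer never reaches the threshold. The log lines, addresses, timestamps and the regex are constructed assumptions; adjust LOG_RE if your LogFormat differs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" access_log format (assumption: the default CentOS LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The DFind/w00tw00t probe exactly as it appears in the thread's logwatch output.
W00T_RE = re.compile(r'/w00tw00t\.at\.ISC\.SANS\.DFind:\)')

# Constructed sample lines: 203.0.113.7 plays the scanner, 198.51.100.20 a
# customer whose browser produced one malformed request. Nothing here is real.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2012:03:12:41 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.7 - - [21/Nov/2012:03:12:42 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.20 - - [21/Nov/2012:08:40:02 -0500] "GET /products/desk-42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Nov/2012:08:40:09 -0500] "GET /cart HTTP/1.1" 400 226 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_w00tw00t(rec):
    """Narrow matcher: only the scanner signature counts as a hit."""
    return rec["status"] == 400 and W00T_RE.search(rec["path"]) is not None


def is_any_400(rec):
    """Broad matcher: every 400 counts, which is what worries the OP's boss."""
    return rec["status"] == 400


def summarize_400s(log_text):
    """Roll up 400 responses per path, like logwatch's '<path>: N Time(s)'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == 400:
            counts[rec["path"]] += 1
    return dict(counts)


def ban_candidates(log_text, matcher, maxretry, findtime):
    """fail2ban-style window: an IP qualifies once it has `maxretry` matching
    hits that all fall inside some `findtime`-second span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and matcher(rec):
            hits[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=findtime)
    banned = []
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    for path, n in summarize_400s(SAMPLE_LOG).items():
        print(f"400 Bad Request {path}: {n} Time(s)")
    print("any-400, maxretry=5:", ban_candidates(SAMPLE_LOG, is_any_400, 5, 600))
    print("w00tw00t, maxretry=2:", ban_candidates(SAMPLE_LOG, is_w00tw00t, 2, 600))
```

With the broad matcher and the default maxretry of 5 nobody is flagged, which matches the OP's observation that fail2ban would never fire on two probes a day; with the signature-specific matcher and a lower threshold only the scanner address appears, and the customer's single 400 is untouched.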
Old 11-21-2012, 03:18 AM   #3
thelinuxist
Member
 
Registered: Nov 2012
Location: Munich, Germany
Distribution: CentOS, Debian, Fedora, Ubuntu, DSL (Whatever necessary)
Posts: 61

Original Poster
Rep: Reputation: Disabled
Thank you for your information. What purpose do those requests serve? In my case, they seem to originate from Romania, but that is probably just a proxy or an infected computer whose owner does not even know what is happening... Anyway, it would just be nice to know what they were trying to achieve.

But it is reassuring that they don't seem to be a danger if they are blocked by httpd. Thanks again and have a nice day.
 
Old 11-21-2012, 03:30 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
It's just some sort of web scanner.
 
Old 11-21-2012, 04:32 AM   #5
thelinuxist
Member
 
Registered: Nov 2012
Location: Munich, Germany
Distribution: CentOS, Debian, Fedora, Ubuntu, DSL (Whatever necessary)
Posts: 61

Original Poster
Rep: Reputation: Disabled
Well, that's reassuring indeed. As long as it only scans the web and doesn't do any damage - well, my server can handle 2 additional 400 errors, I think... And I can handle them as well. Thanks for your time, everyone.
 
  

