/w00tw00t.at.ISC.SANS.DFind

yuri16 · 07-13-2009, 10:17 PM

Hi,

I couldn't run our web portal, so when I checked the error logs of apache2..i got these errors:

Code:

[Thu Jul 09 23:43:19 2009] [error] [client 211.95.78.79] File does not exist: /home/www/cgi-bin
[Sun Jul 12 22:23:05 2009] [error] [client 84.55.115.55] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Jul 12 22:50:31 2009] [error] [client 64.9.195.251] File does not exist: /home/www/roundcube
[Sun Jul 12 22:50:32 2009] [error] [client 64.9.195.251] File does not exist: /home/www/webmail
[Mon Jul 13 06:08:46 2009] [error] [client 69.64.50.43] File does not exist: /home/www/_vti_bin
[Mon Jul 13 10:30:46 2009] [error] [client 221.10.0.114] File does not exist: /home/www/manager
[Mon Jul 13 15:59:07 2009] [error] [client 202.99.48.212] File does not exist: /home/www/\xc0\xaf
[Mon Jul 13 19:45:42 2009] [error] [client 200.234.200.149] File does not exist: /home/www/spk.txt
[Mon Jul 13 20:00:02 2009] [error] [client 200.234.200.149] File does not exist: /home/www/_vti_bin
[Tue Jul 14 10:44:05 2009] [error] [client 60.161.13.44] File does not exist: /home/www/user

The files mentioned that "does not exist" are really don't exist.
And what does this mean:?

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

Thanks for any help.

Wim Sturkenboom · 07-13-2009, 11:39 PM

Search for /w00tw00t.at.ISC.SANS.DFind on the web. With the fact that your portal no longer works, I think your box is under attack and they might have succeeded (but I'm not sure about the latter).

yuri16 · 07-14-2009, 02:55 AM

Quote:

Originally Posted by Wim Sturkenboom

Search for /w00tw00t.at.ISC.SANS.DFind on the web. With the fact that your portal no longer works, I think your box is under attack and they might have succeeded (but I'm not sure about the latter).

I don't know what else I can do? What do you suggest?
Should I reformat my web portal? (that should be my last resort)

unSpawn · 07-14-2009, 05:02 AM

DFind (http://isc.sans.org/diary.html?storyid=900) appears to be a vulnerability scanner for mcrsft wndws. What you could do is fill in your distribution details in your control panel (so any advice may be better suitable for the distro you run), mention if the machine is remote hosted or not, post the software+versions that make up your "web portal" and see if you can run commands from this checklist: http://web.archive.org/web/200801092...checklist.html. The error lines you have posted do not explain why your web portal won't run. Best list processes, open files, network connections and users, then shut those services down or firewall them while you work things out.

GrapefruiTgirl · 07-14-2009, 07:55 PM

Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.