Nginx and Apache weird logs and IPs



Hello

I am using the nginx plugin in front of Apache, and today I found this in the nginx access.log:


151.1.182.163 - - [18/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
151.1.182.163 - - [18/Sep/2011:17:50:49 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
62.141.46.141 - - [19/Sep/2011:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:49 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:50 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"


and in the Apache access_log:


127.0.0.1 - - [23/Sep/2011:18:17:24 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:17:58 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:15 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:08 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:28 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:00 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:01 +0300] "GET /whm-server-status HTTP/1.0" 499 0 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:21:11 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:16 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:22 +0300] "GET / HTTP/1.0" 200 111



Any ideas what those are and what I can do?

Thank you
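Added example (not from the thread): a small Python script that parses the log lines quoted in the post above, copied into the script as its sample input, and sorts them into scanner probes, loopback requests and external requests that send no User-Agent. The labels and the `w00t` marker list are this example's own choices, not any standard classification; the regex accepts both the nginx combined format and the Apache common format seen above.

```python
"""Classify the nginx/Apache access-log lines quoted in the post.

Added example, not code from the thread. SAMPLE_LOG is a subset of the
lines from the post, embedded here so the script runs offline.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Combined format (with "referer" "user-agent") or common format (without).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)

# Substrings of request targets used by mass web-vulnerability scanners.
# These are the markers seen in the post's log; the list is ours.
SCANNER_MARKERS = ("w00tw00t", "w00t")

SAMPLE_LOG = """\
151.1.182.163 - - [18/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:49 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:17:24 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:01 +0300] "GET /whm-server-status HTTP/1.0" 499 0 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:21:22 +0300] "GET / HTTP/1.0" 200 111
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every non-empty line; an unparsable line is an error, not silently skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            raise ValueError("unparsed line: " + line)
        entries.append(entry)
    return entries


def classify(entry):
    """Label one parsed entry.

    scanner-probe : request target carries a known scanner marker
    loopback      : request came from 127.0.0.1 (local health checks such as
                    "OPTIONS *" and the status page, not an outside party)
    no-user-agent : external client that sent no User-Agent at all
    normal        : everything else
    """
    src = ip_address(entry["ip"])
    target = entry["target"]
    if any(marker in target for marker in SCANNER_MARKERS):
        return "scanner-probe"
    if src.is_loopback:
        return "loopback"
    if entry.get("ua") == "-":
        return "no-user-agent"
    return "normal"


def summarize(entries):
    """Count entries per label and collect each scanner source with the targets it requested."""
    counts = Counter()
    scanner_sources = defaultdict(set)
    for entry in entries:
        label = classify(entry)
        counts[label] += 1
        if label == "scanner-probe":
            scanner_sources[entry["ip"]].add(entry["target"])
    return counts, dict(scanner_sources)


if __name__ == "__main__":
    counts, sources = summarize(parse_log(SAMPLE_LOG))
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    for ip, targets in sorted(sources.items()):
        print(ip, sorted(targets))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's contents; the scanner-source map is what you feed into a firewall or fail2ban decision, and the loopback bucket is what you can safely ignore.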


http://www.techsoar.com/w00tw00t-at-isc-sans-dfind-apache-logs/

w00tw00t.at.ISC.SANS.DFind logs are the traces of the DLink vulnerability scanner, which is looking for flaws to exploit and get 'root' rights on the server. Unless you have a vulnerability, you are not prone to these attacks. You don't have to freak out right at this moment, but do a little research. I would advise these:


Drop this command line in SSH:

# -m string requires --algo (bm or kmp); the --from/--to window is counted from the start of the IP header, so 70 bytes is tight once TCP options are present
iptables -I INPUT -d ***.***.***.*** -p tcp --dport 80 -m string --algo bm --to 70 --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP



Replace ***.***.***.*** with your server IP.

Then type in:


service iptables save




service iptables restart



Your server will now reject the w00tw00t scans....

=============================================================

What to do now ?

First of all, scan your server for rootkits, change the SSH port, close all ports that are not needed, install mod_security and ENABLE it. You must use PubkeyAuthentication and disable any form of root login over SSH. Check all wheel groups and make sure none has been added.

Basically, spend a few hours checking your server over.

If you are unable to do the above, drop me a message :)
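Added example (not from the thread) showing why the `--to 70` in the iptables rule above is a tight limit. `-m string` searches the packet bytes between `--from` (default 0) and `--to`, counted from the start of the IP header, so the IP and TCP headers eat into the window. The script builds the IPv4+TCP packet a probe would arrive in (addresses, ports and sequence numbers are made up; checksums are left at zero because the match never looks at them) and checks whether the 26-byte pattern falls inside 70 bytes with and without a 12-byte TCP timestamp option: a 20-byte TCP header leaves 30 bytes of payload and matches, a 32-byte one leaves 18 and does not.

```python
"""Does 'GET /w00tw00t.at.ISC.SANS.' fit inside iptables -m string --to 70?

Added example, not code from the thread. Builds minimal IPv4+TCP packets
and mimics the string match's byte window, which starts at the IP header.
"""
import struct

PATTERN = b"GET /w00tw00t.at.ISC.SANS."
# Constructed request, modelled on the probe in the log above.
PROBE_REQUEST = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\nHost: example\r\n\r\n"

# TCP timestamp option (kind 8, length 10) preceded by two NOPs = 12 bytes,
# the layout Linux uses on established connections.
TIMESTAMP_OPTS = b"\x01\x01" + struct.pack("!BBII", 8, 10, 1, 0)


def build_ipv4_tcp_packet(payload, tcp_options=b""):
    """Return a 20-byte IPv4 header + TCP header (+options) + payload."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options are padded to 32-bit words")
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,   # IHL=5, proto=TCP
        bytes([203, 0, 113, 10]), bytes([198, 51, 100, 5]),  # made-up src/dst
    )
    data_offset_byte = (tcp_hdr_len // 4) << 4  # header length in 32-bit words
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        54321, 80, 1, 1, data_offset_byte, 0x18, 65535, 0, 0,  # PSH|ACK
    )
    return ip_hdr + tcp_hdr + tcp_options + payload


def payload_offset(packet):
    """Where the TCP payload starts, read back from IHL and the TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4
    tcp_len = (packet[ihl + 12] >> 4) * 4
    return ihl + tcp_len


def string_match(packet, pattern, from_offset=0, to_offset=65535):
    """Mimic -m string: the pattern must lie wholly inside packet[from:to]."""
    return pattern in packet[from_offset:to_offset]


def min_to_offset(packet, pattern):
    """Smallest --to value at which the rule would match this packet."""
    return packet.index(pattern) + len(pattern)


def check_windows():
    """Compare the rule's --to 70 against packets with and without TCP options."""
    plain = build_ipv4_tcp_packet(PROBE_REQUEST)
    with_ts = build_ipv4_tcp_packet(PROBE_REQUEST, TIMESTAMP_OPTS)
    return {
        "no-options-to70": string_match(plain, PATTERN, 0, 70),
        "timestamps-to70": string_match(with_ts, PATTERN, 0, 70),
        "timestamps-to200": string_match(with_ts, PATTERN, 0, 200),
    }


if __name__ == "__main__":
    for name, matched in check_windows().items():
        print(f"{name:18s} {'match' if matched else 'NO match'}")
    print("payload starts at", payload_offset(build_ipv4_tcp_packet(PROBE_REQUEST)),
          "without options and", payload_offset(build_ipv4_tcp_packet(PROBE_REQUEST, TIMESTAMP_OPTS)),
          "with timestamps")
```

If the rule's packet counter in `iptables -L INPUT -v -n` stays at zero while the log keeps filling with probes, raise `--to` (left out, it defaults to the packet length) rather than assuming the scans have stopped.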