ASTRAPI Posted September 23, 2011

Hello, I am using the nginx plugin in front of Apache and today I found on nginx access.log:

151.1.182.163 - - [18/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
151.1.182.163 - - [18/Sep/2011:17:50:49 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
62.141.46.141 - - [19/Sep/2011:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:49 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:50 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"

and for apache access_log:

127.0.0.1 - - [23/Sep/2011:18:17:24 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:17:58 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:15 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:08 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:28 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:00 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:01 +0300] "GET /whm-server-status HTTP/1.0" 499 0 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:21:11 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:16 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:22 +0300] "GET / HTTP/1.0" 200 111

Any ideas what those are and what I can do? Thank you
Martin A. Posted September 23, 2011

http://www.techsoar.com/w00tw00t-at-isc-sans-dfind-apache-logs/

"w00tw00t.at.ISC.SANS.DFind logs are the traces of DLink vulnerability scanner which is looking for flaws to exploit and get 'root' rights on the server. Unless you have a vulnerability, you are not prone to these attacks."

You don't have to freak out right at this moment but do a little research. I would advise these:
Gary. Posted September 24, 2011

Drop this command line in SSH:

iptables -I INPUT -d ***.***.***.*** -p tcp --dport 80 -m string --algo bm --to 70 --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Replace ***.***.***.*** with your server IP. Then type in:

service iptables save
service iptables restart

Your server will now reject the w00tw00t scans....

=============================================================

What to do now? First off, scan your server for rootkits, change the SSH port, close all ports not needed, install mod_security and ENABLE it. You must use PubkeyAuthentication and disable any form of root login over SSH. Check all wheel groups and make sure none is added. Basically, spend a few hours checking your server over. Unable to do the following? Drop me a message :)
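An added example, written for this thread and not code from either poster: a small Python checker that reads access-log lines like the ones in the question, picks out the w00tw00t-style probes, counts them per source IP, and reports any probe that was answered with something other than a 4xx status. That last report is the check worth running after adding a rule like the one above, since a probe that still gets a 200 means the block (or the 400 nginx is already returning) is not covering it. The probe signature (any request target containing "w00t", which covers both the "/w00tw00t.at.ISC.SANS.*" and "/test.w00t:)" variants quoted in the question) and the treatment of 127.0.0.1 entries as local traffic rather than external probes are this example's own assumptions; the sample lines are constructed from the entries in the post.

```python
import ipaddress
import re
import sys
from collections import Counter

# Common/combined log format as written by nginx and Apache. The referer and
# user-agent fields are optional because the Apache lines in the post lack them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumed probe signature: every scanner request target quoted in the thread
# contains "w00t" (w00tw00t.at.ISC.SANS.DFind, w00tw00t.at.ISC.SANS.test0, test.w00t).
PROBE_RE = re.compile(r'w00t', re.IGNORECASE)

# Constructed sample, modelled on the nginx and Apache entries in the question.
SAMPLE_LOG = """\
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:49 +0300] "GET /test.w00t:) HTTP/1.1" 400 166 "-" "-"
151.1.182.163 - - [18/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:17:24 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:01 +0300] "GET /whm-server-status HTTP/1.0" 499 0 "-" "-"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse.

    A request line with spaces in the target (a malformed request) will not
    match and is reported as unparsed rather than silently dropped.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a parsed record: scanner_probe, local (loopback source) or other."""
    if PROBE_RE.search(rec["target"]):
        return "scanner_probe"
    try:
        if ipaddress.ip_address(rec["ip"]).is_loopback:
            return "local"  # assumption: loopback entries are the server's own checks
    except ValueError:
        pass  # not an IP literal (e.g. a resolved hostname); treat as external
    return "other"


def summarize(log_text):
    """Count records by class, count probes per source IP and list probes not rejected.

    A probe is "not rejected" when the server answered with a status below 400,
    i.e. the request reached the application instead of being refused.
    """
    counts = Counter()
    probes_by_ip = Counter()
    not_rejected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "scanner_probe":
            probes_by_ip[rec["ip"]] += 1
            if rec["status"] < 400:
                not_rejected.append((rec["ip"], rec["target"], rec["status"]))
    return {
        "counts": dict(counts),
        "probes_by_ip": dict(probes_by_ip),
        "probes_not_rejected": not_rejected,
    }


if __name__ == "__main__":
    # Usage: python w00t_check.py /var/log/nginx/access.log  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = summarize(text)
    print("by class:", report["counts"])
    print("probes per source IP:", report["probes_by_ip"])
    print("probes answered with <400:", report["probes_not_rejected"] or "none")
```

On the sample the four probe lines are all answered with 400, so the "not rejected" list is empty; run it against a real access.log after the firewall change and anything that shows up in that list is a probe variant the string match did not catch.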