w00tw00t.at.ISC.SANS.DFind:) What is it?

jargonf.org: signature left in HTTP server logs by a scanner program named DFind, mostly used by script kiddies.

Getting rid of w00tw00t.at.ISC.SANS.DFind:)

Tired of scans such as the very classic "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1"? Apache answers that one with 400 Bad Request rather than 404, the usual sign of an HTTP/1.1 request sent without a Host header, so the probe never reaches an application; the other entries are the usual hunts for phpMyAdmin's scripts/setup.php and for Mantis login pages, which get 404 here because nothing lives at those paths. Here is an excerpt from an Apache access log:

95.168.176.102 - - [25/Oct/2009:06:38:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //phpmyadmin/ HTTP/1.1" 404 268 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //mysql/ HTTP/1.1" 404 264 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET // HTTP/1.1" 200 56 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //chat/ HTTP/1.1" 404 263 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
89.97.44.22 - - [25/Oct/2009:11:33:37 +0100] "GET /~stat/index.html HTTP/1.1" 404 331 "-" "-"
89.97.44.22 - - [25/Oct/2009:11:33:42 +0100] "GET /~stat/index.html HTTP/1.1" 404 331 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:37:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:46:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:56:51 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
78.189.110.185 - - [25/Oct/2009:13:17:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:22:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:33:45 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:44:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /myAdmin//scripts/setup.php HTTP/1.0" 404 347 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.0" 404 347 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET HTTP/1.1 HTTP/1.1" 400 273 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET /mantis/login_page.php HTTP/1.1" 404 276 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /support/mantis/login_page.php HTTP/1.1" 404 281 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /turbo/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /misc/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /tools/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /php/mantis/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /mantisbt/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /tracker/login_page.php HTTP/1.1" 404 277 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bugtracker/login_page.php HTTP/1.1" 404 279 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bugtrack/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /support/login_page.php HTTP/1.1" 404 276 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bug/login_page.php HTTP/1.1" 404 274 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:09 +0100] "GET /bugs/login_page.php HTTP/1.1" 404 274 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:09 +0100] "GET /login_page.php HTTP/1.1" 404 271 "-" "Toata dragostea mea pentru diavola"
72.10.164.10 - - [25/Oct/2009:16:13:29 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
89.16.175.101 - - [25/Oct/2009:16:59:09 +0100] "GET /phpmyadmin/index.php HTTP/1.0" 404 341 "-" "-"
89.16.175.101 - - [25/Oct/2009:16:59:09 +0100] "GET /phpMyAdmin/index.php HTTP/1.0" 404 341 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:34:29 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:38:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:42:39 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
69.94.64.50 - - [25/Oct/2009:19:52:32 +0100] "GET ///scripts/setup.php HTTP/1.1" 404 332 "-" "Plesk"
69.94.64.50 - - [25/Oct/2009:20:07:33 +0100] "GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 404 344 "-" "Plesk"
69.94.64.50 - - [25/Oct/2009:20:22:46 +0100] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 404 344 "-" "Plesk"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.0" 404 347 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /mysql/ HTTP/1.0" 404 327 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:52 +0100] "GET // HTTP/1.0" 200 45 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:30:46 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:41:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:52:34 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
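To see which sources are actually hammering a server before blocking anything, here is an added example (not code from the original post or from spamcleaner) that parses Apache combined-format lines like the ones above, tags each request with a scanner signature and aggregates hits per source IP. The signature table is an assumption made for this example, and so are the sample lines: a subset of the excerpt above plus one constructed benign request from 192.0.2.10.

```python
"""Tag scanner probes in Apache combined-format access logs and rank the sources.

Added example for this page; not code from the original post or from spamcleaner.
The signature table below is an assumption made for the example, as are the
sample lines (a subset of the excerpt above plus one constructed benign line).
"""
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature table (assumption for this example): name -> predicate(request line, user agent).
# A line may carry several tags; "dfind" is the one the iptables string-match rule targets.
SIGNATURES = [
    ("dfind",      lambda req, ua: req.startswith("GET /w00tw00t.at.ISC.SANS.")),
    ("pma-setup",  lambda req, ua: "/scripts/setup.php " in req),
    ("pma-dir",    lambda req, ua: re.search(r"/(phpmyadmin|mysql)/", req, re.I) is not None),
    ("mantis",     lambda req, ua: "/login_page.php " in req),
    ("diavola-ua", lambda req, ua: ua == "Toata dragostea mea pentru diavola"),
]

# Constructed sample: lines taken from the excerpt above, plus one benign hit from 192.0.2.10.
SAMPLE_LOG = [
    '95.168.176.102 - - [25/Oct/2009:06:38:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //phpmyadmin/ HTTP/1.1" 404 268 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //mysql/ HTTP/1.1" 404 264 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '94.23.221.45 - - [25/Oct/2009:11:37:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '94.23.221.45 - - [25/Oct/2009:11:46:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '94.23.221.45 - - [25/Oct/2009:11:56:51 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"',
    '149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET HTTP/1.1 HTTP/1.1" 400 273 "-" "Toata dragostea mea pentru diavola"',
    '149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET /mantis/login_page.php HTTP/1.1" 404 276 "-" "Toata dragostea mea pentru diavola"',
    '69.94.64.50 - - [25/Oct/2009:19:52:32 +0100] "GET ///scripts/setup.php HTTP/1.1" 404 332 "-" "Plesk"',
    '192.0.2.10 - - [25/Oct/2009:20:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Sorted list of signature names the parsed entry matches (empty for ordinary traffic)."""
    return sorted(name for name, pred in SIGNATURES if pred(entry["request"], entry["ua"]))


def summarize(lines):
    """Per source IP: number of tagged hits, tag counts, first and last time seen."""
    per_ip = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                       # unparsable line: skip rather than guess
        tags = classify(entry)
        if not tags:
            continue                       # ordinary traffic, not a scanner probe
        rec = per_ip.setdefault(entry["ip"], {"hits": 0, "tags": Counter(),
                                              "first": entry["time"], "last": entry["time"]})
        rec["hits"] += 1
        rec["tags"].update(tags)
        rec["last"] = entry["time"]        # access logs are in arrival order, so the last line wins
    return per_ip


def block_candidates(summary, min_hits=1):
    """Source IPs with at least min_hits tagged requests, most active first."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [ip for ip, rec in ranked if rec["hits"] >= min_hits]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in block_candidates(report):
        rec = report[ip]
        print(f"{ip:16} {rec['hits']:3} hits  {dict(rec['tags'])}  {rec['first']} .. {rec['last']}")
```

The list from block_candidates() is what you would hand to fail2ban or to a per-source DROP rule; note that it is the user agent, not the path, that ties the two 149.75.200.30 lines together, which is why the signature table looks at both fields.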

Overall, spamcleaner recommends iptables over fail2ban for this, with the following rule:

# iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Replace 'xxx.xxx.xxx.xxx' with your server's IP address. Two things to keep in mind before trusting it. The match needs the kernel's xt_string module with Boyer-Moore text search available, and its --from/--to offsets are counted from the first byte of the IP packet, not from the start of the HTTP payload: with a 20-byte IP header and a 32-byte TCP header (TCP timestamps in use) the 26-byte pattern occupies bytes 52 to 77, outside a 70-byte window, so a wider --to such as 100 is safer, and the rule's packet counter should be checked to confirm it actually fires. The rule also silences only the DFind signature; the phpMyAdmin setup.php and Mantis login_page.php probes in the log above pass through untouched, so it is a noise filter, not a hardening measure.
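To check concretely what `--to 70` covers, the following added example (not code from the original post or from spamcleaner) builds a constructed IPv4/TCP packet carrying the DFind request and emulates the string match's window. It rests on one stated assumption: that xt_string counts --from/--to from the first byte of the IP header of the packet handed to the INPUT chain and matches only when the whole pattern lies inside the window. The addresses, ports and sequence numbers in the packet are arbitrary.

```python
"""Emulate the window that iptables' string match (-m string --from/--to) inspects.

Added example for this page; not code from the original post or from spamcleaner.
Assumption it rests on: xt_string counts --from/--to from the first byte of the
IP header of the packet handed to the INPUT chain, and reports a match only when
the whole pattern lies inside [from, to). Addresses, ports and sequence numbers
in the constructed packet are arbitrary; the headers carry no valid checksums,
which the string match does not look at anyway.
"""
import struct

PATTERN = b"GET /w00tw00t.at.ISC.SANS."                    # the --string of the rule above
REQUEST = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\n\r\n"

# 12 bytes of TCP options as sent once timestamps are negotiated: NOP, NOP, TS (kind 8, len 10).
TCP_TIMESTAMPS = bytes([1, 1, 8, 10]) + struct.pack("!II", 0x11223344, 0)


def build_packet(payload, tcp_options=b""):
    """Constructed IPv4 + TCP packet carrying `payload` as the first data segment."""
    tcp_len = 20 + len(tcp_options)
    if tcp_len % 4 or tcp_len > 60:
        raise ValueError("TCP header length must be a multiple of 4 and at most 60 bytes")
    total_len = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, 6, 0,      # IHL 5, DF, TTL 64, proto TCP
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH",
                      54321, 80, 1, 1, (tcp_len // 4) << 4, 0x18,  # data offset, PSH|ACK
                      65535, 0, 0) + tcp_options
    return ip + tcp + payload


def payload_offset(packet):
    """Offset of the first HTTP byte: IP header length (IHL) plus TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return ihl + data_offset


def string_match(packet, pattern, from_offset=0, to_offset=None):
    """What `-m string --from F --to T --string P` decides for this packet (see docstring)."""
    return pattern in packet[from_offset:to_offset]


def minimum_to(tcp_options=b""):
    """Smallest --to value that still covers the whole pattern for this header layout."""
    return payload_offset(build_packet(REQUEST, tcp_options)) + len(PATTERN)


def rule_fires(to_offset, tcp_options=b""):
    """Does the rule with the given --to drop the DFind request on this header layout?"""
    return string_match(build_packet(REQUEST, tcp_options), PATTERN, 0, to_offset)


if __name__ == "__main__":
    for label, opts in (("no TCP options", b""), ("TCP timestamps", TCP_TIMESTAMPS)):
        print(f"{label:16} payload at byte {payload_offset(build_packet(REQUEST, opts)):2}, "
              f"needs --to >= {minimum_to(opts)}, --to 70 fires: {rule_fires(70, opts)}")
```

With a bare 20-byte TCP header the pattern ends at byte 66 and the rule fires; with the 12 bytes of options that come with TCP timestamps it ends at byte 78 and a 70-byte window misses it, which is why the packet counter of the installed rule is worth a look.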

Resources