
/w00tw00t.at.ISC.SANS.DFind:)

w00tw00t.at.ISC.SANS.DFind:) What is it?

jargonf.org: Signature left in HTTP server logs by a scanner program named DFind, mostly used by script kiddies.

Getting rid of w00tw00t.at.ISC.SANS.DFind:)

Sick of scans such as the very classic "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1"? Here is an excerpt from an Apache log:

95.168.176.102 - - [25/Oct/2009:06:38:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //phpmyadmin/ HTTP/1.1" 404 268 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //mysql/ HTTP/1.1" 404 264 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET // HTTP/1.1" 200 56 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
83.103.59.184 - - [25/Oct/2009:09:06:05 +0100] "GET //chat/ HTTP/1.1" 404 263 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
89.97.44.22 - - [25/Oct/2009:11:33:37 +0100] "GET /~stat/index.html HTTP/1.1" 404 331 "-" "-"
89.97.44.22 - - [25/Oct/2009:11:33:42 +0100] "GET /~stat/index.html HTTP/1.1" 404 331 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:37:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:46:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:11:56:51 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
78.189.110.185 - - [25/Oct/2009:13:17:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:22:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:33:45 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [25/Oct/2009:13:44:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /myAdmin//scripts/setup.php HTTP/1.0" 404 347 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.0" 404 347 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET HTTP/1.1 HTTP/1.1" 400 273 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:05 +0100] "GET /mantis/login_page.php HTTP/1.1" 404 276 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /support/mantis/login_page.php HTTP/1.1" 404 281 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /turbo/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /misc/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:06 +0100] "GET /tools/mantis/login_page.php HTTP/1.1" 404 280 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /php/mantis/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /mantisbt/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:07 +0100] "GET /tracker/login_page.php HTTP/1.1" 404 277 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bugtracker/login_page.php HTTP/1.1" 404 279 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bugtrack/login_page.php HTTP/1.1" 404 278 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /support/login_page.php HTTP/1.1" 404 276 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:08 +0100] "GET /bug/login_page.php HTTP/1.1" 404 274 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:09 +0100] "GET /bugs/login_page.php HTTP/1.1" 404 274 "-" "Toata dragostea mea pentru diavola"
149.75.200.30 - - [25/Oct/2009:16:00:09 +0100] "GET /login_page.php HTTP/1.1" 404 271 "-" "Toata dragostea mea pentru diavola"
72.10.164.10 - - [25/Oct/2009:16:13:29 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
89.16.175.101 - - [25/Oct/2009:16:59:09 +0100] "GET /phpmyadmin/index.php HTTP/1.0" 404 341 "-" "-"
89.16.175.101 - - [25/Oct/2009:16:59:09 +0100] "GET /phpMyAdmin/index.php HTTP/1.0" 404 341 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:34:29 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:38:19 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
72.10.164.10 - - [25/Oct/2009:19:42:39 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
69.94.64.50 - - [25/Oct/2009:19:52:32 +0100] "GET ///scripts/setup.php HTTP/1.1" 404 332 "-" "Plesk"
69.94.64.50 - - [25/Oct/2009:20:07:33 +0100] "GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 404 344 "-" "Plesk"
69.94.64.50 - - [25/Oct/2009:20:22:46 +0100] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 404 344 "-" "Plesk"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.0" 404 347 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:51 +0100] "GET /mysql/ HTTP/1.0" 404 327 "-" "-"
195.248.241.211 - - [26/Oct/2009:04:35:52 +0100] "GET // HTTP/1.0" 200 45 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:30:46 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:41:41 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"
94.23.221.45 - - [26/Oct/2009:06:52:34 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"

On the whole, spamcleaner recommends iptables rather than fail2ban, with the following rule:

# iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Replace the string 'xxx.xxx.xxx.xxx' with your server's IP address.
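As an added example (not part of the original post), the detection side of the same problem: a small Python script that parses Apache combined-format lines like the excerpt above, tallies the scanner signatures per source IP, and lists the sources that cross a threshold. The SIGNATURES table, the threshold and the SAMPLE lines are my own constructions, modelled on the excerpt.

```python
import re
from collections import Counter, defaultdict
# Apache "combined" log line, as in the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Scanner signatures seen in the excerpt: name -> substring of the request path (constructed table).
SIGNATURES = {
    "dfind": "/w00tw00t.at.ISC.SANS.",        # DFind probe, answered 400 in the excerpt
    "phpmyadmin-setup": "/scripts/setup.php",  # phpMyAdmin setup.php probes
    "mantis-probe": "/login_page.php",         # Mantis login_page.php probes
}

def parse_line(line):
    """Fields of one log line (ip, ts, req, status, ua, path), or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""   # "GET HTTP/1.1 HTTP/1.1" -> "HTTP/1.1"
    return rec

def classify(path):
    """Name of the first signature whose needle occurs in the request path, else None."""
    return next((name for name, needle in SIGNATURES.items() if needle in path), None)

def scan_hits(lines):
    """Map source IP -> Counter of signature names it triggered; other lines are ignored."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        sig = classify(rec["path"]) if rec else None
        if sig:
            hits[rec["ip"]][sig] += 1
    return hits

def block_candidates(hits, threshold=3):
    """IPs whose total scanner hits reach the threshold, most active first."""
    totals = {ip: sum(c.values()) for ip, c in hits.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold), key=lambda ip: -totals[ip])

# Constructed sample: lines in the shape of the excerpt above, plus one legitimate request.
SAMPLE = [
    '94.23.221.45 - - [25/Oct/2009:11:37:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '94.23.221.45 - - [25/Oct/2009:11:46:05 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '94.23.221.45 - - [25/Oct/2009:11:56:51 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '88.191.76.63 - - [25/Oct/2009:15:56:37 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 349 "-" "-"',
    '192.0.2.10 - - [25/Oct/2009:16:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

The iptables string match above only sees clear-text HTTP on port 80 and only searches the first 70 bytes of each packet (`--to 70`), so log-based detection like this still catches what that rule cannot, such as the same probes arriving over HTTPS.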
