Hello, any idea how I can block, on my dedicated CentOS server using the CSF firewall or iptables, this old vulnerability scanner that I found in my logs?

```
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
62.141.46.141 - - [19/Sep/2011:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
```

Thank you
Yes, you can block by URI. This is a common scanner string.

```apache
# Apache: refuse any request whose path starts with /w00t
<LocationMatch "/w00t.*">
    Deny from all
</LocationMatch>
```
You can use iptables to block the w00tw00t scanner. If you are using CSF, create a file /etc/csf/csfpost.sh, place the iptables rule mentioned in the post in it and restart the firewall. The iptables rule will be added along with the CSF rules.
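As an added example (not code from the thread or from CSF), here is the defender-side half of this: a small Python script that parses Apache combined-format access log lines, counts which source addresses sent the w00tw00t probe, and emits the corresponding `csf -d` deny commands. The log lines are constructed samples using RFC 5737 test addresses, not the addresses from the original post; the `csf -d IP comment` syntax is CSF's own deny flag, everything else (function names, the constructed input) is assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (RFC 5737 test
# addresses, not the IPs from the original thread). The last line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
192.0.2.10 - - [18/Sep/2011:18:56:23 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
198.51.100.7 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
203.0.113.5 - - [19/Sep/2011:12:00:00 +0300] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same prefix the iptables string rule in the thread keys on (minus "GET ").
SCANNER_PREFIX = "/w00tw00t.at.ISC.SANS."


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scanner_hits(lines):
    """Count w00tw00t probe requests per source IP over an iterable of log lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(SCANNER_PREFIX):
            hits[rec["ip"]] += 1
    return hits


def csf_deny_commands(hits):
    """Build one 'csf -d IP "comment"' deny command per offending IP, sorted by address."""
    return [f'csf -d {ip} "w00tw00t scanner, {n} hits"' for ip, n in sorted(hits.items())]


if __name__ == "__main__":
    found = scanner_hits(SAMPLE_LOG.splitlines())
    for cmd in csf_deny_commands(found):
        print(cmd)
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; review the generated commands before running them, since a shared or NATed address that sent one probe may also carry legitimate traffic.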
Ok, so I will create a file /etc/csf/csfpost.sh, add just this line inside and restart csf? Thank you
Getting some info from the net, it seems that I am able to do it with two commands, and I want to ask which one is better and what the difference between them is?

```
iptables -I INPUT -d YOUR.SERVER.IP -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
```

and

```
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
```

?
The text format in WordPress caused the problem. The format has been corrected; you can copy the iptables rule again from the post and paste it as it is into the csfpost.sh file.
Ok, I did and it is working, and I edited my previous post with some info, if you know how to help me. Getting some info from the net, it seems that I am able to do it with two commands, and I want to ask which one is better and what the difference between them is?

```
iptables -I INPUT -d YOUR.SERVER.IP -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
```

and

```
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
```

?
Both are almost the same:

1) With "-d YOUR.SERVER.IP" the rule will only work for the connections to that specific IP.

2) With "--to 70" it will pick up the first 70 bytes of the packet. Not going to make much difference if it isn't mentioned.
The rule is placed in the INPUT chain, so all the rules in that chain are applicable to all the incoming connections to any of your server IPs. "--to 70" is nothing but the first 70 bytes of the packet; if not mentioned, it will read the complete packet.