If you run a web server and find lines like
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
in your Apache error log, do not ignore them.
Apache writes this message when an HTTP/1.1 request arrives without the mandatory Host header (it answers such requests with 400 Bad Request); the odd request path is the signature of the DFind web scanner, and whoever runs it is probing your server for exploitable software.
There are many discussions about this log message, and it is often said that you can safely ignore it. Do not ignore it!
A friend's server was hacked with the help of this scanner. The server ran a recent SUSE with all updates installed. They managed to use a security hole in apache2 and executed some malware on his server.
I also checked my server and found similar logs. Looking around, I found a nice little tool called fail2ban: it watches the log files and, if it finds something nasty, blocks all IP traffic from the attacker for some time.
Two additional configuration files were needed to get it up and running for this purpose; fail2ban-w00t00.tar contains them.
Currently it is working well: each scanner usually gets exactly one shot, after which its IP is blocked. Example:
2010-07-01 23:35:12,774 fail2ban.actions: WARNING [apache-w00t] Ban 126.96.36.199
2010-07-01 23:35:12,774 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-apache-w00t
2010-07-01 23:35:12,784 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-apache-w00t returned successfully
2010-07-01 23:35:12,784 fail2ban.actions.action: DEBUG iptables -I fail2ban-apache-w00t 1 -s 188.8.131.52 -j DROP
2010-07-01 23:35:12,790 fail2ban.actions.action: DEBUG iptables -I fail2ban-apache-w00t 1 -s 184.108.40.206 -j DROP returned successfully
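To make the mechanism concrete, here is an added example in Python. It is not part of the original post and not the contents of fail2ban-w00t00.tar: it shows what a fail2ban filter definition for this message can look like, the <HOST> expansion fail2ban 0.8 used (quoted from memory, so treat it as an assumption), and the matching logic run over a few constructed Apache 2.2 error_log lines. The regex is anchored on the DFind path, not on the generic "request without hostname" text, so a harmless client that merely forgets the Host header is not banned. With maxretry = 1 the first hit already bans the host, which is the "one shot" behaviour described above.

```python
import configparser
import re
from collections import Counter

# Constructed example of what a filter.d/apache-w00t.conf could look like.
# Illustrative only; this is not the file from fail2ban-w00t00.tar.  The
# pattern is anchored on the DFind signature in the request path, not on the
# generic "request without hostname" message, so a misbehaving but harmless
# client that omits the Host header does not get banned.
FILTER_CONF = r"""
[Definition]
failregex = \[client <HOST>\] client sent HTTP/1\.1 request without hostname \(see RFC2616 section 14\.23\): /w00tw00t\.at\.
ignoreregex =
"""

# What fail2ban 0.8 substituted for the <HOST> tag.  Assumption: reproduced
# from memory of that release; newer releases use a richer pattern.
HOST_TAG_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed Apache 2.2 error_log lines: two DFind probes from one host, an
# ordinary 404 from a second host, and a third host that only forgot the
# Host header (should NOT be banned).
SAMPLE_ERROR_LOG = [
    "[Thu Jul 01 23:35:12 2010] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
    "[Thu Jul 01 23:35:13 2010] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.blackhats.romanian.anti-sec:)",
    "[Thu Jul 01 23:36:01 2010] [error] [client 198.51.100.23] File does not exist: /srv/www/htdocs/favicon.ico",
    "[Thu Jul 01 23:37:40 2010] [error] [client 192.0.2.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
]


def load_failregex(conf_text: str) -> re.Pattern:
    """Read failregex from a fail2ban filter definition and compile it the
    way fail2ban does: expand <HOST> into a named capture group."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("Definition", "failregex").strip()
    return re.compile(raw.replace("<HOST>", HOST_TAG_RE))


def count_failures(lines, pattern: re.Pattern) -> Counter:
    """Count matching lines per host.  fail2ban strips the timestamp and then
    searches the remainder of the line, so re.search (not match) is used."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits: Counter, maxretry: int = 1) -> list:
    """Hosts whose failure count reached maxretry.  findtime is ignored here
    for simplicity.  maxretry = 1 gives the 'one shot' behaviour."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    pattern = load_failregex(FILTER_CONF)
    hits = count_failures(SAMPLE_ERROR_LOG, pattern)
    for host in hosts_to_ban(hits):
        # The real fail2ban action would now run something like:
        #   iptables -I fail2ban-apache-w00t 1 -s <host> -j DROP
        print(f"ban {host} ({hits[host]} hit(s))")
```

Running it bans only 203.0.113.7; the host that sent a plain "/" without a Host header is left alone. The same failregex line, minus the Python wrapping, is what goes into a filter.d file, and a jail entry pointing at the Apache error log with maxretry set to 1 completes the setup.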
IMPORTANT NOTE: enabling fail2ban only reduces the chance of a successful attack. If there is outdated or vulnerable software on your machine, you will get hacked anyway!
- Do not rely on passwords; use SSH keys for SSH access wherever possible.
- Disable everything you don't need, especially FTP.
- Always update all software to the newest available version, especially when security updates are released.
fail2ban only lowers the probability of getting hacked; it does not patch anything.
Conclusion: you are hacked; lucky you if you know about it.