GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1

You have seen the following in your Apache or your web server’s logs for your websites:

WHMCS Complete Billing and Support

xx.xx.xx.xx – – [xx/xx/xxxx:18:56:22 +0300] “GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1” 400 166 “-” “-”
xx.xx.xx.xx – – [xx/xx/xxxx:06:18:21 +0300] “GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1” 400 166 “-” “-”
xx.xx.xx.xx – – [xx/xx/xxxx:11:41:35 +0300] “GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1” 400 166 “-” “-”
xx.xx.xx.xx – – [xx/xx/xxxx:11:41:35 +0300] “GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1” 400 166 “-” “-”
xx.xx.xx.xx – – [xx/xx/xxxx:21:35:12 +0300] “GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1” 400 166 “-” “-”

Generally you see the above logs, if someone is trying to scan your website and/or server using the vulnerability scanner software like Acunetix. As far as the response code is 400, you should not worry about it. But you should protect your website and/or server from potential outside scan because such software reveal many confidential information. There are several method to block such request on the Linux server as follow:

[1] Block such request using mod_security

If you are using mod_security, you can write a rule to match this pattern and block all such request.

[2] Use iptables to block request

You can use iptables to block such request on port 80:

iptables -I INPUT -p tcp –dport 80 -m string –to 70 –algo bm –string ‘GET /w00tw00t.at.ISC.SANS.’ -j DROP

Kailash

Posted in Site and Server Security.

2 Comments

  1. Your port 443 rule is pointless. 443 port is SSL. Before “GET” command is sent, encrypted connection is esablished. Once it is encrypted, you will no longer see plain text string of “GET”.

Leave a Reply

Your email address will not be published. Required fields are marked *