GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1

You may have seen lines like the following in your Apache (or other web server) access logs:

xx.xx.xx.xx - - [xx/xx/xxxx:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
xx.xx.xx.xx - - [xx/xx/xxxx:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
xx.xx.xx.xx - - [xx/xx/xxxx:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
xx.xx.xx.xx - - [xx/xx/xxxx:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
xx.xx.xx.xx - - [xx/xx/xxxx:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"

You generally see these lines when someone is scanning your website or server with a vulnerability-scanning tool: the request path itself names DFind, and tools such as Acunetix send similar probes. The 400 status shows that Apache rejected the request (the probe is sent as HTTP/1.1 without a Host header, which Apache refuses), so as long as the response code is 400 these lines are noise rather than a sign of compromise; a 200 or other success code on such a line would mean something answered the scanner and deserves a closer look. Even so, it is worth keeping such scans away from your website and server, because scanners map out server and application details you would rather not expose. There are several ways to block these requests on a Linux server:
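To triage these lines instead of eyeballing them, here is an added example (not part of the original post) in POSIX shell that runs over a few constructed combined-format log lines; the addresses and timestamps are made up. It separates probes that were rejected with 400 from any that were answered with another status, and counts probes per source so repeat scanners can be handed to fail2ban or an ipset.

```shell
#!/bin/sh
# Added example, not from the original post: triage w00tw00t probes in an
# Apache combined-format access log. The sample lines below are constructed,
# with private (RFC 1918) addresses standing in for the real scanner sources.

SAMPLE_LOG='10.0.0.5 - - [24/Feb/2014:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
10.0.0.5 - - [24/Feb/2014:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
192.168.1.9 - - [24/Feb/2014:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 200 1234 "-" "-"
172.16.0.2 - - [24/Feb/2014:21:35:12 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Match the request line only; the probe path always sits at its start.
W00T_PATTERN='"GET /w00tw00t\.at\.ISC\.SANS\.'

# Every probe line from the log given on stdin.
w00t_lines() {
    grep -E "$W00T_PATTERN"
}

# Unique source addresses that sent a probe, one per line.
w00t_sources() {
    w00t_lines | awk '{print $1}' | sort -u
}

# Probe lines whose status was NOT 400: the server answered the scanner
# instead of rejecting the malformed request, so these deserve a look.
# In the combined format the status code is the 9th whitespace field.
w00t_answered() {
    w00t_lines | awk '$9 != 400'
}

# Probe counts per source, highest first, for fail2ban/ipset decisions.
w00t_counts() {
    w00t_lines | awk '{c[$1]++} END {for (ip in c) print c[ip], ip}' | sort -rn
}

# On a real log: w00t_counts < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | w00t_counts
```

Running it on the sample prints "2 10.0.0.5" and "1 192.168.1.9"; w00t_answered flags only the 192.168.1.9 line, the one that got a 200 instead of the expected 400.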

[1] Block such requests using mod_security

If you are using mod_security, write a rule that matches this request path prefix and denies the request. Matching on the request URI in phase 1 stops the probe before any application code runs, and giving the rule its own id and message lets you count these hits separately in the audit log.

[2] Use iptables to block the request

You can use iptables with the string match extension to drop such requests on port 80:

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

A few things to keep in mind: the match only works on plaintext traffic, so the same rule on port 443 is useless (TLS encrypts the request line before it reaches the wire); --to 70 restricts the search to the first 70 bytes of each packet, which is enough for a request line at the start of the payload; and DROP silently discards the packet, so the scanner's connection hangs instead of receiving the 403 a mod_security rule would return.
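The two methods above, written out as an added example that is not from the original post. The ModSecurity rule uses 2.x syntax; the config path you pass in, the rule id 1000001 and the DRY_RUN switch are assumptions made for this example, and the iptables function only prints the command unless DRY_RUN=0 is set, in which case it inserts the rule once and skips it on re-runs.

```shell
#!/bin/sh
# Added example, not from the original post: install the two blocks described
# above. The rule id, the DRY_RUN switch and the config path are assumptions.
# Nothing here touches iptables unless DRY_RUN is set to 0.

DRY_RUN="${DRY_RUN:-1}"
PROBE_PREFIX='GET /w00tw00t.at.ISC.SANS.'

# [1] ModSecurity (2.x syntax): deny the probe in phase 1, before the request
#     body is read, and log it under its own id (1000001 is an example value
#     from the user range) so these hits can be counted or tuned separately.
write_modsec_rule() {   # $1 = path of the .conf file to write
    cat > "$1" <<'EOF'
# Drop w00tw00t scanner probes (DFind and friends) early.
SecRule REQUEST_URI "@beginsWith /w00tw00t.at.ISC.SANS." \
    "id:1000001,phase:1,t:none,deny,status:403,log,msg:'w00tw00t scanner probe'"
EOF
}

# [2] iptables string match on port 80 only: HTTPS is encrypted on the wire,
#     so the same rule on 443 would never match. --to 70 limits the search to
#     the first 70 bytes of the payload, where the request line lives.
w00t_iptables() {   # $1 = -C to check, -I to insert, -D to delete
    iptables "$1" INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
        --string "$PROBE_PREFIX" -j DROP
}

block_w00tw00t_iptables() {
    if [ "$DRY_RUN" -eq 1 ]; then
        printf 'iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string "%s" -j DROP\n' \
            "$PROBE_PREFIX"
        return 0
    fi
    # Insert only if the rule is not already present, so re-running the
    # script does not stack duplicate rules in the INPUT chain.
    w00t_iptables -C 2>/dev/null || w00t_iptables -I
}

# Example run (dry): print the iptables command and write the rule file.
block_w00tw00t_iptables
write_modsec_rule "${MODSEC_CONF:-./w00tw00t.conf}"
```

With DRY_RUN=0 the script needs root, and the rule file should go wherever your ModSecurity configuration is included from (on Debian-style layouts that is typically under /etc/modsecurity/, but check your own Include directives).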

Kailash

2 Comments

  1. Mxx, February 24, 2014

    Your port 443 rule is pointless. Port 443 is SSL. Before the "GET" command is sent, an encrypted connection is established. Once it is encrypted, you will no longer see the plain text string "GET".

    1. Kailash, February 25, 2014

      Thank you for your input. It has been updated.
