Blocking w00tw00t scans

Mike Green, Moqume Blog
Jul 17, 2010

Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:

... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...

Using Iptables

The quickest way to make sure the request never reaches your web server (and so never costs you CPU time or log-file disk space) is to drop it with iptables. Because the rule matches the plaintext request string, it only works for unencrypted HTTP on port 80. It can be done with a one-liner like this:

iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70  --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to apply this to a range of IPs (i.e., you are using multiple IPs to host web servers), replace the “-d xxx.xxx.xxx.xxx” portion with:

-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx

where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.

If you wish to have a fancier option, one where it will for example blacklist an IP for a certain period, etc., have a look at SpamCle@ner’s website.

They go deeper into this subject and have provided two scripts near the end of their article. Simply save one of these scripts in a file named, for example, /opt/blockw00t.sh and make it executable with:

chmod +x /opt/blockw00t.sh

You can run it manually by typing “/opt/blockw00t.sh” in the shell. To load it automatically at boot time, add it to your /etc/rc.local file, or on Debian/Ubuntu systems add it to your /etc/network/interfaces like so:

auto eth0
iface eth0 inet static
... [existing configuration that remains unaltered] ...
# Load anti-w00t script:
post-up /opt/blockw00t.sh

Using Fail2Ban

If you are using Fail2Ban, as described in the Shorewall firewall configuration, you can create a new definition that scans the web server log files for the w00tw00t entries.

The following definition assumes your webserver log entries look like the following (Nginx and Apache 2):

203.127.11.214 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"

Create a file /etc/fail2ban/filter.d/webserver-w00tw00t.conf:

[Definition]
failregex = ^<HOST> .*"GET /w00tw00t\.at\.ISC\.SANS\..+:\).*?"
ignoreregex =

This catches the known variants of the scanner, including “DFind”, “test0”, “MSlog” and “ntsvc”.

Note: The <HOST> portion is specific to fail2ban and is shorthand for the regex (?:::f{4,6}:)?(?P<host>\S+), which matches either an IPv4 or IPv6 address (including the ::ffff: prefix of IPv4-mapped IPv6 addresses). See the fail2ban manual for more details.
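To see what the definition above actually matches before putting it into fail2ban, here is an added example (not code from the original post or from fail2ban) that expands <HOST> the way the note describes, compiles the failregex with Python's re module as fail2ban does, and runs it over a few constructed log lines in the Apache/Nginx combined format. The 203.0.113.x and 198.51.100.x addresses and the timestamps are made-up sample data; the scanner variants are the ones named in the post.

```python
import re

# Expansion of fail2ban's <HOST> tag as quoted in the post (assumption: fail2ban's
# own expansion may differ slightly between versions). The optional "::ffff:" group
# strips the IPv4-mapped IPv6 prefix so the captured host is the plain IPv4 address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from webserver-w00tw00t.conf. The ')' in ':)' must be escaped,
# otherwise the pattern does not compile at all.
FAILREGEX = r'^<HOST> .*"GET /w00tw00t\.at\.ISC\.SANS\..+:\).*?"'

# Constructed sample log lines: four scanner variants (DFind, test0, MSlog, ntsvc),
# one of them arriving via an IPv4-mapped IPv6 address, plus two legitimate
# requests, one of which merely mentions w00tw00t in a blog URL.
SAMPLE_LOG = """
203.0.113.5 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 173 "-" "-"
203.0.113.6 - - [15/Jul/2010:15:50:09 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"
198.51.100.2 - - [15/Jul/2010:15:51:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
::ffff:203.0.113.7 - - [15/Jul/2010:15:52:31 +0200] "GET /w00tw00t.at.ISC.SANS.MSlog:) HTTP/1.1" 400 173 "-" "-"
198.51.100.3 - - [15/Jul/2010:15:53:12 +0200] "GET /blog/w00tw00t-scans/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.8 - - [15/Jul/2010:15:54:45 +0200] "GET /w00tw00t.at.ISC.SANS.ntsvc:) HTTP/1.1" 400 173 "-" "-"
""".strip().splitlines()


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute the <HOST> tag and compile, mirroring what fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failregex_compiles(failregex: str) -> bool:
    """True if the definition is syntactically valid; a stripped backslash
    (e.g. ':)' instead of ':\\)') makes this return False."""
    try:
        compile_failregex(failregex)
        return True
    except re.error:
        return False


def offending_hosts(lines, failregex: str = FAILREGEX):
    """Return the <host> capture of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for host in offending_hosts(SAMPLE_LOG):
        print("would ban:", host)
```

Running it lists the four scanner sources (203.0.113.5, .6, .7 and .8) and skips both legitimate requests; the ::ffff: prefix is dropped so the IPv6-mapped client is banned by its IPv4 address, which is what the iptables rule fail2ban inserts will need.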

TIP: If you wish to change the regular expression, I recommend RegExr to play with various options and search criteria. It’s a time saver and free :)

To test your definition’s regular expression, use:

fail2ban-regex logfile /etc/fail2ban/filter.d/webserver-w00tw00t.conf

where logfile is the actual log file name, such as /var/log/apache2/access.log.

Add this definition to the fail2ban jail configuration (/etc/fail2ban/jail.conf):

… [existing configuration] …
[webserver-w00tw00t]
enabled = true
port = http,https
filter = webserver-w00tw00t
# !!! Keep in mind to specify the correct web server log here:
logpath = /var/log/apache2/access.log
maxretry = 1
# Time in seconds, in this case, one day:
bantime = 86400

Now reload the service (e.g., “/etc/init.d/fail2ban reload” or “service fail2ban reload”).
