Forum Moderators: phranque


/w00tw00t.at.ISC.SANS.DFind:)

How do I stop this $%£^" from showing in my logs?


superclown2

8:08 am on Oct 19, 2007 (gmt 0)



My Linux servers are pretty secure and I manage to keep most rubbish out of my log files with SetEnvIfNoCase in httpd.conf but I can't get this to work with /w00tw00t.at.ISC.SANS.DFind:) and it's driving me nuts. Does anyone know the correct syntax to block these entries? I've tried SetEnvIfNoCase Request_URI "^/w00tw00t.at.ISC.SANS.DFind:\)" but this doesn't work. If you have the answer you'll earn my eternal gratitude!

jdMorgan

12:37 pm on Oct 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can't keep it out of your logs, since all accesses --successful or not-- are logged, unless you have a very advanced firewall that can actually look at the HTTP request headers.

One thing you'll notice about these requests --if they're like the ones I always get-- is that they are malformed, and never result in a successful transfer, even if you take no steps to block them. The usual server response is 400-Malformed Request, if I recall correctly.

The purpose of these requests is to serve as a nuisance, in order to make ISC/SANS look bad... This is a "revenge pest" from someone who doesn't like ISC/SANS's efforts to report on internet abuse, most likely using a network of innocent-but-compromised computers as a botnet.

Jim

superclown2

5:41 pm on Oct 19, 2007 (gmt 0)



"You can't keep it out of your logs, since all accesses --successful or not-- are logged, unless you have a very advanced firewall that can actually look at the HTTP request headers."

Respectfully: I manage to keep all the CodeRed garbage and much besides out of my logs for specific domains by using the following in httpd.conf:


SetEnvIfNoCase Request_URI "^/string to exclude/" drop

and then

CustomLog /var/log/httpd/www.mydomainname.com-access_log combined env=!drop

between <VirtualHost> and </VirtualHost>

but replacing "string to exclude" with w00tw00t.at.ISC.SANS.DFind:) throws up an error message because Apache gets confused with the ) at the end. I've tried commenting it out, i.e. "\)", but this doesn't work either. What I need is the correct syntax, if such syntax is at all possible. Help! It's driving me crazy.

wilderness

8:54 pm on Oct 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



try this portion for your rewrite (omitting the leading "^"):

exactly as shown

"ISC.SANS"

BTW, Apache does not require escaping of the parentheses marks.
Perhaps you have an error somewhere else?

superclown2

9:29 pm on Oct 19, 2007 (gmt 0)



Thanks wilderness, I've given it a try. It shouldn't be long before it gets tested!

superclown2

8:28 am on Oct 20, 2007 (gmt 0)



Ah. Doesn't work I'm afraid, a whole new crop this morning. Most of them come from Germany, I guess I'll just have to block off their ISPs - I've never had a reply from a German ISP in the ten years I've been running web servers so there's no point complaining to them.

wilderness

12:47 pm on Oct 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ah. Doesn't work I'm afraid

there's no reason why the following should not succeed.

SetEnvIf Request_URI "ISC.SANS" drop

edited by wilderness.

I've had a second thought and I'm wondering if the lines you provided are referers, rather than user agents?

SetEnvIf Referer "ISC.SANS" drop

superclown2

9:10 pm on Oct 23, 2007 (gmt 0)



Nope, still doesn't work I'm afraid. More rubbish today, this time from Hungary. I thought APNIC was bad .........

Hasn't anyone had any success in stopping this rubbish getting into log files? There has to be a way before I block the whole world off.

jdMorgan

9:44 pm on Oct 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How about posting one of these log entries?
As I said at the start, I always see 400 errors on these requests, so perhaps you can block logging by using the server response status...

Jim

superclown2

7:58 am on Oct 31, 2007 (gmt 0)



Here's the relevant line from the logs:

213.215.41.138 - - [31/Oct/2007:02:18:35 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 316 "-" "-"

[edited by: jdMorgan at 11:59 am (utc) on Oct. 31, 2007]
[edit reason] Disabled smilies in user-agent string [/edit]

jdMorgan

12:28 pm on Oct 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, so your server is also returning a 400-Bad Request status. I have a feeling that this is important with respect to logging or not logging the request.

It may be that if the error handler is invoked, many or all of the Apache modules are not executed, leading to the problem of not being able to suppress logging -- I'm not sure, just wanted to mention it.

Jim

superclown2

10:30 pm on Oct 31, 2007 (gmt 0)



Done it! I've taught my logfile reader to ignore it. I couldn't get it to ignore w00tw00t.at.ISC.SANS.DFind:) because the final ")" broke the program but I replaced it with a wildcard, i.e. w00tw00t.at.ISC.SANS.DFind:* and that worked OK. This problem had been driving me crazy for months, now if I can only find a way to block live.com referer spam from my logs..........

alex95_bg

4:30 pm on Apr 14, 2008 (gmt 0)

10+ Year Member



That's apparently a hacking attempt, I got it on my server along with a lot of brute-force hacking attempts

jdMorgan

1:44 am on Apr 15, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



One of the signatures of w00tw00t is that it sends an HTTP/1.1 request, but omits the "Host:" header. This leads to a 400-Bad Request response from properly-configured servers.

Custom logging (see mod_log_config CustomLog [httpd.apache.org]) can be set up in httpd.conf to drop log entries based on server variables or server response codes, so in this case the logging could be suppressed based on the 400 response, or by using mod_setenvif, to set a server variable based on the user-agent string itself, and then doing conditional logging based on that variable.

Jim
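An added example, not code from the thread or from any of its posters, covering the two approaches that came up above: superclown2's fix (teach the logfile reader to skip the probe, using a prefix "wildcard" so the trailing ")" never has to be matched) and jdMorgan's suggestion of keying on the 400 status. It is a small Python log filter for Apache "combined" format lines. The sample log is constructed for the example; only its first line is the one superclown2 posted. The function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The first line is the
# one posted in the thread; the remaining lines are made up for this example.
SAMPLE_LOG = """\
213.215.41.138 - - [31/Oct/2007:02:18:35 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 316 "-" "-"
192.0.2.10 - - [31/Oct/2007:02:19:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2007:02:20:44 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 316 "-" "-"
198.51.100.7 - - [31/Oct/2007:02:20:45 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:)junk HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [31/Oct/2007:02:22:30 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# One regex for a whole combined-format line. The request line is split into
# method, path and protocol; the protocol group is optional so that an
# HTTP/0.9-style request line without a protocol still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The probe path exactly as it appears in the log. The trailing ")" is a regex
# metacharacter: unescaped, it is an unbalanced parenthesis and the pattern
# will not compile, which is the error the thread ran into.
PROBE_PATH = "/w00tw00t.at.ISC.SANS.DFind:)"

# Prefix match, equivalent to the "w00tw00t.at.ISC.SANS.DFind:*" wildcard
# used in the thread; re.escape() handles every metacharacter for us.
PROBE_RE = re.compile(r"^" + re.escape(PROBE_PATH[:-1]))


def unescaped_pattern_is_invalid():
    """True if using the raw probe path as a regex fails to compile (it does)."""
    try:
        re.compile("^" + PROBE_PATH)
    except re.error:
        return True
    return False


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_probe(entry, require_400=False):
    """True for a w00tw00t probe.

    With require_400=True only requests for the probe path that the server
    answered with 400 are matched (keying on the status code, as suggested in
    the thread); otherwise any request for the probe path matches.
    """
    if not PROBE_RE.match(entry["path"]):
        return False
    return entry["status"] == 400 if require_400 else True


def split_log(text, require_400=False):
    """Split log text into (kept, dropped) entries.

    Lines that do not parse are kept, not discarded: a filter should never
    hide a line it did not understand.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            kept.append({"raw": line})
        elif is_probe(entry, require_400):
            dropped.append(entry)
        else:
            kept.append(entry)
    return kept, dropped


def probe_sources(dropped):
    """Count dropped probes per source IP, for deciding what (if anything) to firewall."""
    return Counter(e["ip"] for e in dropped)


if __name__ == "__main__":
    kept, dropped = split_log(SAMPLE_LOG)
    print(f"kept {len(kept)} line(s), dropped {len(dropped)} probe(s)")
    for ip, n in probe_sources(dropped).most_common():
        print(f"{ip}: {n} probe(s)")
```

Filtering after the fact is the reliable place to do this, and the thread's in-Apache attempts failed for a reason worth knowing. An HTTP/1.1 request with no Host header is rejected with 400 by the core request reader before the post-read-request hooks run, and mod_setenvif sets its variables in that hook, so "drop" is never set for these requests; the request is also attributed to the default virtual host rather than the one named in the URL, so a CustomLog placed inside a specific <VirtualHost> block is not the log the entry lands in anyway. Whatever is done at log-reading time, keep the dropped lines (or at least the per-IP counts) somewhere: a scanner that is probing for one thing today is a useful indicator for whatever it tries next.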