These are one of the most common vulnerability scanners you will see in Apache access log.
220.127.116.11 – – [12/Feb/2013:10:28:11 +0000] “GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1” 400 408
Above is a typical line which you will see in the access log file – usr/local/apache/log/access_log (CentOS).
These could be serious security vulnerability in your Linux server depending on what happens after such GET commands. If you see that any of files are being accessed after these commands then you are vulnerable. If none of files are accessed then you are safe however you need to patch this up.
Apache rejects such requests as they do not contain hostname, see the 2nd last error code 400. Which means that you are not hacked so you don’t need to worry too much.
If you see the error_log then you will find following errors.
[Tue Feb 12 10:28:11 2013] [error] [client 18.104.22.168] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
Here is a simple command (I’m sure linux experts could write a much better command) which will extract all the unique IP addresses from which these scanners originate.
cat /usr/local/apache/logs/access_log | grep "GET /w00tw00t.at.ISC.SANS.DFind" | cut -f1 -d' ' | sort | uniq -u > w00tlogs_unique_ips.txt
This command will extract Unique IP Addresses and saves it in w00tlogs_unique_ips.txt file.
If you do IP trace for these IP Addresses then you will find them originating from various countries so just knowing origin of IP addresses is no good.
The very first thing you as non-expert admin would do is to report these attacks to your server host provider. Most of decent web host providers would have some sort of protections to block these attacks. Just pass them the list of IP addresses which you have extracted from above command and ask them if they could do about it.
Install and configure Fail2Ban. As name suggests this utility blocks the IP addresses from failed malicious attacks by adding IP addresses to firewall.
Snort is network intrusion prevention and detection system. Install it as well.
First check if you have mod_security installed on your server or not by using these commands.
cat /etc/httpd/conf/httpd.conf | grep mod_security
If you see any entry like the followings then mod_security is enabled on your server.
LoadModule security_module modules/mod_security.so