
Thread: w00tw00t

  1. #1
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,283

    w00tw00t

    82.152.231.210 - - [30/Jul/2009:00:12:49 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
    82.152.231.210 - - [30/Jul/2009:00:12:49 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
    122.212.152.212 - - [30/Jul/2009:05:17:59 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
    122.212.152.212 - - [30/Jul/2009:05:17:59 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
    86.57.250.109 - - [31/Jul/2009:11:54:50 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 578
    86.57.250.109 - - [31/Jul/2009:11:54:50 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 578

  2. #2
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    And your question is?
    Having problems, or maybe questions about WHT? Head over to the help desk!

  3. #3
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    Did you try googling that? It is not exactly an uncommon thing to have appear in weblogs...
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,283
    Sorry, my browser crashed and I can't edit my post. This is my httpd log file.

    This is a DDoS tool. I mean w00tw00t.
    How can I protect my server from this attack?

  5. #5
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    It's not a DDoS tool, it's a web banner scanner. Unless you have an old IIS 5 server which hasn't been updated/patched for the last 10 years, you don't need to worry about it.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  6. #6
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,283
    So why would someone use it?

  7. #7
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,204
    Welcome to the internet, it's a port 80 scan - you can ignore it.
    beast5.com - Managed Hosting Solutions 2004 - 2016

  8. #8
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,283
    And is it safe?
    I mean this scan. Why would someone scan my port?
    How can I ignore it?

  9. #9
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote, originally posted by nimafire:
    So why would someone use it?
    Some script-kiddies think they can hack a Linux server using old MS WebDav/NetBios vulnerabilities.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  10. #10
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,204
    Quote, originally posted by khunj:
    Some script-kiddies think they can hack a Linux server using old MS WebDav/NetBios vulnerabilities.
    What are you talking about?

    Linux server > NetBIOS?
    It's the DFind scanner, on port 80, not the NetBIOS port.

    OP: It's a random port scan by some kid/bot, you can ignore it.
    Just keep your server up to date and apply all needed security settings / patches for all your software.
    Keep a good password policy - and you should be safe.
    beast5.com - Managed Hosting Solutions 2004 - 2016

  11. #11
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    It's a NetBios/Webdav vulnerability scanner. The w00tw00t scan on port 80 is just a harmless HTTP banner scan to get the webserver name as it is looking for IIS servers.
    It can look for open proxies too, but in that case the request is different (POST request to googlesyndication.com).
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
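
Added example, not part of the thread or written by any of its posters: a short Python script that picks the DFind banner-scan requests shown in the first post out of an Apache access log and summarizes them per source IP, so the noise can be reviewed at a glance. The sample lines and addresses are constructed, and the function name `summarize_probes` is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format. The request is captured whole because the
# probe's request line may not split cleanly into method/URI/protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Banner-scan request as logged in the thread, with or without the space.
PROBE_RE = re.compile(r'^GET /w00tw00t\.at\.ISC\.SANS\.DFind:\s?\)', re.I)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jul/2009:00:12:49 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
192.0.2.10 - - [30/Jul/2009:00:12:49 -0700] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 460
198.51.100.7 - - [30/Jul/2009:01:02:03 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [31/Jul/2009:11:54:50 -0700] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 578
this line is not a log entry
"""

def summarize_probes(log_text):
    """Return {ip: {"hits", "first", "last", "statuses"}} for DFind probes."""
    probes = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                  "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m["req"]):
            continue  # unparseable line or an ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = probes[m["ip"]]
        entry["hits"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["statuses"].add(int(m["status"]))
    return dict(probes)

if __name__ == "__main__":
    for ip, e in summarize_probes(SAMPLE_LOG).items():
        print(ip, e["hits"], e["first"].isoformat(), sorted(e["statuses"]))
```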
