I noticed a few w00tw00ts in our Apache2 logfile the other day, so I thought I would write a quick post on blocking them with iptables. Feel free to improve upon any of my scripts or ideas in this thread.
First of all, what is a w00tw00t and where might we find one?
Well, a w00tw00t is a signature left by a web vulnerability scanner called DFind. It shows up in your Apache logfiles as a request for the path below, for example:
neo@forum:# grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log
88.80.222.117 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server (commonly called "losers"), so here goes:
First, you can download a list of known w00tw00t'ers using wget, like so:
wget http://www.novirusthanks.org/dfind-logs/ip-list; mv ip-list w00tw00t_list
Then, it might be a good idea to scan your logs like I did above and append any w00tw00ts you see to that list:
grep w00tw00t /website/logs/apache2/access.log | awk 'BEGIN { FS = " " } ; { print $1 }' >> w00tw00t_list
You might have more than one w00tw00t IP address in your list now, so you might want to use awk to dedupe your w00tw00t_list:
# print each line only the first time it is seen
awk '!seen[$0]++' w00tw00t_list > w00t_new
Then move it back of course:
mv w00t_new w00tw00t_list
Now, with a nice w00tw00t_list in your directory, you can do something like:
while read -r ip
do
# skip blank lines, otherwise iptables chokes on an empty address
[ -n "$ip" ] || continue
iptables -A INPUT -s "$ip"/24 -j DROP
done < w00tw00t_list
I am pretty strict, and tend to block entire networks when we are probed, hence the /24 at the end of the IP address. You might want to be nicer than me and just block the IP ....
while read -r ip
do
[ -n "$ip" ] || continue
iptables -A INPUT -s "$ip" -j DROP
done < w00tw00t_list
And you can check your iptables blocklist with:
iptables -L -n
However, before running your iptables script, make sure your own IP address has not accidentally ended up in the w00tw00t list, or you will lock yourself out.
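As an added example (not part of the original post), here is one way to fold the grep, the dedupe and the "don't block yourself" check into two small shell functions. The log lines and the safe address 192.0.2.44 are constructed samples; swap the printf for cat on your real access.log.

```shell
#!/bin/sh
# Constructed sample access.log lines so this runs offline (not real traffic).
SAMPLE_LOG='88.80.222.117 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
10.0.0.5 - - [25/Nov/2009:08:40:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "-"
88.80.222.117 - - [25/Nov/2009:09:12:44 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.44 - - [25/Nov/2009:09:30:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"'

# Print the unique source IPs of w00tw00t probes found in the log text on
# stdin, in first-seen order, skipping any address in the space-separated
# SAFE list ($1) so your own hosts never end up in the blocklist.
build_blocklist() {
    awk -v safe="$1" '
        BEGIN { n = split(safe, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /w00tw00t/ && !($1 in skip) && !seen[$1]++ { print $1 }'
}

# Turn a list of IPs on stdin into iptables DROP commands, one per line.
# $1 is the prefix length: 32 blocks the single host, 24 the whole /24.
emit_rules() {
    mask="${1:-32}"
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A INPUT -s %s/%s -j DROP\n' "$ip" "$mask"
    done
}

# Constructed assumption: 192.0.2.44 is one of our own addresses.
MY_IPS="192.0.2.44"
printf '%s\n' "$SAMPLE_LOG" | build_blocklist "$MY_IPS" | emit_rules 32
```

The script only prints the rules; review them and pipe the output into sh (as root) to apply, using 24 instead of 32 if you prefer to block whole networks.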
Anyone care to combine all this into one great script? If so, please post back!
Happy w00tw00t blocking!