Blocking w00tw00t scans

on July 17, 2010 in Linux with 2 comments by

Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:

... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...

Using Iptables

The quickest method of making sure it never reaches your webserver (and thus wasting resources like processor, disk space [log files], etc) is to use iptables, and it can be done with a one-liner like this:

iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70  --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to use this for a range of IPs (ie., you’re using multiple IPs to host web servers), simply replace the “-d xxx.xxx.xxx.xxx” portion with:

-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx

where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.

If you wish to have a fancier option, one where it will for example blacklist an IP for a certain period, etc., have a look at [email protected]’s website.

They go deeper into this subject and have provided two scripts near the end of their article. Simply save one of these scripts in a file named, for example, /opt/blockw00t.sh and make it executable with:

chmod +x /opt/blockw00t.sh

You can run it manually with typing “/opt/blockwoot.sh” in the shell or to automatically load it at boot time you can add it to your /etc/rc.local file, or on Debian/Ubuntu systems add it to your /etc/network/interfaces like so:

auto eth0
inet eth0 static
   ... [existing configuration that remains unaltered] ...
   # Load anti-w00t script:
   post-up /opt/blockw00t.sh[/cce_text]

Using Fail2Ban

If you are using Fail2Ban, like described in the Shorewall firewall configuration, you can create a new definition that scans for the w00tw00t entries in the webserver log files.

The following definition assumes your webserver log entries look like the following (Nginx and Apache 2):

203.127.11.214 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"

Create a file /etc/fail2ban/filter.d/webserver-w00tw00t.conf:

[Definition]
failregex = ^<HOST> .*"GET /w00tw00t.at.ISC.SANS..+:).*?"

ignoreregex =

This catches the known variants of the scanner, including “DFind”, “test0”, “MSlog” and “ntsvc”.

Note: The <HOST> portion is specific to fail2ban and is a shorthand for the regex (?:::f{4,6}:)?(?P<host>S+), which matches either an IPv4 or IPv6 address. See the fail2ban manual for more details.

TIP If you wish to change the regular expression, I recommend RegExr to play with various options/search criteria. It’s a time saver and free :)

To test your definition’s regular expression, use:

fail2ban-regex logfile /etc/fail2ban/filter.d/webserver-w00tw00t.conf

Where logfile is the actual log file name, such as /var/log/apache2/access.log.

Add this definition to the fail2ban Jail configuration (/etc/fail2ban/jail.conf):

... [existing configuration] ...

[webserver-w00tw00t]
enabled  = true
port     = http,https
filter   = webserver-w00tw00t
# !!! Keep in mind to specify the correct web server log here:
logpath  = /var/log/apache2/access.log
maxretry = 1
# Time in seconds, in this case, one day:
bantime  = 86400

Now reload the service (ie., “/etc/init.d/fail2ban reload” or “service fail2ban reload“).

2 comments

  1. Sircolin
    posted on Oct 16, 2010 at 6:07 PM  |  reply

    once again another useful blog submission my friend, thanks.

    SirColin.

  2. posted on Jul 17, 2010 at 8:03 PM  |  reply

    […] Published Blocking w00tw00t scans. […]

Join the discussion

Your email address will not be published. Required fields are marked *