• Digital Paint Discussion Board »
  • Digital Paint Community »
  • Other Stuff »
  • w00tw00t.at.ISC.SANS.DFind
« previous next »
Pages: [1]

Author Topic: w00tw00t.at.ISC.SANS.DFind  (Read 1395 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
w00tw00t.at.ISC.SANS.DFind
« on: January 07, 2008, 03:12:17 PM »
I constantly get this crap in my apache error_log:

[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Is there a way to block it so I don't have to scan through as much garbage to find real errors?
Logged

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #1 on: January 07, 2008, 03:25:13 PM »
OK I found some info on it:

From SANS.org: http://isc.sans.org/diary.html?storyid=900
Quote
Published: 2005-11-29,
Last Updated: 2005-11-30 05:49:00 UTC
by Swa Frantzen (Version: 1)
Following our request for help, a while ago, we received another submission of somebody finding the following in his web logs:

"GET /w00tw00t.at.ISC.SANS.DFind:)"

It seems that we forgot to tell our whitehat readers that the search is off. We know what's behind it.  It's a web vulnerability scanner that has this fingerprint. Find and use it at your own risk. We at the Internet Storm Center distance ourselves from this tool that is labeled by at least one security company as a hacker tool..

Here is a filter you can try. Read the entire thread: http://www.webmasterworld.com/apache/3481679.htm

Logged

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #2 on: January 07, 2008, 03:56:58 PM »
Yeah, I saw that thread.  His solution was to filter it in his log parser, not the log itself.
Logged

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #3 on: January 07, 2008, 04:26:57 PM »
oh I misread that then.

Let me keep looking.

Maybe XB has an idea.
Logged

XtremeBain

  • Developer
  • Autococker
  • Posts: 1470
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #4 on: January 08, 2008, 02:29:58 PM »
Logged

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #5 on: January 08, 2008, 09:17:06 PM »
Logged

Eiii

  • Autococker
  • Posts: 4595
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #6 on: January 08, 2008, 10:51:04 PM »
Ear candles.
(Don't work at all, btw.)
Logged

Zorchenhimer

  • Autococker
  • Posts: 2614
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #7 on: January 09, 2008, 01:59:10 AM »
Quote from: Eiii on January 08, 2008, 10:51:04 PM
Ear candles.
(Don't work at all, btw.)

You've tried?  Haha.
Logged

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #8 on: January 09, 2008, 02:41:38 AM »
Quote
Ear candles cannot be legally sold in Canada.

Bain's right up there with the rest of his Canadian buddies in illicit medicinal devices.
Logged
Pages: [1]
« previous next »
  • Digital Paint Discussion Board »
  • Digital Paint Community »
  • Other Stuff »
  • w00tw00t.at.ISC.SANS.DFind