Author Topic: w00tw00t.at.ISC.SANS.DFind  (Read 1396 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
w00tw00t.at.ISC.SANS.DFind
« on: January 07, 2008, 03:12:17 PM »
I constantly get this crap in my apache error_log:

[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Is there a way to block it so I don't have to scan through as much garbage to find real errors?

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #1 on: January 07, 2008, 03:25:13 PM »
OK I found some info on it:

From SANS.org: http://isc.sans.org/diary.html?storyid=900
Quote
Published: 2005-11-29,
Last Updated: 2005-11-30 05:49:00 UTC
by Swa Frantzen (Version: 1)
Following our request for help, a while ago, we received another submission of somebody finding the following in his web logs:

"GET /w00tw00t.at.ISC.SANS.DFind:)"

It seems that we forgot to tell our whitehat readers that the search is off. We know what's behind it. It's a web vulnerability scanner that has this fingerprint. Find and use it at your own risk. We at the Internet Storm Center distance ourselves from this tool that is labeled by at least one security company as a hacker tool.

Here is a filter you can try. Read the entire thread: http://www.webmasterworld.com/apache/3481679.htm


jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #2 on: January 07, 2008, 03:56:58 PM »
Yeah, I saw that thread.  His solution was to filter it in his log parser, not the log itself.
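
Added example, not part of any post in this thread and not the filter from the linked webmasterworld thread: a parser-side filter of the kind Reply #2 describes, which drops the DFind fingerprint entries from error_log text and counts them per client so the remaining errors are readable. The sample log is constructed from the line quoted in the first post; the 192.0.2.10 client, the file path and the function name split_log are assumptions.

```python
import re
from collections import Counter

# Fingerprint path from the log lines quoted in this thread.
DFIND_MARKER = "/w00tw00t.at.ISC.SANS.DFind"

# Apache 2.x error_log entry: [timestamp] [level] [client ip] message
TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}"
ENTRY_RE = re.compile(
    r"\[(?P<ts>" + TS + r")\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"   # server notices carry no client
    r"(?P<msg>.*?)"
    # A message ends at the next entry header, so entries that were
    # run together on one line are still split apart.
    r"(?=\[" + TS + r"\] \[|$)",
    re.S,
)

def split_log(text):
    """Return (kept_entries, noise_per_client) for raw error_log text."""
    kept, noise = [], Counter()
    for m in ENTRY_RE.finditer(text):
        msg = m["msg"].strip()
        if DFIND_MARKER in msg:
            noise[m["client"] or "unknown"] += 1   # count, do not display
        else:
            kept.append((m["ts"], m["level"], m["client"], msg))
    return kept, noise

# Constructed sample: the scanner line from the first post (three copies run
# together, one on its own line) mixed with two constructed ordinary entries.
DFIND_LINE = ("[Mon Jan 07 13:21:15 2008] [error] [client 217.218.103.104] "
              "client sent HTTP/1.1 request without hostname "
              "(see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)")
SAMPLE = (DFIND_LINE * 3 + "\n"
          "[Mon Jan 07 13:22:40 2008] [error] [client 192.0.2.10] "
          "File does not exist: /var/www/html/favicon.ico\n"
          + DFIND_LINE + "\n"
          "[Mon Jan 07 13:25:02 2008] [notice] caught SIGTERM, shutting down\n")

if __name__ == "__main__":
    kept, noise = split_log(SAMPLE)
    for ts, level, client, msg in kept:
        print(f"[{ts}] [{level}] {client or '-'} {msg}")
    for client, count in noise.most_common():
        print(f"suppressed {count} DFind probes from {client}")
```

This only changes what you read; the entries stay in error_log itself, which is the limitation Reply #2 points out.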

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #3 on: January 07, 2008, 04:26:57 PM »
Oh, I misread that then.

Let me keep looking.

Maybe XB has an idea.

XtremeBain

  • Developer
  • Autococker
  • Posts: 1470
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #4 on: January 08, 2008, 02:29:58 PM »

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #5 on: January 08, 2008, 09:17:06 PM »

Eiii

  • Autococker
  • Posts: 4595
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #6 on: January 08, 2008, 10:51:04 PM »
Ear candles.
(Don't work at all, btw.)

Zorchenhimer

  • Autococker
  • Posts: 2614
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #7 on: January 09, 2008, 01:59:10 AM »
Ear candles.
(Don't work at all, btw.)

You've tried?  Haha.

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: w00tw00t.at.ISC.SANS.DFind
« Reply #8 on: January 09, 2008, 02:41:38 AM »
Quote
Ear candles cannot be legally sold in Canada.

Bain's right up there with the rest of his Canadian buddies in illicit medicinal devices.