W00tw00t.at.ISC.SANS.DFind:)

From Flo's Knowledge in a Nutshell


Introduction

I do a periodic check of my logfiles and I was annoyed by a script-kiddie tool called DFind, which has the fingerprint W00tw00t.at.ISC.SANS.DFind:)

Approach

  • Scan Logfiles
  • Block relevant IP addresses
  • Cleanup Logfiles

Implementation

  • Script is located under /etc/cron.hourly
#!/bin/sh
IPTABLES="/sbin/iptables"
ERRLOG="/var/log/apache2/error.log"
ACCLOG="/var/log/apache2/access.log"

# wootwootiptables
# Apache 2.2 error-log lines look like "[date] [error] [client 1.2.3.4] ...",
# so the client IP is field 8 once the trailing "]" is stripped.
countwoot=0
for ip in `grep w00tw00t "$ERRLOG" | awk '{print $8}' | sed 's/]//g' | sort -u` ; do
        countwoot=$((countwoot+1))
        # drop traffic coming from the scanner and any replies going back to it
        # (on OUTPUT the scanner is the destination, so -d is needed, not -s)
        $IPTABLES -I INPUT -s "$ip" -j DROP
        $IPTABLES -I OUTPUT -d "$ip" -j DROP
done
echo "blocked $countwoot w00tw00t source(s)"

# cleanup the logfiles
sed -i '/w00tw00t/ d' "$ERRLOG"
sed -i '/w00tw00t/ d' "$ACCLOG"
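The field-position parsing above only works for the Apache 2.2 error-log layout; Apache 2.4 adds a pid/tid field and a port suffix to the client address ("[client 1.2.3.4:51234]"), which shifts field 8 to something that is not an IP. The following added example (not part of this wiki page) extracts the scanner addresses with a regex that accepts both layouts, validates each address before it could reach iptables, and builds the same DROP rules as a dry run. The log lines and the IPv4-only scope are constructed assumptions.

```python
import re
import ipaddress

# "[client IP]" (Apache 2.2) or "[client IP:port]" (Apache 2.4); IPv4 only.
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
MARKER = "w00tw00t.at.ISC.SANS.DFind"

# Constructed sample error-log lines: two 2.2-style hits from one host,
# one 2.4-style hit from another, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
[Tue Mar 10 12:00:01 2009] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Mar 10 12:00:02 2009] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Mar 11 09:15:30.123456 2015] [core:error] [pid 1234:tid 5678] [client 198.51.100.9:51234] AH00126: Invalid URI in request GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
[Tue Mar 10 12:01:00 2009] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico
""".splitlines()


def scanner_ips(lines):
    """Return the sorted, unique, validated client IPs of lines carrying the DFind marker."""
    found = set()
    for line in lines:
        if MARKER not in line:
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        try:
            found.add(str(ipaddress.ip_address(m.group("ip"))))
        except ValueError:
            continue  # malformed field: never pass it on to the firewall
    return sorted(found)


def block_commands(ips, iptables="/sbin/iptables"):
    """Build the DROP rules the cron script applies, as strings for review (dry run)."""
    cmds = []
    for ip in ips:
        cmds.append(f"{iptables} -I INPUT -s {ip} -j DROP")
        # the scanner is the destination of outbound replies, hence -d
        cmds.append(f"{iptables} -I OUTPUT -d {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in block_commands(scanner_ips(SAMPLE_LOG)):
        print(cmd)
```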