w00tw00t.at.ISC.SANS.DFind Web Scanner

The string “/w00tw00t.at.ISC.SANS.DFind:)” shows up in web server error logs. It is generated by a web scanner named DFind, which scans IP addresses for vulnerabilities and apparently probes every server that has port 80 open.

To ban, on a Linux server, every IP address that scans you with DFind, you can use this simple bash one-liner: it extracts the IP addresses of the DFind scans from the error log and saves them as ready-to-run iptables commands:

grep "/w00tw00t.at.ISC.SANS.DFind" error.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print "iptables -I INPUT -s " $1 " -j DROP"}' | sort -u > dfind.ban

Now make the generated file executable (+x):

chmod +x dfind.ban

To run the generated script and ban all the extracted IP addresses, use this command:

./dfind.ban

If you want to run this every day at midnight, save the following script as ban.bash in /var/scripts/:

#!/bin/bash
# error.log is read relative to /var/scripts/ (cron does "cd /var/scripts/" first); point it at your web server's error log.
# "iptables -C" first checks whether the rule already exists, so a daily run does not pile up duplicate rules for the same IP.
grep "/w00tw00t.at.ISC.SANS.DFind" error.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u | awk '{print "iptables -C INPUT -s " $1 " -j DROP 2>/dev/null || iptables -I INPUT -s " $1 " -j DROP"}' > dfind.ban
chmod +x dfind.ban
./dfind.ban
rm -f dfind.ban

Then add the following line to /etc/crontab so the script runs once a day at 00:00 (minute 0, hour 0):

0 0 * * * root cd /var/scripts/ && ./ban.bash

To check that the IP addresses have been added to iptables correctly, type:

iptables -L

Example output:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere
DROP       all  --  XXX.XXX.XXX.XXX      anywhere

If you would rather block the scans as they arrive, the following iptables rule drops any packet sent to port 80 of your server whose payload carries the DFind request signature (the string match looks at the first 70 bytes of the packet):

iptables -I INPUT -d 127.0.0.1 -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.DFind' -j DROP

Replace 127.0.0.1 with the IP address of your server.
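As an added example (not code from the original post), here is a self-contained version of the log-to-iptables step described above. It parses the "[client X.X.X.X]" field of Apache-style error-log lines rather than grabbing any IP-like string, handles both the "[client IP]" and "[client IP:port]" forms, and emits commands guarded by "iptables -C" so a daily run does not add duplicate rules. The log lines and IP addresses are constructed for illustration; nothing here touches iptables itself.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts the client IPs of DFind
# scans from Apache-style error-log lines and prints idempotent iptables commands.

SIGNATURE='/w00tw00t.at.ISC.SANS.DFind'

# Constructed sample log (IP addresses are from documentation ranges).
SAMPLE_LOG='[Mon Mar 01 00:12:31 2010] [error] [client 198.51.100.23] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
[Mon Mar 01 00:12:40 2010] [error] [client 198.51.100.23] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
[Mon Mar 01 00:15:02 2010] [error] [client 203.0.113.7:51234] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
[Mon Mar 01 00:16:10 2010] [error] [client 192.0.2.9] File does not exist: /var/www/favicon.ico'

# Read log lines on stdin; print the unique client IPs of lines carrying the
# DFind signature. Only the "[client ...]" field is used, so an IP-like string
# elsewhere on the line (e.g. in the requested path) is never picked up.
dfind_ips() {
    grep -F "$SIGNATURE" | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' | sort -u
}

# Read IPs on stdin; print one iptables command per IP that inserts the DROP
# rule only if it is not already present (-C), so reruns stay idempotent.
ban_commands() {
    while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Convenience wrapper: log file in, ban script out (stdout).
# Usage: generate_ban_script /var/log/apache2/error.log > dfind.ban
generate_ban_script() {
    dfind_ips < "$1" | ban_commands
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dfind_ips | ban_commands
```

Note that rules inserted this way live only in the running kernel; reboot and they are gone unless you also persist them with your distribution's iptables-save mechanism.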