I received some alerts on my IDS with the following signature:
#632-(3-693403) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 08:51:34 89.46.161.210:30693 10.21.1.19:80 TCP
#706-(3-692963) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 00:21:54 85.214.236.97:64368 10.21.1.19:80 TCP
#707-(3-692918) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 23:34:23 24.172.10.141:4456 10.21.1.19:80 TCP
#726-(3-692857) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 22:23:33 89.46.161.210:21368 10.21.1.19:80 TCP
I checked the payload of all the alerts (the packet capture is not shown here). Searching for the string it contained, w00tw00t.at.ISC.SANS.Win32, showed that it belongs to a type of vulnerability scanner, and my Apache access_log confirmed it:
[root@server~]# less /var/log/httpd/access_log | grep "GET /w00tw00t.at.ISC.SANS"
89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
85.214.236.97 - - [23/Oct/2013:00:21:54 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
89.46.161.210 - - [23/Oct/2013:08:51:34 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
The attempts were unsuccessful: each one got a 400 (Bad Request) response, and my Apache error_log shows why:
[root@server ~]# less /var/log/httpd/error_log | grep "89.46.161.210"
[Tue Oct 22 22:23:33 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 08:51:34 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 19:08:46 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[root@server~]# less /var/log/httpd/error_log | grep "24.172.10.141"
[Tue Oct 22 23:34:23 2013] [error] [client 24.172.10.141] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
The requests above carry no hostname. Every HTTP/1.1 request must include a Host header (for example, Host: example.com), which is why Apache rejected them with 400.
Today I again received a lot of alerts from vulnerability scanners, so I decided to drop this type of GET request with iptables.
Iptables rule (using the string match option):
[root@server~]# iptables -I INPUT -d xx.xx.xx.xx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
Explanation:
-d ------> destination address
xx.xx.xx.xx -----> your server's IP address
--dport -----> destination port
--to -----> byte offset at which to stop searching
70 -----> only the first 70 bytes of the packet are searched
--algo -----> search algorithm (two types: 1. bm (Boyer-Moore) and 2. kmp (Knuth-Morris-Pratt))
--string -----> text pattern to search for (case sensitive)
Save the iptables rule and restart the service:
[root@server~]# service iptables save
[root@server~]# service iptables restart
Afterwards, list the rules to check that it is in place. It is shown like this:
[root@server~]# iptables -nvL
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 176.9.7.40 tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70
Now the DFind w00tw00t GET requests are blocked by iptables.
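To check how many of these probes a server is actually getting, and what the iptables rule above does and does not catch, here is an added example (not code from the post): it parses constructed access_log lines in the same format as the ones above, reports the w00tw00t hits with their status codes, and models the string match's 70-byte search window. The sample log lines and packet payloads are constructed for the example.

```python
import re

# Constructed sample lines modelled on the Apache access_log entries in the post
# (two scanner probes plus one ordinary request for contrast).
SAMPLE_ACCESS_LOG = """\
89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
10.21.1.50 - - [23/Oct/2013:01:02:03 +0530] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache common/combined log prefix: client ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3})'
)

# Same search pattern and window as the iptables rule in the post.
PATTERN = b"GET /w00tw00t.at.ISC.SANS."
TO_OFFSET = 70  # '--to 70': stop searching at this byte offset

def parse_access_log(text):
    """Yield one dict per parseable access_log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def scanner_hits(text):
    """Return (ip, path, status) for every request hitting the w00tw00t probe path."""
    return [(r["ip"], r["path"], int(r["status"]))
            for r in parse_access_log(text)
            if r["method"] == "GET" and r["path"].startswith("/w00tw00t.at.ISC.SANS.")]

def iptables_string_match(payload, pattern=PATTERN, to=TO_OFFSET):
    """Approximate '-m string --to N --algo bm --string PATTERN' on one packet:
    the rule only fires if the whole pattern lies within the first N payload bytes."""
    return pattern in payload[:to]

if __name__ == "__main__":
    for ip, path, status in scanner_hits(SAMPLE_ACCESS_LOG):
        print(f"{ip} probed {path} -> HTTP {status}")  # 400: no Host header, Apache rejected it
    probe = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\n\r\n"
    print("probe at start of packet matched:", iptables_string_match(probe))
    # The window is per packet: a probe that starts beyond offset 70 is not seen by the rule.
    print("probe past offset 70 matched:", iptables_string_match(b"X" * 70 + probe))
```

The second payload check is the caveat to keep in mind: the rule inspects each packet on its own and only the first 70 bytes of it, so it silences the common probe but is not a substitute for Apache's own 400 rejection.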