
W00tw00t at isc sans dfind
DFind.exe (v1.0.9, 73,728 bytes) - disassembly listing

:0040648B lea edi, dword ptr        ; edi = destination buffer
:0040649A lea eax, dword ptr        ; buffer (w00tw00t string
:004064AA cmp eax, FFFFFFFF         ; post the request.
:004064AD jne 004064CB              ; Give up if any error.
:0040653E lea eax, dword ptr        ; characters returned
:0040654E mov dword ptr, eax        ; Save number of bytes
:00406559 Call dword ptr            ; Call shutdown().

It only wants to fetch your HTTP server name, nothing else.

That particular string is only used as part of the DFind webserver banner scanner. There are several variants of it, amongst them:

That's just a simple vulnerability scanner named DFind that loves to show off in your logs. This also means that you do not have to worry: you haven't been hacked! In our case, the hostname is missing and thus the request is rejected.

Linux: using iptables string-matching filter to block vulnerability scanners

Does "w00tw00t.at.:)" sound familiar to you? If you own one or more servers, there are a lot of chances you found it in your logs and that it gave you headaches or even nightmares trying unsuccessfully to get rid of it.

We can see here that 213.251.134.23, a small (compromised) server hosted by OVH, asked for the "/w00tw00t.at.:)" web page and that Apache politely told it to bugger off by sending an HTTP 400 code (BAD_REQUEST) and wrote the reason why to its error log file:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

Apache rejected that request because it is not RFC 2616-compliant. Any HTTP/1.1 request should contain at least 2 fields in its headers, one of them being the "Host:" field, as follows:
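As an added illustration (not code from the original post), here is the RFC 2616 section 14.23 check Apache applies above, plus a small error-log parser that lists the clients it refused for that reason. The request bytes and log lines are constructed samples, and the log layout assumes the Apache 2.2 error_log format with IPv4 clients.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# RFC 2616 section 14.23: an HTTP/1.1 client MUST send a Host header and a server
# MUST answer a 1.1 request lacking it with 400 (Bad Request). HTTP/1.0 has no
# such rule, so a Host-less 1.0 request is accepted.
HOST_MISSING_MSG = "client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)"


def check_host_header(raw_request: bytes) -> Tuple[int, Optional[str]]:
    """Return (status, error_log_reason), mirroring how Apache treats the request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, "malformed request line"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        return 400, HOST_MISSING_MSG
    return 200, None


# Constructed DFind-style probe: an HTTP/1.1 request line with no Host header at all.
PROBE_REQUEST = b"GET /w00tw00t.at.:) HTTP/1.1\r\n\r\n"

# Constructed Apache 2.2 error_log lines (dates and the second/third IPs are placeholders).
SAMPLE_ERROR_LOG = [
    "[Sun Jan 01 00:00:00 2012] [error] [client 213.251.134.23] "
    "client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.:)",
    "[Sun Jan 01 00:00:01 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
    "[Sun Jan 01 00:00:02 2012] [notice] Apache/2.2 (Unix) configured -- resuming normal operations",
]

# "[client 1.2.3.4]" in 2.2; "[client 1.2.3.4:54321]" in 2.4, so the port is optional.
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] (?P<msg>.*)")


def scanner_clients(error_log_lines: Iterable[str]) -> Set[str]:
    """IPs refused for a missing Host header or whose request carried the w00tw00t marker."""
    hits = set()
    for line in error_log_lines:
        m = CLIENT_RE.search(line)
        if m and ("without hostname" in m.group("msg") or "w00tw00t" in m.group("msg").lower()):
            hits.add(m.group("ip"))
    return hits
```

The page's title refers to dropping these probes earlier, at the packet level, with the iptables string match; the code above is the application-layer view of the same event.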