w00tw00t.at.ISC.SANS.DFind:) Tu servidor está bajo ataque abril 16, 2014
HackingLinuxVirus
3 comentarios

Cualquiera que tenga una ip en internet está expuesto a ataques, algo muy común es ver este tipo de entradas en los logs de apache.

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Alguién o algo está intentando encontrar una vulnerabilidad en tu equipo.
Para solucionarlo basta con instalar fail2ban y habilitar los filtros y configuración jail:

1- Instalamos fail2ban si no lo hemos instalado todavía:

sudo apt-get install fail2ban

2- Creamos el filtro apache-scan.conf:

# Fail2Ban configuration file
#
# Author: Andreas Florath
#
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: /var/www/2phpmyadmin
            [[]client <HOST>[]] File does not exist: /var/www/admin
            [[]client <HOST>[]] File does not exist: /var/www/administrator
            [[]client <HOST>[]] File does not exist: /var/www/database
            [[]client <HOST>[]] File does not exist: /var/www/db
            [[]client <HOST>[]] File does not exist: /var/www/dbadmin
            [[]client <HOST>[]] File does not exist: /var/www/images
            [[]client <HOST>[]] File does not exist: /var/www/myadmin
            [[]client <HOST>[]] File does not exist: /var/www/MyAdmin
            [[]client <HOST>[]] File does not exist: /var/www/mysql
            [[]client <HOST>[]] File does not exist: /var/www/mysqladmin
            [[]client <HOST>[]] File does not exist: /var/www/mysql-admin
            [[]client <HOST>[]] File does not exist: /var/www/mysqlmanager
            [[]client <HOST>[]] File does not exist: /var/www/phpmy
            [[]client <HOST>[]] File does not exist: /var/www/phpmyadmin
            [[]client <HOST>[]] File does not exist: /var/www/php-myadmin
            [[]client <HOST>[]] File does not exist: /var/www/phpmy-admin
            [[]client <HOST>[]] File does not exist: /var/www/phpmyAdmin
            [[]client <HOST>[]] File does not exist: /var/www/phpMyadmin
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin
            [[]client <HOST>[]] File does not exist: /var/www/phpmyadmin2
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.5.1-all-languages
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.6-all-languages
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.7.1-all-languages
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.7.1-all-languages-utf-8-only
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.8.1-all-languages
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin-2.11.8.1-all-languages-utf-8-only
            [[]client <HOST>[]] File does not exist: /var/www/phppma
            [[]client <HOST>[]] File does not exist: /var/www/pma
            [[]client <HOST>[]] File does not exist: /var/www/PMA
            [[]client <HOST>[]] File does not exist: /var/www/program
            [[]client <HOST>[]] File does not exist: /var/www/qql
            [[]client <HOST>[]] File does not exist: /var/www/sql
            [[]client <HOST>[]] File does not exist: /var/www/sqlmanager
            [[]client <HOST>[]] File does not exist: /var/www/sqlweb
            [[]client <HOST>[]] File does not exist: /var/www/webadmin
            [[]client <HOST>[]] File does not exist: /var/www/webdb
            [[]client <HOST>[]] File does not exist: /var/www/websql
            [[]client <HOST>[]] File does not exist: /var/www/e107_files
            [[]client <HOST>[]] File does not exist: /var/www/db
            [[]client <HOST>[]] File does not exist: /var/www/e107
            [[]client <HOST>[]] File does not exist: /var/www/site
            [[]client <HOST>[]] File does not exist: /var/www/web
            [[]client <HOST>[]] File does not exist: /var/www/forum
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

3- Creamos el filtro apache-w00t.conf:

vi /etc/fail2ban/filter.d/apache-w00t.conf
# Fail2Ban configuration file
#
# Author: Andreas Florath
#
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named &amp;amp;quot;host&amp;amp;quot;. The tag &amp;amp;quot;&amp;lt;host&amp;gt;&amp;amp;quot; can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P&amp;lt;host&amp;gt;\S+)
# Values:  TEXT
#
failregex = [[]client []] client sent HTTP/1\.1 request without hostname \(see RFC2616 section 14\.23\): \/w00tw00t.at.ISC.SANS.DFind:\)
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

4. Añadimos estas lineas a jail.local o jail.conf en su defecto.

vi /etc/fail2ban/jail.local
#
# You might want to incrase the bantime
#
bantime  = 133201
 
#
# Add the following
#
[apache-w00t]
 
enabled = true
port    = http,https
filter  = apache-w00t
logpath = /var/log/apache*/*error.log
maxretry = 1
 
[apache-scan]
 
enabled = true
port    = http,https
filter  = apache-scan
logpath = /var/log/apache*/*error.log
maxretry = 1

5. Por último reiniciamos fail2ban

service fail2ban restart

NOTA IMPORTANTE: Habilitar fail2ban sólo reduce la posibilidad del ataque. Si hay aplicaciones obsoletas o problemáticas en tu equipo probablemente consigan hackearlo!