The infamous /w00tw00t.at.ISC.SANS.DFind GET requests in your access logs



Mattias Geniar, February 05, 2012


If you look at your access/error logs once in a while, like any good DevOps would, you occasionally find URLs like these:

[01/Feb/2012:23:42:08 +0100] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-" "-"

[01/Feb/2012:21:13:58 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1072 "-" "ZmEu" "-"

[05/Feb/2012:04:44:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-" "-"

[05/Feb/2012:04:44:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"

For the record, it's not ISC SANS making those requests: the string is just a signature used by an exploit scanner. What originally started as the DFind port scanner seems to have been modified quite often, as I keep finding more and more signatures from variants of it.

One of the best ways to combat these is a properly configured fail2ban: match the signature in the access log and ban the source IP after a hit.
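As an added illustration (not code from this post or from fail2ban itself), here is a small Python script that parses combined-format access log lines, counts w00tw00t requests per client IP, and shows what a hand-written fail2ban failregex for the same signature would extract. The log lines are constructed for the example: the post only shows the request portion, so the client IPs are RFC 5737 documentation addresses, and the failregex is my assumption of what a filter.d entry would look like, not a filter shipped with fail2ban.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache "combined" format. The original post
# shows only the request portion; the client IPs here are RFC 5737
# documentation addresses, not real scanners.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Feb/2012:04:44:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [05/Feb/2012:04:44:24 +0100] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 166 "-" "-"
198.51.100.7 - - [01/Feb/2012:21:13:58 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1072 "-" "ZmEu"
203.0.113.5 - - [05/Feb/2012:04:50:01 +0100] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, ident, user, timestamp, request line,
# status, size, and (optionally) referer and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# The scanner signature: any request method followed by a path under /w00tw00t.at.
SIGNATURE_RE = re.compile(r'^[A-Z]+ /w00tw00t\.at\.')

# Assumed fail2ban-style failregex for a filter.d/*.conf entry; fail2ban
# substitutes its own host pattern for <HOST> when it loads the filter.
FAIL2BAN_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "[A-Z]+ /w00tw00t\.at\.[^"]*" \d{3}'


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_hit(fields):
    """True when the request line carries the w00tw00t signature."""
    return bool(SIGNATURE_RE.match(fields["request"]))


def hits_per_ip(log_text):
    """Count signature hits per client IP; unparsable and benign lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_scanner_hit(fields):
            counts[fields["ip"]] += 1
    return counts


def offenders(log_text, threshold=1):
    """IPs with at least `threshold` hits, most active first: a candidate ban list."""
    counts = hits_per_ip(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def failregex_matches(log_text):
    """Apply the failregex roughly as fail2ban would and return the hosts it extracts."""
    pattern = re.compile(FAIL2BAN_FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
    return [m.group("host")
            for m in (pattern.match(line) for line in log_text.splitlines()) if m]


if __name__ == "__main__":
    for ip, n in hits_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} w00tw00t request(s)")
    print("failregex would extract:", failregex_matches(SAMPLE_LOG))
```

Run it against a real access log by feeding the file contents to hits_per_ip(); the status code is deliberately not used in the signature, since the same scanner gets a 400 or a 404 depending on how the web server treats the ":)" in the path.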


