w00tw00t.at.ISC.SANS.DFind

Well, I've been having this problem for a long time, with script kiddies trying to run scans on my server with DFind (http://class101.org ).

These are some of the requests from the Apache server logs:

/var/log/httpd/access_log.2:80.237.172.185 - - [05/Mar/2007:09:20:47 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.2:83.71.188.242 - - [05/Mar/2007:16:25:40 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.2:213.254.226.49 - - [06/Mar/2007:05:11:47 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.2:216.30.246.14 - - [09/Mar/2007:08:56:12 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.3:80.237.211.76 - - [25/Feb/2007:07:46:16 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.3:83.71.188.242 - - [25/Feb/2007:17:51:23 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
/var/log/httpd/access_log.3:80.237.172.185 - - [27/Feb/2007:05:42:20 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400

All this while I've been lazy :D , but today I felt like trying something to fix it. What I've come up with is this:

grep "w00tw00t" /var/log/httpd/access_log* | awk '{print $1}' | sed 's/\(.*\)://g' | sort | uniq | cat /etc/apf/deny_hosts.rules - | sort | uniq

This is what I wrote to get the list of IPs from the Apache access logs that have been running these scans (the sed strips the "filename:" prefix grep adds when it is given several files). The purpose is to feed these IPs to APF (http://www.rfxnetworks.com/apf.php ): the output is pumped into /etc/apf/deny_hosts.rules to block any of these lamers from further accessing my server ^_^
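The same pipeline as a small script, added here as an example (not from the original post): it pulls the probing IPs out of constructed sample log lines, merges them with a constructed deny list, and stages the result through a temp file so the rules file is never truncated while it is also being read. The log and deny-file paths are assumptions; grep -h replaces the post's sed by suppressing the filename prefix directly.

```shell
#!/bin/sh
# Added example, not the post's own code. Paths and log lines are constructed.

# Constructed sample access log in the same format as the post's log lines.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [05/Mar/2007:09:20:47 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
192.0.2.11 - - [05/Mar/2007:09:21:02 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2007:05:11:47 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
198.51.100.7 - - [09/Mar/2007:08:56:12 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 299 "-" "-"
EOF

# Constructed existing deny list; one scanner address is already in it.
DENY_FILE="$(mktemp)"
printf '198.51.100.7\n203.0.113.5\n' > "$DENY_FILE"

# scanner_ips LOGFILE...: unique source IPs of w00tw00t probe requests.
# grep -h drops the "filename:" prefix grep adds for multiple files, so no
# sed is needed; awk keeps the client address (field 1); sort -u dedupes.
scanner_ips() {
    grep -h 'w00tw00t' "$@" | awk '{print $1}' | sort -u
}

# merge_deny DENYFILE LOGFILE...: merge scanner IPs into DENYFILE in place.
# Output goes to a temp file first and is then renamed over the rules file:
# redirecting straight into a file that is also an input truncates it before
# cat gets to read it, which would wipe the existing block list.
# Only well-formed dotted-quad lines are kept. Prints the final line count.
merge_deny() {
    deny="$1"; shift
    tmp="$(mktemp)"
    { cat "$deny"; scanner_ips "$@"; } \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u > "$tmp"
    mv "$tmp" "$deny"
    wc -l < "$deny" | tr -d ' '
}

merge_deny "$DENY_FILE" "$SAMPLE_LOG"   # prints 3
cat "$DENY_FILE"
```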

The only problem is, for some strange reason, I couldn't pipe the output of the command directly to /etc/apf/deny_hosts.rules. The file always ended up with the output of "grep "w00tw00t" /var/log/httpd/access_log*|awk '{print $1}'|sed 's/\(.*\)://g'|sort|uniq". Well, maybe I'll figure it out some time later. SLEEPP!! awaits!!