We purchased some servers on Digital Ocean and found the w00tw00t.at.blackhats.romanian.anti-sec attack in their logs. We have seen the same kind of attack on our AWS EC2 servers.

w00tw00t.at.blackhats.romanian.anti-sec is a scripted scan in which the attacker probes for weaknesses in phpMyAdmin and PHP running under Apache by requesting crafted URLs.
I found the same thing on a client's system that had recently been migrated to Digital Ocean because of its very reasonable price.

[root@server log]# grep -r w00t *
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:09 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:108.161.129.137 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
[root@server log]#

Solution:

(1) To deal with this issue I set an iptables rule that matches on a string in the request. I also added an anti-portscan iptables script.

iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP

(2) Implement fail2ban. (I have not written a post on it yet.)

Create a new file in /etc/fail2ban/filter.d/ called "w00tw00t.conf":

vi /etc/fail2ban/filter.d/w00tw00t.conf

[Definition]

# <HOST> is fail2ban's placeholder for the client address that will be banned
failregex = ^<HOST> .*"GET /w00tw00t

ignoreregex =

Edit the /etc/fail2ban/jail.conf file, append this configuration after the last line, and restart the fail2ban service:

vi /etc/fail2ban/jail.conf

[w00tw00t-scans]
enabled = true
action = iptables-allports sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
filter = w00tw00t
# set the log path
logpath = /var/log/httpd/access_log
# ban for 24 hours
maxretry = 1
bantime = 86400
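To see what the filter and jail above actually do to a log before you reload fail2ban, here is an added example (not part of the original post or of fail2ban itself) that applies a fail2ban-style failregex with a <HOST> placeholder to constructed access_log lines, counts hits per client address, and applies the maxretry rule; it also includes a check for non-breaking spaces in a filter file, since that is a common cause of ConfigParser "parsing errors" when a filter is pasted from a web page. The regex, the host pattern and the sample lines are assumptions for this example; the addresses are RFC 5737 documentation ranges, not the ones in the post.

```python
import re
from collections import Counter

# Constructed sample access_log lines in Apache combined format (not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
192.0.2.10 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
198.51.100.7 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
203.0.113.5 - - [22/Jun/2013:21:47:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The failregex in fail2ban syntax; <HOST> is substituted the way fail2ban does it
# (simplified here to an IPv4 address, which is what the sample log contains).
FAILREGEX = r'^<HOST> .*"GET /w00tw00t'
HOST_PATTERN = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def matching_hosts(log_text, failregex=FAILREGEX):
    """Return a Counter of host -> number of log lines the failregex matched."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def hosts_to_ban(log_text, maxretry=1):
    """Jail decision: a host is banned once it reaches maxretry matches.

    findtime is ignored here; the sample spans only a couple of days and the
    point is the counting, not the sliding window."""
    return sorted(h for h, n in matching_hosts(log_text).items() if n >= maxretry)


def check_filter_file(text):
    """Return 1-based line numbers containing a non-breaking space (U+00A0),
    which ConfigParser rejects when it appears where a key/value is expected."""
    return [i for i, line in enumerate(text.splitlines(), 1) if '\xa0' in line]


if __name__ == '__main__':
    print(dict(matching_hosts(SAMPLE_LOG)))   # {'192.0.2.10': 2, '198.51.100.7': 1}
    print(hosts_to_ban(SAMPLE_LOG))           # ['192.0.2.10', '198.51.100.7']
```

With maxretry = 1 as in the jail above, a single matching request is enough to ban the client; raising maxretry to 2 would ban only the repeat offender in the sample.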

There are some other measures I am looking at to protect my server from such attacks.
Currently I am parsing the Apache error_log and banning the attacking IP addresses in iptables.
Checking some more fail2ban regexes to deal with this issue.

Putting Nagios monitoring in place for this particular attack.

So far the server is safe and all the above measures are working fine.

4 Comments

  1. As far as I can understand, Fail2Ban 'only' blocks IPs etc. which have already attempted a hack. Why give these scumbags 1 chance of gaining access?

    I run WP sites and for the past 18 months I've implemented ZB Block (a free script – additional & updated Country bans available). None of these undesirables get access to anything – they are stopped before they reach the front door. As long as you're running php, ZB Block will work.

    Worth checking out because it has saved me from oodles of headaches.

  2. Hi, I followed your tutorial and got this error:

    File "/usr/share/fail2ban/client/configurator.py", line 68, in getOptions
    return self.__jails.getOptions(jail)
    File "/usr/share/fail2ban/client/jailsreader.py", line 67, in getOptions
    ret = jail.getOptions()
    File "/usr/share/fail2ban/client/jailreader.py", line 78, in getOptions
    ret = self.__filter.read()
    File "/usr/share/fail2ban/client/filterreader.py", line 56, in read
    return ConfigReader.read(self, "filter.d/" + self.__file)
    File "/usr/share/fail2ban/client/configreader.py", line 62, in read
    SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
    File "/usr/share/fail2ban/client/configparserinc.py", line 108, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
    File "/usr/share/fail2ban/client/configparserinc.py", line 79, in getIncludes
    parser.read(resource)
    File "/usr/lib/python2.7/ConfigParser.py", line 305, in read
    self._read(fp, filename)
    File "/usr/lib/python2.7/ConfigParser.py", line 546, in _read
    raise e
    ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/w00tw00t.conf
    [line 2]: '\xc2\xa0\n'
    [line 4]: '\xc2\xa0\n'
    ...fail!

    Any idea?!!?
