Protect from


What the hell? I recently purchased a server on Digital Ocean and found this attack in its logs. I have found the same kind of attack on my AWS EC2 servers too. It is a scripted attack in which the attacker tries to find loopholes in phpMyAdmin and PHP under Apache by manipulating the request URL.
I found the same thing on a client's system that had recently been migrated to Digital Ocean because of its very reasonable price.

[root@server log]# grep -r w00t *
httpd/access_log-20130623: - - [21/Jun/2013:10:15:42 +0000] "GET / HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623: - - [21/Jun/2013:18:24:07 +0000] "GET / HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623: - - [21/Jun/2013:18:24:09 +0000] "GET / HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623: - - [22/Jun/2013:21:46:59 +0000] "GET / HTTP/1.1" 301 354 "-" "ZmEu"
[root@server log]#

Solution:

(1) To deal with this issue I have set an iptables rule based on string matching. I have also added an anti-portscan iptables script.

iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP

(2) Implement fail2ban. (I have not written a post on it.)

Create a new file in /etc/fail2ban/filter.d/ called "w00tw00t.conf":

vi /etc/fail2ban/filter.d/w00tw00t.conf

[Definition]
failregex = ^<HOST> .*"GET /w00tw00t.*
ignoreregex =

Edit /etc/fail2ban/jail.conf, append this jail after the last line and restart the fail2ban service:

vi /etc/fail2ban/jail.conf

[w00tw00t]
enabled  = true
action   = iptables-allports[name=w00tw00t]
           sendmail-whois[name=w00tw00t, dest=root]
filter   = w00tw00t
##### set the log path ######
logpath  = /var/log/httpd/access_log
maxretry = 1
###### ban for 24 hour ######
bantime  = 86400
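To see what the filter and jail above actually do before enabling them, here is an added example (my own code, not from the original post or the fail2ban project): it expands the filter's <HOST> placeholder the way fail2ban does (a simplified stand-in for fail2ban's real pattern), runs the failregex over a few constructed access_log lines with documentation-range IPs, applies the jail's maxretry/findtime logic, and renders the per-address DROP rules that the iptables-allports action would insert into the jail's chain (rendered as strings, never executed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access_log lines (documentation-range IPs,
# not the post's real log). Two w00tw00t probes from 203.0.113.7 two seconds
# apart, one from 192.0.2.33, plus a phpMyAdmin probe and a normal page view
# that the w00tw00t filter must leave alone.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 289 "-" "ZmEu"
203.0.113.7 - - [21/Jun/2013:10:15:43 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289 "-" "ZmEu"
203.0.113.7 - - [21/Jun/2013:10:15:44 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 289 "-" "ZmEu"
198.51.100.12 - - [21/Jun/2013:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.33 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 289 "-" "ZmEu"
"""

# The filter's failregex as fail2ban expects it: <HOST> marks the field that
# becomes the banned address.
FAILREGEX = r'^<HOST> .*"GET /w00tw00t.*'

# Simplified stand-in (assumption) for the pattern fail2ban substitutes for <HOST>.
HOST_PATTERN = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

TIMESTAMP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def parse_time(line):
    """Extract the request timestamp (offset ignored; all sample lines are UTC)."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')


def find_offenders(log_text, failregex=FAILREGEX, maxretry=1, findtime=600):
    """Return {ip: time_of_ban} for hosts that match failregex at least
    maxretry times within findtime seconds, mirroring the jail settings."""
    rx = compile_failregex(failregex)
    recent = defaultdict(list)   # ip -> timestamps of matches still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = rx.match(line)
        if not m:
            continue
        ip, t = m.group('host'), parse_time(line)
        recent[ip] = [h for h in recent[ip] if t - h <= timedelta(seconds=findtime)] + [t]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = t
    return banned


def ban_commands(banned, jail='w00tw00t'):
    """Shape of the per-address rule the iptables-allports action inserts into
    the jail's chain; returned as strings only, nothing is executed."""
    return [f'iptables -I fail2ban-{jail} 1 -s {ip} -j DROP' for ip in sorted(banned)]


if __name__ == '__main__':
    for cmd in ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

With maxretry = 1, as in the jail above, a single probe is enough to ban an address; raising maxretry to 2 bans only 203.0.113.7, whose two probes fall inside the findtime window. Against a real log, the same check is done with fail2ban's own tool: fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/w00tw00t.conf.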

There are some other measures I am looking at to protect my server from such attacks:
Currently I am parsing the Apache error_log and banning the attacking IP addresses in iptables.
Checking some more fail2ban regexes to deal with this issue.

Putting Nagios monitoring in place for this particular attack.

So far the server is safe and all the above measures are working fine.

4 thoughts on “Protect from”

  1. As far as I can understand Fail2Ban 'only' blocks IPs etc. which have already attempted a hack. Why give these scumbags 1 chance of gaining access?

    I run WP sites and for the past 18 months I've implemented ZB Block (a free script – additional & updated Country bans available). None of these undesirables get access to anything – they are stopped before they reach the front door. As long as you're running php ZB Block will work.

    Worth checking out cause it has saved me from oodles of headaches.

  2. Hi, I followed your tutorial and got this error:

    File "/usr/share/fail2ban/client/", line 68, in getOptions
    return self.__jails.getOptions(jail)
    File "/usr/share/fail2ban/client/", line 67, in getOptions
    ret = jail.getOptions()
    File "/usr/share/fail2ban/client/", line 78, in getOptions
    ret =
    File "/usr/share/fail2ban/client/", line 56, in read
    return, "filter.d/" + self.__file)
    File "/usr/share/fail2ban/client/", line 62, in read, [bConf, bLocal])
    File "/usr/share/fail2ban/client/", line 108, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
    File "/usr/share/fail2ban/client/", line 79, in getIncludes
    File "/usr/lib/python2.7/", line 305, in read
    self._read(fp, filename)
    File "/usr/lib/python2.7/", line 546, in _read
    raise e
    ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/w00tw00t.conf
    [line 2]: '\xc2\xa0\n'
    [line 4]: '\xc2\xa0\n'

    Any idea?!!?
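The two offending lines in that traceback are non-breaking spaces (UTF-8 bytes C2 A0 followed by a newline), which is what a web page's blank lines often become when copied into an editor; Python 2's ConfigParser, the one fail2ban ran on at the time, does not treat U+00A0 as whitespace and rejects the line. As an added example (my own code, not from the post or the commenter), this Python script checks a filter file for such bytes, reports their line numbers in the same form as the error, replaces them, and confirms the cleaned text parses with the [Definition] section fail2ban needs; the file contents are constructed to reproduce the comment's situation.

```python
import configparser

# Constructed bytes imitating a filter pasted from a web page: lines 2 and 4
# hold a non-breaking space (U+00A0, UTF-8 C2 A0) instead of being empty.
# Not the commenter's actual file.
PASTED_FILTER = (
    b"[Definition]\n"
    b"\xc2\xa0\n"
    b"failregex = ^<HOST> .*\"GET /w00tw00t.*\n"
    b"\xc2\xa0\n"
    b"ignoreregex =\n"
)

NBSP = b"\xc2\xa0"


def nbsp_lines(data):
    """1-based numbers of lines containing a UTF-8 non-breaking space,
    i.e. the lines a Python 2 ConfigParser would list as parsing errors."""
    return [n for n, line in enumerate(data.split(b"\n"), start=1) if NBSP in line]


def sanitize(data):
    """Replace non-breaking spaces with ordinary spaces and decode to text."""
    return data.replace(NBSP, b" ").decode("utf-8")


def load_filter(text):
    """Parse a fail2ban-style filter and return (failregex, ignoreregex).
    interpolation=None keeps configparser from touching '%' in patterns."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("Definition", "failregex"), cp.get("Definition", "ignoreregex")


if __name__ == "__main__":
    bad = nbsp_lines(PASTED_FILTER)
    print("non-breaking spaces on lines:", bad)
    failregex, ignoreregex = load_filter(sanitize(PASTED_FILTER))
    print("failregex:", failregex)
```

On the server itself the same bytes show up in cat -A /etc/fail2ban/filter.d/w00tw00t.conf as M-BM- at the start of the affected lines; deleting those lines or retyping the file by hand fixes the error.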

