Protect from w00tw00t.at.blackhats.romanian.anti-sec

by

Protect from w00tw00t.at.blackhats.romanian.anti-sec

What the hell? I recently purchased some server in Digital Ocean and found the w00tw00t.at.blackhats.romanian.anti-sec attack. The same kind of attack I also found in my AWS EC2 servers.

w00tw00t.at.blackhats.romanian.anti-sec is kind of script attack in which attacker try to find the loopholes in phpmyadmin and php with Apache and try to manipulate through URL.
The same thing I found in my client system who have recently been migrated to Digital Ocean because of its very reasonable price.

[root@server log]# grep -r w00t *
httpd/access_log-20130623:203.156.205.160 – – [21/Jun/2013:10:15:42 +0000] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 301 354 “-” “ZmEu”
httpd/access_log-20130623:203.156.205.160 – – [21/Jun/2013:18:24:07 +0000] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 301 354 “-” “ZmEu”
httpd/access_log-20130623:203.156.205.160 – – [21/Jun/2013:18:24:09 +0000] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 301 354 “-” “ZmEu”
httpd/access_log-20130623:108.161.129.137 – – [22/Jun/2013:21:46:59 +0000] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 301 354 “-” “ZmEu”
[root@server log]#

Solution :

(1) To deal with this issue I have set the iptable based on string. As well as I putted Anti portscan iptable script.

iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP

(2) Implement fail2ban . (I have not written post on it)

Create a new file in /etc/fail2ban/filter.d/ called “w00tw00t.conf”

vi /etc/fail2ban/filter.d/w00tw00t.conf

[Definition]

failregex = ^ .*"GET /w00tw00t*

ignoreregex =

Edit /etc/fail2ban/jail.conf file and after last line put this configuration & restart the fail2ban service

vi /etc/fail2ban/jail.conf

[w00tw00t-scans]

enabled  = true

action   = iptables-allports

sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]

filter   = w00tw00t

##### set the log path ######

logpath  = /var/log/httpd/access_log

maxretry = 1

###### ban for 24 hour ######

bantime  = 86400

There are some other measures I am looking forward to protect my server from such attack.
Currently parsing apache the error.log and banned the attacking IP address in iptable
Checking some more fail2ban regex to deal with this issue.

Putting the Nagios monitoring for this particular attack.

Till now the server is safe and all the above measures are working fine.

Related posts:

  1. How to protect from port scanning and smurf attack in Linux Server by iptables
  2. Protect ssh with Google Authenticator on Ubuntu 14.04 LTS
  3. Protect from SSL Drown Attack in AWS ELB, Apache and Nginx
  4. GNU Screen
  5. Error installing rails
  6. How to download package using apt-get command in ubuntu
  7. Linux Tac Command : Reverse Of cat Command Output
  8. Recover Linux Grub Password in linux rescue mode CentOS/Red Hat
  9. fatal error: error writing to /tmp/ccwAjc9Z.s: No space left on device
  10. New XAMPP security concept

4 thoughts on “Protect from w00tw00t.at.blackhats.romanian.anti-sec”

  2. As fas I can understand Fail2Ban ‘only’ blocks IP’s etc which have already attempted a hack. Why give this scums bags 1 chance of gaining access?

    I run WP sites and for the past 18 months I’ve implimented ZB Block (a free script – additional & updated Country bans available). None of these undesirables get access to anything – they are stopped before they reach the front door. As long as your running php ZB Block will work.

    Worth checking out cause it has saved me from oddles of headaches.

    Reply

  3. Hi, I follow you tutorial and get this error:

    File “/usr/share/fail2ban/client/configurator.py”, line 68, in getOptions
    return self.__jails.getOptions(jail)
    File “/usr/share/fail2ban/client/jailsreader.py”, line 67, in getOptions
    ret = jail.getOptions()
    File “/usr/share/fail2ban/client/jailreader.py”, line 78, in getOptions
    ret = self.__filter.read()
    File “/usr/share/fail2ban/client/filterreader.py”, line 56, in read
    return ConfigReader.read(self, “filter.d/” + self.__file)
    File “/usr/share/fail2ban/client/configreader.py”, line 62, in read
    SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
    File “/usr/share/fail2ban/client/configparserinc.py”, line 108, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
    File “/usr/share/fail2ban/client/configparserinc.py”, line 79, in getIncludes
    parser.read(resource)
    File “/usr/lib/python2.7/ConfigParser.py”, line 305, in read
    self._read(fp, filename)
    File “/usr/lib/python2.7/ConfigParser.py”, line 546, in _read
    raise e
    ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/w00tw00t.conf
    [line 2]: ‘xc2xa0n’
    [line 4]: ‘xc2xa0n’
    …fail!

    Any ideea?!!?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.