
In my web server logs I get a lot of these: [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I know it's just a failed request and I don't have to worry about it too much. In the past I have tried searching for the actual script or tool that does this. It must be pretty commonly available judging from the number of occurrences of this request. I found different tips on how to deal with the message, but I'm interested in looking at this tool/script itself and I never found its name or location mentioned.


My question ends here. A bit more background: Today I noticed one of the clients doing this request is an IP of another server of mine, quite important, actually, because it's my server virtualization host. I suspect intrusion. That's why I want to look at this script - so I can analyze what it does and how to find it.

user63623
  • Possible duplicate of [has my server been hacked w00tw00t.at.ISC.SANS.DFind](https://serverfault.com/questions/281286/has-my-server-been-hacked-w00tw00t-at-isc-sans-dfind) – kenorb Sep 18 '18 at 13:33
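A defender-side triage of the log lines in the question, added here as an example that is not from the question or the answer: it parses Apache error-log lines of the shape shown above, counts w00tw00t probes per client IP, and flags any source that falls inside address ranges you own, which is the case the asker is worried about. The sample lines and the 10.0.0.0/8 "internal" range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of Apache error_log lines in the format quoted in the
# question; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
[Sat Sep 15 03:12:44 2018] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Sep 15 03:12:45 2018] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Sep 15 04:01:02 2018] [error] [client 10.0.0.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Sep 15 04:05:10 2018] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
[Sat Sep 15 04:07:33 2018] [notice] caught SIGTERM, shutting down
"""

# Matches the "[error] [client IP] message" part of each line (IPv4 or IPv6).
ERROR_LINE = re.compile(r"\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$")
W00T_MARKER = "w00tw00t.at.ISC.SANS.DFind"


def w00t_hits(log_text: str) -> Counter:
    """Count w00tw00t probe lines per client IP; other errors are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ERROR_LINE.search(line)
        if m and W00T_MARKER in m.group("msg"):
            hits[m.group("ip")] += 1
    return hits


def internal_sources(hits, internal_nets):
    """Return the probing IPs that lie inside your own address ranges.

    A probe from inside is the situation described in the question: one of
    your own hosts emitting the scanner's fingerprint, which deserves an
    incident-response look rather than a firewall rule."""
    nets = [ip_network(n) for n in internal_nets]
    return sorted(ip for ip in hits if any(ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    hits = w00t_hits(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} probe(s)")
    print("from internal ranges:", internal_sources(hits, ["10.0.0.0/8"]))
```

Feed it your real error_log (for example `w00t_hits(open("/var/log/apache2/error.log").read())`) and your own subnets to get the same per-IP tally.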

1 Answer


Check the information at: https://isc.sans.edu/diary/w00tw00t/900

It's a web vulnerability scanner that has this fingerprint. Find and use it at your own risk. We at the Internet Storm Center distance ourselves from this tool that is labeled by at least one security company as a hacker tool.

kenorb
mailq