Dealing with HTTP w00tw00t attacks
Solution 1:
From your error log they are sending an HTTP/1.1 request without the Host: portion of the request. From what I read, Apache replies with a 400 (Bad Request) error to this request, before handing over to mod_security. So it doesn't look like your rules will be processed. (Apache deals with it before it ever needs to hand over to mod_security.)
Try it yourself:
telnet hostname 80
GET /blahblahblah.html HTTP/1.1 (enter) (enter)
You should get the 400 error and see the same error in your logs. This is a bad request and Apache is giving the correct answer.
A proper request should look like:
GET /blahblahblah.html HTTP/1.1
Host: blah.com
A work around for this issue could be to patch mod_uniqueid, to generate a unique ID even for a failed request, in order that apache passes the request on to its request handlers. The following URL is a discussion about this work around, and includes a patch for mod_uniqueid you could use: http://marc.info/?l=mod-security-users&m=123300133603876&w=2
Couldn't find any other solutions for it and wonder if a solution is actually required.
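To reproduce the telnet test from this answer from a script instead of by hand, here is an added example (not part of the original answer): a Python 3 probe that sends the same GET request to a host and port you name on the command line, once without a Host header and once with it, and prints the status code each one gets back. The target host and port are assumptions supplied as arguments; the script also adds a Connection: close header, which the telnet test does not, so that the server ends the response and the read terminates.

```python
#!/usr/bin/env python3
"""Send a raw HTTP request with and without a Host header and report the
status code the server returns. Added example, not part of the original answer."""
import socket
import sys


def build_request(path, host=None, version="HTTP/1.1"):
    """Build a raw GET request. host=None omits the Host header, which is the
    malformed shape described in the answer. Connection: close is an addition
    beyond the telnet test so the server closes and probe() stops reading."""
    lines = ["GET %s %s" % (path, version)]
    if host is not None:
        lines.append("Host: %s" % host)
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(response):
    """Return the integer status code from the status line of a raw response."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])


def probe(host, port, request, timeout=5.0):
    """Send request bytes over TCP and return (status code, raw response)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the connection open; the status line is already in hand
    response = b"".join(chunks)
    return parse_status(response), response


if __name__ == "__main__":
    # Assumed usage: probe.py HOSTNAME [PORT]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    cases = (
        ("without Host header", build_request("/blahblahblah.html")),
        ("with Host header", build_request("/blahblahblah.html", host=target)),
    )
    for label, req in cases:
        code, _ = probe(target, port, req)
        print("%-20s -> %d" % (label, code))
```

The version parameter is there so you can repeat the test with HTTP/1.0: the Host header is only mandatory for HTTP/1.1 requests, so an HTTP/1.0 request line without it is valid and is passed to the normal request handlers rather than rejected up front.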
Solution 2:
Filtering IPs is not a good idea, IMHO. Why not try filtering the string you know?
I mean:
iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP
Solution 3:
I've also started seeing these types of messages in my log files. One way to prevent these types of attacks is to set up fail2ban ( http://www.fail2ban.org/ ) and set up specific filters to blacklist these IP addresses in your iptables rules.
Here's an example of a filter that would block the IP address associated with making those messages:
[Tue Aug 16 02:35:23 2011] [error] [client ] File does not exist: /var/www/skraps/w00tw00t.at.blackhats.romanian.anti-sec:)
=== apache w00t w00t messages jail - regex and filter ===
Jail
[apache-wootwoot]
enabled = true
filter = apache-wootwoot
action = iptables[name=HTTP, port="80,443", protocol=tcp]
logpath = /var/log/apache2/error.log
maxretry = 1
bantime = 864000
findtime = 3600
Filter
# Fail2Ban configuration file
#
# Author: Jackie Craig Sparks
#
# $Revision: 728 $
#
[Definition]
#Woot woot messages
# <HOST> is the fail2ban placeholder for the client address to ban; a fixed IP here would only ever match that one client
failregex = ^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] \[client <HOST>] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}
ignoreregex =
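Before enabling a jail it is worth checking that the failregex actually extracts a client address from real lines. The following is an added example, not part of the original answer: a Python 3 script that takes the failregex from the filter above, expands the <HOST> placeholder to an IPv4 capture group (an approximation of what fail2ban does; fail2ban's own expansion also accepts hostnames and IPv6), and runs it over a few constructed Apache error log lines. It also shows that the same regex with a fixed client IP in place of <HOST> matches nothing from other clients.

```python
#!/usr/bin/env python3
"""Offline check of the apache-wootwoot failregex against sample log lines.
Added example, not part of the original answer or of fail2ban."""
import re

# The failregex from the filter above, written with the <HOST> placeholder.
FAILREGEX = (
    r"^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] "
    r"\[client <HOST>] File does not exist: "
    r"\/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}"
)

# Assumption: an IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (approximately) and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def find_offenders(lines, failregex=FAILREGEX):
    """Return the client IPs of the lines that match, in log order.
    If the regex has no host group (e.g. a hard-coded IP), the full match
    is returned instead so the caller can still see what was hit."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hits.append(match.group("host") if "host" in pattern.groupindex else match.group(0))
    return hits


# Constructed sample lines (documentation-range addresses, not real log data).
SAMPLE_LOG = [
    "[Tue Aug 16 02:35:23 2011] [error] [client 203.0.113.7] File does not exist: "
    "/var/www/skraps/w00tw00t.at.blackhats.romanian.anti-sec:)",
    "[Tue Aug 16 02:35:24 2011] [error] [client 198.51.100.9] File does not exist: "
    "/var/www/html/favicon.ico",
    "[Tue Aug 16 02:36:01 2011] [error] [client 192.0.2.44] File does not exist: "
    "/var/www/html/WootWoot.at.ISPsec",
    "[Tue Aug 16 02:36:05 2011] [notice] caught SIGTERM, shutting down",
]


if __name__ == "__main__":
    print("with <HOST>:      ", find_offenders(SAMPLE_LOG))
    fixed_ip = FAILREGEX.replace("<HOST>", "195.140.144.30")
    print("with a fixed IP:  ", find_offenders(SAMPLE_LOG, fixed_ip))
```

The same check against the live log is what fail2ban-regex does, e.g. fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-wootwoot.conf, which reports how many lines matched and which addresses were extracted.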
Solution 4:
w00tw00t.at.blackhats.romanian.anti-sec is a hacking attempt and uses spoofed IPs, so lookups such as VisualRoute will report China, Poland, Denmark etc. according to the IP in use at that time. So setting up a Deny on an IP or resolvable hostname is well-nigh impossible, as it will change within an hour.
Solution 5:
I personally wrote a Python script to auto-add IPtables rules.
Here's a slightly abbreviated version without logging and other junk:
#!/usr/bin/env python3
# Scan the tail of the Apache error log for w00tw00t probes and DROP the
# offending source addresses with iptables (must run as root).
import re
import shlex
import subprocess
import sys

ERROR_LOG = '/usr/local/apache/logs/error_log'
# Dotted-quad IPv4 address with each octet limited to 0-255.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
                     r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")


def find_dscan():
    """Return the set of client IPs seen on w00t lines in the last 5000 log lines."""
    p1 = subprocess.Popen(['tail', '-n', '5000', ERROR_LOG], stdout=subprocess.PIPE)
    p2 = subprocess.Popen(['grep', 'w00t'], stdin=p1.stdout,
                          stdout=subprocess.PIPE, text=True)
    p1.stdout.close()  # let tail receive SIGPIPE if grep exits early
    output = p2.communicate()[0].split('\n')
    ip_list = []
    for line in output:
        result = IPV4_RE.findall(line)
        if result:
            ip_list.append(result[0])  # first address on the line is the [client ...] IP
    return set(ip_list)


for ip in find_dscan():
    inbound = "iptables -A INPUT -s " + ip + " -j DROP"
    outbound = "iptables -A OUTPUT -d " + ip + " -j DROP"
    subprocess.call(shlex.split(inbound))
    subprocess.call(shlex.split(outbound))
sys.exit(0)