В логе апача постоянно появляется эта хрень!
5.199.175.63 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
5.9.196.201 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
50.63.136.60 "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 514 "-"
62.193.232.12 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
62.193.243.32 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
62.193.243.32 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
69.197.34.138 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
70.38.112.218 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
85.114.135.167 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
85.114.135.167 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
85.114.135.167 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
85.114.135.167 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
85.214.74.60 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
89.121.253.227 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
109.163.227.107 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
178.238.46.192 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
184.168.116.156 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
184.168.116.156 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
184.168.116.156 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
184.168.116.156 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
188.138.115.207 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
188.138.88.171 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
188.138.90.252 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
188.40.183.199 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
188.40.183.199 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
194.226.137.239 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
195.244.61.62 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
204.236.201.72 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
217.52.239.25 "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 514 "-"
В общем, надоел он мне, накатал такую функцию:
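#######################################
# Block every client address that ever requested a w00tw00t scanner URL,
# taken from the Apache access logs, and add two payload-match rules so
# future probes are dropped before they reach the server.
#
# Arguments:
#   $1 - log directory (optional, default /var/log/apache2); files named
#        *.gz are read with zcat, everything else with cat
# Globals:  none written; calls iptables, so it must run as root
# Returns:  1 if no temp file could be created, 0 otherwise
#
# NOTE(review): the first log field is assumed to be the client address.
# Behind a reverse proxy or load balancer that field is the proxy's
# address and the rule would block it instead of the scanner -- confirm
# the LogFormat before running this.
#
# Fixes vs. the original: the `*) break` arm stopped the whole loop on the
# first file `file(1)` did not label ASCII/gzip (e.g. an empty access.log),
# silently skipping the remaining logs; `ls` was parsed and every expansion
# was unquoted; re-running the function appended duplicate iptables rules.
#######################################
WOOT() {
  local log_dir=${1:-/var/log/apache2}
  local tmp
  tmp=$(mktemp) || return 1
  [[ -f "$tmp" ]] || return 1

  local f reader
  for f in "$log_dir"/access.*; do
    [[ -e "$f" ]] || continue   # glob matched nothing
    case "$f" in
      *.gz) reader=zcat ;;
      *)    reader=cat ;;
    esac
    # first field of the combined log is the client IP; one line per IP per file
    "$reader" < "$f" | grep -i w00tw00t | awk '{print $1}' | sort -u >> "$tmp"
  done

  local ip
  while IFS= read -r ip; do
    # -C first so re-running the function does not append duplicate rules
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
      || iptables -A INPUT -s "$ip" -j DROP
  done < <(sort -u -- "$tmp")
  rm -f -- "$tmp"

  # Drop future probes by payload.
  # NOTE(review): --to 70 appears to bound the search window from the start
  # of the packet (IP header included); with TCP options the 26-byte needle
  # can end past offset 70 and the rule would not fire -- verify against
  # live traffic or raise --to. The port-443 rule can only match plaintext:
  # inside TLS the request line is encrypted, so it never matches HTTPS.
  # Both rules are appended (-A); an earlier ACCEPT for these ports in the
  # INPUT chain would shadow them.
  local port
  local -a rule
  for port in 80 443; do
    rule=(INPUT -s 0/0 -p tcp --dport "$port" -m string --to 70 --algo bm
          --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP)
    iptables -C "${rule[@]}" 2>/dev/null || iptables -A "${rule[@]}"
  done
}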