w00tw00t

 
Aprelium Forum Index -> Off Topic Discussions
Goatie.dk
-


Joined: 11 Feb 2005
Posts: 125
Location: Denmark > Herning

Posted: Wed Mar 29, 2006 9:47 pm    Post subject: w00tw00t

I've just been looking through my access.log and found a lot of hacking attempts.
Here's a list of a few of the latest ones.
Quote:
24.128.64.211 - - [23/Mar/2006:03:09:28 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 500 246 "" ""
82.208.142.95 - - [23/Mar/2006:15:37:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 500 246 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:46 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:47 +0100] "GET /xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:48 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:51 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:52 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:53 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:54 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:54 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:55 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:56 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:57 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:58 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:59 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:56:59 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:00 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:01 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:02 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:03 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:04 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:04 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 234 "" ""
210.120.62.92 - - [24/Mar/2006:08:57:05 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 234 "" ""
64.62.253.140 - - [28/Mar/2006:04:06:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 500 246 "" ""


But there's something new I've never seen before which makes a 500 error...
Code:
64.62.253.140 - - [28/Mar/2006:04:06:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 500 246 "" ""

After googling around a little I found out it's some kind of a "hacker tool" called DFind. But I don't have the slightest idea what it actually does.

Does anyone have any knowledge about this program and what it does?
_________________
The insane dane who loves AWS :D
http://home.goatie.dk <- pic = online.. no pic, guess ;P
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

Posted: Thu Mar 30, 2006 12:46 am

Just a bunch of preset vulnerability scans in one package...

Quote:

1. Scans for the following vulnerabilities and services:

o Open TCP and UDP ports.
o HP Web JetAdmin
o PSOProxy Server
o HP Web Server
o Microsoft Frontpage
o Hacktool.Radmin
o RealServer
o Apache Servers
o IIS servers
o Windows Media Service
o IPC$ shares without password protection.
o Weak write permissions in Microsoft IIS web server.
o Backdoor.OptixPro.10 and variants.
o Dictionary attacks on SQL Servers
o NULL/NTAuth/Passworded connections on Hacktool.Radmin
o The CCBill webserver module
o The PHPbb webserver module
o The PHP-Nuke webserver module.
o WebDav enabled on IIS5.0 webservers
o The Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow (Microsoft MS01-033)
o The Microsoft SQL Server MDAC buffer overflow (Microsoft MS02-040).


The actual site for it is here :

http://www.class101.org/

The w00tw00t part in the GET request is just electronic graffiti in your web logs :)
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
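
An added example, not part of the original thread: a small triage script for access-log entries like the ones quoted above, flagging clients that send the DFind-style banner request or sweep several missing paths in quick succession. The sample lines are constructed (documentation IP ranges), and the tag names, the 3-miss threshold and the 60-second window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's log layout; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2006:03:09:28 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 500 246 "" ""
198.51.100.7 - - [24/Mar/2006:08:56:46 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 234 "" ""
198.51.100.7 - - [24/Mar/2006:08:56:47 +0100] "GET /xmlrpc.php HTTP/1.0" 404 234 "" ""
198.51.100.7 - - [24/Mar/2006:08:56:48 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 234 "" ""
198.51.100.7 - - [24/Mar/2006:08:56:59 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 234 "" ""
203.0.113.5 - - [24/Mar/2006:09:10:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "" "Mozilla/5.0"
203.0.113.5 - - [24/Mar/2006:09:10:02 +0100] "GET /favicon.ico HTTP/1.1" 404 234 "" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
BANNER_RE = re.compile(r"^/w00tw00t\.at\.", re.IGNORECASE)  # banner path seen in the thread
MIN_404S = 3                     # assumed threshold: distinct missing paths
WINDOW = timedelta(seconds=60)   # assumed window for one sweep

def parse(line):
    """Return (ip, timestamp, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, stamp, _method, path, status = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def classify(log_text):
    """Map each suspicious client IP to a sorted list of tags."""
    findings, misses = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, path, status = rec
        if BANNER_RE.match(path):
            findings[ip].add("scanner-banner")
        if status == 404:
            misses[ip].append((when, path))
    for ip, hits in misses.items():
        hits.sort()
        # Slide over consecutive 404s: MIN_404S distinct paths inside WINDOW is a sweep.
        for i in range(len(hits) - MIN_404S + 1):
            chunk = hits[i:i + MIN_404S]
            if chunk[-1][0] - chunk[0][0] <= WINDOW and len({p for _, p in chunk}) == MIN_404S:
                findings[ip].add("404-sweep")
                break
    return {ip: sorted(tags) for ip, tags in findings.items()}
```

A single stray 404 (the favicon request in the sample) is not flagged; only the banner request and the rapid multi-path sweep are.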
Goatie.dk
-


Joined: 11 Feb 2005
Posts: 125
Location: Denmark > Herning

Posted: Thu Mar 30, 2006 12:54 am

Thanks for the reply :)

All times are GMT + 1 Hour