Server Logs Explained, Part 2: The w00tw00t Scan
(Editor’s note: The IP addresses in this post have been replaced with reserved IP addresses for documentation purposes. This post has been updated since publication to include more information about the w00tw00t scan.)
What is w00tw00t.at.blackhats.romanian.anti-sec?
If you read last week’s post, you’ll remember that I promised to post a more interesting log excerpt this week. This one is from a pretty common bot scan that you’ll see if you’re running a web server for any length of time, and while it looks scary at first, you likely don’t need to worry if your server is configured properly.
203.0.113.42 - - [21/Jun/2016:06:35:55 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 0 "-" "ZmEu"
In this log excerpt, we see that an IP address
that maps to the Netherlands made a GET request for
/w00tw00t.at.blackhats.romanian.anti-sec:), a nonexistent resource. However, the server returned a
400 Bad Request error rather than a
404 Not Found.
What This Means for You
Because I didn’t grab the accompanying error log entry that explains why Nginx returned a
400 error, I’m going to skip right to the explanation (spoiler alert). The
w00tw00t entries are created by the ZmEu or DFind vulnerability scanners as part of an attempt at banner grabbing. Banner grabbing is an enumeration technique, and in this case the scanner was searching for information about my server that could reveal possible exploits. The process goes something like this: a bot, possibly an infected computer or a proxy server, sends an
HTTP GET request with a bogus URI in the hope that the targeted server will respond with some information about its configuration. In my case, Nginx determined that the HTTP request was malformed in some way, so it rejected it with a
400 Bad Request status code. Most likely, the request was missing the
Host header, in the hope that my server would fill it in or provide some other information.
The bottom line is that if you’re running a web server, you’re going to come across these requests in your server logs at some point. The Internet is frequently scanned by script kiddies looking for various vulnerabilities, but as long as your server returns a
400 error for any
w00tw00t requests, you shouldn’t have to worry. There are a few other variants of this scan as well, including one that makes a request for
If you want to read more about the
w00tw00t scan, here’s some extra resources for more information:
- Strange requests to web server – Information Security Stack Exchange
- How to block web vulnerability scanners with iptables
- Yes, the w00tw00t continues. – SANS Internet Storm Center
- Hacked MIT Server Used to Stage Attacks, Scan for Vulnerabilities | SecurityWeek.Com
- Dealing with HTTP w00tw00t attacks – Server Fault