The w00tw00t Scan
Note: This post has been updated since publication to use reserved IP addresses for documentation purposes and to include more information about the w00tw00t scan.
Here’s an interesting log excerpt from a pretty common bot scan that you’ll likely see if you run your own web server for any length of time:
203.0.113.42 - - [21/Jun/2016:06:35:55 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 0 "-" "ZmEu"
In this excerpt, we see that a client made a GET request for /w00tw00t.at.blackhats.romanian.anti-sec:), a nonexistent resource. However, the server returned 400 Bad Request instead of the expected response code, 404 Not Found.
This is worth looking into because of the unexpected response code, but if your server is properly configured, this shouldn’t be an issue.
What This Means
The w00tw00t entries are created by the ZmEu or DFind vulnerability scanners as part of an attempt at banner grabbing. Banner grabbing is an enumeration technique, and in this case the scanner was searching for information about my server that could reveal possible exploits.
The process looks something like this: A bot, possibly an infected computer or a proxy server, sends an HTTP GET request with a bogus URI in the hope that the targeted server will respond with some information about its configuration. In my case, Nginx determined that the HTTP request was malformed in some way, so it rejected it with a 400 Bad Request status code. Most likely, the request was missing the Host header, in the hope that my server would fill it in or provide some other information.
The bottom line is that if you’re running a web server, you’re going to come across these requests in your server logs at some point. The Internet is frequently scanned by script kiddies looking for various vulnerabilities, but as long as your server returns a 400 error for any w00tw00t requests, you shouldn’t have to worry. There are a few other variants of this scan as well, including one that makes a request for /w00tw00t.at.ISC.SANS.DFind:).
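A small log audit that applies the post's rule of thumb (added example, not code from the original post): it parses Nginx combined-format lines, counts requests from the ZmEu/DFind scanners per source address, and lists any w00tw00t request the server answered with something other than 400. The log lines are constructed samples using documentation addresses; only the first one mirrors the excerpt above.

```python
import re
from collections import defaultdict

# Nginx "combined" access log format, the layout of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markers of the scan: the bogus w00tw00t URI and the scanner User-Agents.
W00T_URI = re.compile(r'^/w00tw00t\.', re.IGNORECASE)
SCANNER_UAS = ("ZmEu", "DFind")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_scanner_request(entry):
    """True for a w00tw00t URI or a request carrying a known scanner User-Agent."""
    return bool(W00T_URI.match(entry["uri"])) or any(
        ua in entry["ua"] for ua in SCANNER_UAS)

def audit(lines):
    """Return (hits_by_ip, to_check): scanner requests counted per source
    address, plus the w00tw00t requests the server did NOT answer with 400,
    which is the post's rule of thumb for "nothing leaked"."""
    hits = defaultdict(int)
    to_check = []
    for line in lines:
        e = parse_line(line)
        if e is None or not is_scanner_request(e):
            continue  # unparseable or ordinary traffic
        hits[e["ip"]] += 1
        if W00T_URI.match(e["uri"]) and e["status"] != "400":
            to_check.append((e["ip"], e["uri"], e["status"]))
    return dict(hits), to_check

# Constructed sample log (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.42 - - [21/Jun/2016:06:35:55 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 0 "-" "ZmEu"',
    '203.0.113.42 - - [21/Jun/2016:06:35:56 -0400] "GET / HTTP/1.1" 200 612 "-" "ZmEu"',
    '198.51.100.7 - - [21/Jun/2016:07:01:12 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 200 612 "-" "-"',
    '192.0.2.10 - - [21/Jun/2016:07:02:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, to_check = audit(SAMPLE_LOG)
    print(hits, to_check)
```

Anything in `to_check` is a w00tw00t request that got a 200 or 404 instead of the 400 the post describes, which is the case worth a closer look at the server configuration.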
References:
- Yes, the w00tw00t continues - SANS Internet Storm Center
- Hacked MIT Server Used to Stage Attacks, Scan for Vulnerabilities - SecurityWeek
- How to block web vulnerability scanners with iptables - NinTechNet
- Strange requests to web server - Information Security Stack Exchange
- Dealing with HTTP w00tw00t attacks - Server Fault
- Attacks by ZmEu or w00tw00t robots - The Linux Page