[Dshield] OK, who's the wise guy? (odd stuff in DShield server log....)

Johannes B. Ullrich jullrich at sans.org
Sat Mar 4 15:25:09 GMT 2006


DFind, a web-vulnerability scanner, is using the 'isc.sans.dfind' string
to identify itself. Not sure why.
(Its not that the ISC is involved in the development of the tool).


Valdis.Kletnieks at vt.edu wrote:

>Seen in the apache access.log:
>
>65.110.2.136 - - [31/Jan/2006:13:01:47 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
>221.132.66.5 - - [20/Feb/2006:02:47:43 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
>81.208.36.100 - - [27/Feb/2006:13:37:07 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
>221.139.49.91 - - [28/Feb/2006:22:15:11 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
>81.169.176.15 - - [02/Mar/2006:04:19:56 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
>
>>From 5 different places, scattered over a month...
>
>And in the error.log (only showing one, all 5 got same error msg):
>
>[Thu Mar 02 04:19:56 2006] [error] [client 81.169.176.15] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
>
>
>
>
>
>
>  
>
>------------------------------------------------------------------------
>
>_________________________________________
>Learn about Intrusion Detection in Depth from the comfort of your own couch:
>https://www.sans.org/athome/details.php?id=1341&d=1
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>  
>


-- 
---------      
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS 

"We use [isc.sans.org] every day to keep on top of 
 security at our bank" Matt, Network Administrator. 
       

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20060304/b5c0bcad/signature.bin


More information about the list mailing list