[Dshield] OK, who's the wise guy? (odd stuff in DShield server log....)

DigitalNation dshield at digitalnation.ca
Sat Mar 4 16:50:49 GMT 2006


I have seen this also. SANS says it is a vulnerability scan tool and not
related to them at all.

http://isc.sans.org/diary.php?storyid=900

------------------
M. McBride
Security Admin
DigitalNation
Vancouver, Canada
 


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Friday, March 03, 2006 2:19 PM
To: list at lists.dshield.org
Subject: [Dshield] OK,who's the wise guy? (odd stuff in DShield server
log....)


Seen in the apache access.log:

65.110.2.136 - - [31/Jan/2006:13:01:47 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
221.132.66.5 - - [20/Feb/2006:02:47:43 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
81.208.36.100 - - [27/Feb/2006:13:37:07 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
221.139.49.91 - - [28/Feb/2006:22:15:11 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
81.169.176.15 - - [02/Mar/2006:04:19:56 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"

From 5 different places, scattered over a month...

And in the error.log (only showing one, all 5 got same error msg):

[Thu Mar 02 04:19:56 2006] [error] [client 81.169.176.15] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
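
A detection sketch for the probe quoted above, added here as an example and not part of the original thread: it parses Apache access-log lines, flags requests for the `/w00tw00t.at.ISC.SANS.DFind:)` path, and groups them by source address with first and last sighting. The function names and the final benign log line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Leading fields of an Apache access-log line: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Probe path exactly as it appears in the log lines quoted in this thread.
PROBE_PATH = "/w00tw00t.at.ISC.SANS.DFind:)"

# The five access.log entries from the thread, plus one constructed benign request (last line).
SAMPLE_LOG = """\
65.110.2.136 - - [31/Jan/2006:13:01:47 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
221.132.66.5 - - [20/Feb/2006:02:47:43 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
81.208.36.100 - - [27/Feb/2006:13:37:07 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
221.139.49.91 - - [28/Feb/2006:22:15:11 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
81.169.176.15 - - [02/Mar/2006:04:19:56 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 309 "-" "-"
192.0.2.10 - - [01/Mar/2006:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

def find_probes(lines, probe_path=PROBE_PATH):
    """Return {client_ip: [datetime, ...]} for requests whose path equals probe_path."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        parts = m.group("request").split(" ")
        # Request line is "METHOD PATH PROTOCOL"; tolerate truncated requests.
        if len(parts) < 2 or parts[1] != probe_path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append(ts)
    return dict(hits)

def summarize(hits):
    """One row per source, ordered by first sighting: (ip, count, first_seen, last_seen)."""
    rows = [(ip, len(seen), min(seen), max(seen)) for ip, seen in hits.items()]
    return sorted(rows, key=lambda row: row[2])

if __name__ == "__main__":
    for ip, count, first, last in summarize(find_probes(SAMPLE_LOG.splitlines())):
        print(f"{ip:15} hits={count} first={first.isoformat()} last={last.isoformat()}")
```
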










