Lately I recognized the increase of scans for some certain paths resp. not closed connections from user agents containing strings like “w00t.isc.sans.Dfind:)” and variations thereof. The source of these strings were from dialup ip adresses but also from some probably hacked fixed server ip adresses. To get rid of these scans I whipped up a shellscript which scans the apachelogs and utilizes iptables to block these ip adresses. The script assumes there are no installations of phpmyadmin or other server management software in a standard path. A responsible acting admin should’t use this kind of thing on openly accessible production servers anyway methinks 😉
Continue reading howto block w00tw00t.isc.sans.dfind:) and other scans using iptables