w00tw00t.at.blackhats.romanian.anti-s
logixmedia
Member
I am seeing a lot of "w00tw00t.at.blackhats.romanian.anti-sec" in my Apache logs, Debian server. It is slowing my server, I guess, as I am not able to pinpoint why the pages are loading slowly sometimes from this server.
I have googled and referred to some links, but they were not really helpful:
http://serverfault.com/questions/125607/dealing-with-http-w00tw00t-attacks
http://ubuntuforums.org/showthread.php?t=1541215
Any help will be appreciated....
Comments
Same with me.
Just block their IP
Well, the IPs are changing frequently... (:
Could you try to install csf or another firewall?
Can you suggest a good tutorial for configuring CSF?
@praveenbhat - Those pesky Romanians are a real problem. I guess that they are some gang of "putzoi"...
You can use fail2ban to ban them
in /etc/fail2ban/jail.local add
and create /etc/fail2ban/filter.d/apache-w00tw00t.conf
With
For iptables only
@marcm what is "putzoi"....lol
But they scan for a couple of PHP applications... e.g. PHPadmin kind of stuff...
I think it's some kind of prepubescent boy who hasn't gotten their pubes in yet...
Why does my post look like shit?
I select and click on code, right?
Use the html tag
Lol yeah - it's annoying but easy to solve.
http://lmgtfy.com/?q=w00tw00t.at
~ 3 year old issue.
I also have those a lot, most of the time combined with PHPmyAdmin searches. I block the entire /16.
You could use mod_sec rules to block them also.
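Matching the probe string in the access log and grouping the sources by network, as the fail2ban and /16 suggestions above imply, can be tried offline before any ban is configured. This is an added example, not code from any poster in the thread; the log lines are constructed (documentation address ranges) and the names `probe_sources` and `summarize` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Apache common/combined log: client address first, request line in the first quoted field.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')
SIGNATURE = "w00tw00t.at"  # substring of the probe path quoted in the thread

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2012:13:55:36 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 290
198.51.100.99 - - [10/Oct/2012:13:55:40 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 290
203.0.113.20 - - [10/Oct/2012:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 301
192.0.2.15 - - [10/Oct/2012:14:02:11 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 290
198.51.100.7 - - [10/Oct/2012:14:05:00 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 290
garbage line that is not an access-log record
"""


def probe_sources(lines):
    """Yield the client address of every request whose request line carries the signature."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or SIGNATURE not in m.group("request").lower():
            continue
        try:
            yield ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field is a hostname or malformed


def summarize(log_text, prefix=16):
    """Map each enclosing IPv4 network to (probe count, sorted unique source addresses)."""
    grouped = defaultdict(list)
    for ip in probe_sources(log_text.splitlines()):
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            grouped[str(net)].append(ip)
    return {net: (len(ips), [str(ip) for ip in sorted(set(ips))])
            for net, ips in grouped.items()}


if __name__ == "__main__":
    for net, (count, sources) in summarize(SAMPLE_LOG).items():
        print(f"{net}: {count} probe(s) from {', '.join(sources)}")
```

A /16 covers 65,536 addresses, so the per-network source list is worth reading before turning a group into a block rule.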
Dear users,
W00Tw00t seems to be a user or so who mostly hacks old ZPanel versions. My home server has been hacked too. In that way, he got root access and put up a fake Apple site. Here's some nice information about our lovely user.
$from_name = 'iTunes';
$from_email = '[email protected]';
$to_email = '[email protected]';
$subject = 'iTunes offer';
$url_redirect = 'https://store.apple.com/fr/';
And a really nice IP-address:
41.250.243.198
It seems the user found my server on LET. So you should be warned.
I also have those... about 2 months ago, but I reinstalled my server and the log never appeared until now.
Hey, it is a remote scanner, right? I wonder why it is gone after I reinstalled my server?
Yes, it's gone. However, the hacker installed a backdoor at mine, where he kept uploading the phishing websites. I found his name and last name, his IP and where he lives.