Server Intrusion Detection: Analyzing w00tw00t.at.ISC.SANS.DFind in Apache Logs and MySQL Shutdown Patterns

When you see entries like the following in your Apache logs, it's time for serious concern:

69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"

This signature is associated with:

  • Known vulnerability scanners (like DFind)
  • Botnet reconnaissance activities
  • Automated exploit attempts

The MySQL shutdown log you found:

110616 17:34:20 [Note] /usr/libexec/mysqld: Normal shutdown
110616 17:34:20 InnoDB: Starting shutdown...
110616 17:34:21 InnoDB: Shutdown completed; log sequence number 0 2054508
110616 17:34:21 [Note] /usr/libexec/mysqld: Shutdown complete
110616 17:34:21 mysqld ended

Key investigation points:

  1. Check /var/log/secure for authentication attempts around the shutdown time
  2. Check whether the shutdown was initiated by an administrator: sudo grep -i "shutdown" /var/log/messages*
  3. Check for suspicious cron jobs with crontab -l and ls /etc/cron.*

# Check for rootkits
rkhunter --check --sk

# List setuid/setgid files (compare against a known-good baseline)
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;

# Check listening services and their owning processes
netstat -tulnp

# Verify MySQL user accounts and the privileges of the current account
mysql -e "SELECT User, Host FROM mysql.user; SHOW GRANTS FOR CURRENT_USER();"

Use parameterized queries in the PHP application so that user input is passed as data rather than spliced into the SQL string (PDO example):

// $pdo is an existing PDO connection; $email and $active come from user input
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email AND status = :status");
$stmt->execute([
    'email' => $email,
    'status' => $active
]);
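To show what the parameterized form above buys you, here is an added example (not from the original page) in Python with an in-memory SQLite table, which plays the role of the PDO prepare/execute pair. The table, the rows and the e-mail address containing an apostrophe are constructed for the demonstration. The concatenated query breaks on ordinary input that happens to contain a quote, which is the same mechanism an injection exploits; the parameterized query treats the value purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample table; not data from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, status) VALUES (?, ?)",
        [
            ("alice@example.com", "active"),
            ("o'hara@example.com", "active"),   # legitimate address with a quote
            ("mallory@example.com", "disabled"),
        ],
    )
    return conn


def find_user_concat(conn, email, status):
    """The pattern to avoid: user input spliced into the SQL text.
    A quote in the input changes the structure of the statement."""
    sql = (
        "SELECT id, email FROM users WHERE email = '%s' AND status = '%s'"
        % (email, status)
    )
    return conn.execute(sql).fetchall()


def find_user_param(conn, email, status):
    """Parameterized equivalent of the page's PDO example: placeholders in the
    statement, values supplied separately, so the database never parses the
    input as SQL."""
    sql = "SELECT id, email FROM users WHERE email = ? AND status = ?"
    return conn.execute(sql, (email, status)).fetchall()


def demo(email="o'hara@example.com", status="active"):
    """Run both variants on the same input and report what happened."""
    conn = make_db()
    result = {"param_rows": find_user_param(conn, email, status)}
    try:
        result["concat_rows"] = find_user_concat(conn, email, status)
        result["concat_error"] = None
    except sqlite3.Error as exc:
        # The stray quote turns the statement into invalid SQL.
        result["concat_rows"] = None
        result["concat_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The parameterized lookup returns the O'Hara row; the concatenated one fails with a syntax error on the very same input. In the PHP code above, PDO's named placeholders give you the second behaviour.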

Create this simple Python monitoring script (it tails each log file from where it left off, so a modification event only scans the newly appended lines):

import re
import pyinotify

SIGNATURE = re.compile(r'w00tw00t|DFind|ISC\.SANS')

def send_alert(line):
    print('ALERT: ' + line.rstrip())  # replace with mail, Slack or syslog delivery

class EventHandler(pyinotify.ProcessEvent):
    def my_init(self, **kwargs):
        self.offsets = {}  # last read position per file, so only new lines are scanned

    def process_IN_MODIFY(self, event):
        path = event.pathname
        with open(path) as f:
            f.seek(0, 2)
            pos = self.offsets.get(path, 0)
            f.seek(pos if pos <= f.tell() else 0)  # truncated/rotated: start over
            while True:
                line = f.readline()
                if not line:
                    break
                if SIGNATURE.search(line):
                    send_alert(line)
            self.offsets[path] = f.tell()

wm = pyinotify.WatchManager()
notifier = pyinotify.Notifier(wm, EventHandler())
wm.add_watch('/var/log/apache2/', pyinotify.IN_MODIFY)
notifier.loop()

The log entry "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 is a clear indicator of a scanning attempt by automated vulnerability scanners (often associated with DDoS botnets). The string "w00tw00t" is a known signature of the infamous DFind scanner.

# Typical pattern in access logs
69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"

Immediate response steps:

  1. Isolate the server if production traffic can be redirected
  2. Check running processes: ps auxf
  3. Verify crontab: crontab -l and ls -la /etc/cron*
  4. Check MySQL users:

SELECT User, Host FROM mysql.user;
SHOW GRANTS FOR 'suspicious_user'@'%';

1. Timeline reconstruction:

# Find all files modified in the attack window on 16 Jun 2011 (16:25 scan through the 17:34 shutdown)
find / -type f -newermt "2011-06-16 16:00:00" ! -newermt "2011-06-16 18:00:00" -ls

2. Network connection verification:

# Connections involving the scanning hosts (dots escaped so they match literally)
netstat -tulpan | grep -E '69\.162\.74\.102|208\.90\.56\.152'
ss -antp | grep -i established

The MySQL shutdown at 17:34 could be any of the following:

  • Legitimate maintenance (unlikely given timing)
  • Attacker clearing traces of SQL injection
  • Crash from resource exhaustion during attack

# Check for suspicious MySQL queries (requires the general query log to be enabled)
grep -i -E 'union|select.+from|load_file' /var/log/mysql.log
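The two questions the sections above raise, whether a request carries the w00tw00t/DFind signature and how the scanner hit lines up in time with the MySQL shutdown, can be answered from the logs themselves. The following Python script is an added example and not code from the original page: it parses Apache combined-format lines and old-style mysqld log lines, flags scanner signatures, distinguishes a requested ("Normal shutdown") stop from a bare "mysqld ended" that would also follow a crash, and pairs each scanner hit with shutdown events that follow it within a window. The sample input is the two log excerpts quoted on the page plus one constructed benign request; the mysqld log carries no time zone, so UTC is assumed to match the +0000 in the Apache entry.

```python
import re
from datetime import datetime, timedelta, timezone

# Request-path signatures of the DFind / w00tw00t scanner family.
SCANNER_RE = re.compile(r"w00tw00t|DFind|ISC\.SANS", re.IGNORECASE)

# Apache combined log: ip ident user [ts] "request" status bytes "referer" "agent"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Old-style mysqld log: YYMMDD HH:MM:SS <message> (no zone information)
MYSQL_RE = re.compile(r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
MYSQL_TS = "%y%m%d %H:%M:%S"


def parse_apache(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), APACHE_TS),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "scanner": bool(SCANNER_RE.search(m.group("req"))),
    }


def scanner_hits(lines):
    """Return the parsed entries whose request line carries a scanner signature."""
    return [e for e in map(parse_apache, lines) if e and e["scanner"]]


def mysql_shutdown_events(lines, tz=timezone.utc):
    """Return (timestamp, kind) pairs from a mysqld log: 'normal' for a
    'Normal shutdown' note (written only when mysqld was asked to stop, e.g.
    mysqladmin shutdown or SIGTERM) and 'ended' for the mysqld_safe line
    'mysqld ended', which also appears after a crash. tz is the server zone
    (UTC assumed here)."""
    events = []
    for line in lines:
        m = MYSQL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), MYSQL_TS).replace(tzinfo=tz)
        msg = m.group("msg")
        if "Normal shutdown" in msg:
            events.append((ts, "normal"))
        elif msg.strip() == "mysqld ended":
            events.append((ts, "ended"))
    return events


def classify_shutdown(events):
    """'normal' if a shutdown request was logged, 'abnormal' if mysqld ended
    without one (crash or kill -9), None if no shutdown is recorded."""
    kinds = {kind for _, kind in events}
    if "normal" in kinds:
        return "normal"
    if "ended" in kinds:
        return "abnormal"
    return None


def correlate(hits, events, window=timedelta(hours=2)):
    """Pair each scanner hit with shutdown events following it within window.
    Returns (ip, hit_ts, event_ts, seconds_between) tuples."""
    out = []
    for h in hits:
        for ts, _kind in events:
            delta = ts - h["ts"]
            if timedelta(0) <= delta <= window:
                out.append((h["ip"], h["ts"], ts, int(delta.total_seconds())))
    return out


# Sample input: the excerpts quoted on the page plus one constructed benign line.
APACHE_SAMPLE = [
    '69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"',
    '198.51.100.7 - - [16/Jun/2011:16:26:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]
MYSQL_SAMPLE = [
    "110616 17:34:20 [Note] /usr/libexec/mysqld: Normal shutdown",
    "110616 17:34:20 InnoDB: Starting shutdown...",
    "110616 17:34:21 InnoDB: Shutdown completed; log sequence number 0 2054508",
    "110616 17:34:21 [Note] /usr/libexec/mysqld: Shutdown complete",
    "110616 17:34:21 mysqld ended",
]

if __name__ == "__main__":
    hits = scanner_hits(APACHE_SAMPLE)
    events = mysql_shutdown_events(MYSQL_SAMPLE)
    print("shutdown type:", classify_shutdown(events))
    for ip, hit_ts, ev_ts, secs in correlate(hits, events):
        print(f"{ip} scanned at {hit_ts:%H:%M:%S}; mysqld event at {ev_ts:%H:%M:%S} ({secs}s later)")
```

On the page's data the scan precedes the "Normal shutdown" note by 4160 seconds, and the presence of that note tells you the stop was requested rather than a crash, which narrows the three hypotheses above to maintenance or a deliberate stop by whoever held the credentials; a real investigation would then run this over the full day's logs rather than the quoted excerpt.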

Apache:

<LocationMatch "^/(w00tw00t|phpmyadmin|\.git)">
    Require all denied
</LocationMatch>

MySQL:

# In my.cnf
[mysqld]
local-infile=0
skip_symbolic_links=1

Create a real-time alert for suspicious patterns (grep -i so that case variations of the payloads are still caught; read -r so that backslashes in the request line are logged verbatim):

#!/bin/bash
tail -F /var/log/apache2/access.log | grep --line-buffered -i \
  -e 'w00tw00t' \
  -e 'UNION SELECT' \
  -e '/etc/passwd' | while IFS= read -r line
do
  echo "$(date) - Possible intrusion: $line" >> /var/log/security_alerts.log
  # Optional: send an email/Slack alert here
done