DFind is a vulnerability scanner, and a real pain in the *** one, as it pollutes your Apache log with lines such as this:
184.108.40.206 - - [16/Oct/2008:18:12:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400
How to get rid of this junk ?
The Apache return code is 400, which means the request syntax is invalid. Looking in the error log we see this:
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)
Since Apache rejects the request as malformed before it reaches the rewrite or mod_security rules, trying to block it there is useless.
The best solution is to drop it before it reaches the HTTP server, using iptables, like this (replace <server_ip> with the address of your web server):
iptables -I INPUT -d <server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
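To see how much of that noise a server is actually getting, here is a small detector, added as an example and not part of the original post, that parses common-format Apache access log lines, counts DFind probes per source address using the same request prefix the iptables rule matches on, and separately lists the 400 responses that are not DFind (status 400 alone is too broad a signature). The log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not from the original post).
SAMPLE_LOG = """\
184.108.40.206 - - [16/Oct/2008:18:12:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301
203.0.113.7 - - [16/Oct/2008:18:12:35 +0200] "GET /index.html HTTP/1.1" 200 5120
184.108.40.206 - - [16/Oct/2008:18:12:36 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301
198.51.100.9 - - [16/Oct/2008:18:13:01 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301
203.0.113.7 - - [16/Oct/2008:18:13:02 +0200] "GET /%zz HTTP/1.1" 400 226
"""

# Common log format: ip ident user [timestamp] "request line" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Same prefix the iptables rule in the post matches on, minus the "GET " verb.
DFIND_PREFIX = "/w00tw00t.at.ISC.SANS."


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def dfind_hits(log_text):
    """Count DFind probes per source IP, matching on the request path, not the status."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"].startswith(DFIND_PREFIX):
            hits[rec["ip"]] += 1
    return dict(hits)


def other_400s(log_text):
    """Return (ip, path) for 400 responses that are NOT DFind probes."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "400" and not rec["path"].startswith(DFIND_PREFIX):
            out.append((rec["ip"], rec["path"]))
    return out


if __name__ == "__main__":
    for ip, n in sorted(dfind_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} DFind probe(s)")
    print("non-DFind 400s:", other_400s(SAMPLE_LOG))
```

Feed it a real access log with `dfind_hits(open("/var/log/apache2/access.log").read())` to confirm the probes have stopped appearing once the iptables rule is in place.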
It is very easy under GNU/Linux to restore a system from a full rsync backup. Just follow this procedure:
- Boot on a liveCD
- If the hard drive was replaced, partition the new one using parted
- Create a temporary directory and mount the root partition of your HDD inside (/dev/sdb1 in this example):
mount -t ext3 /dev/sdb1 /mnt/root_hdd
- Restore data from your backup:
rsync -av --numeric-ids --delete --exclude='/proc' --exclude='/sys' /media/<mybackup>/ /mnt/root_hdd/
Data on the root partition will be overwritten, and files that are not in the backup deleted.
Now, if the disk was changed, we also need to take care of the boot loader:
mount --bind /proc /mnt/root_hdd/proc
mount --bind /dev /mnt/root_hdd/dev
mount --bind /sys /mnt/root_hdd/sys
That’s all, reboot and enjoy.