DFind is a vulnerability scanner, and a real pain in the *** one, as it pollutes your Apache access log with lines such as this:
84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400
How to get rid of this junk?
The Apache return code is 400, which means the request syntax is invalid. Looking in the error log we see this:
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)
As the request is invalid, it’s useless to try to block it with a rewrite rule or a mod_security pattern.
The best solution is to block it before it reaches the HTTP server, using iptables, like this:
iptables -I INPUT -d <server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
(Replace <server_ip> with the address Apache listens on, or drop the -d option to match all local addresses. The long options --dport, --to, --algo and --string need two dashes.)
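As an added example (not part of the original post), here is a small POSIX shell script that wraps the procedure above: it counts DFind probes in an access log, lists the source addresses that sent them, builds the iptables string-match rule, and applies it only when an identical rule is not already in the INPUT chain. The sample log lines are constructed for the demo. The function names (dfind_count, dfind_sources, dfind_rule, dfind_apply) are my own. One assumption worth knowing about: the --to offset of the string match is counted from the start of the IP header, so when the TCP header carries options the 26-byte pattern can end past byte 70; the script therefore defaults to a wider window of 128 and lets you pass 70 to reproduce the original rule exactly.

```shell
#!/bin/sh
# Added example: helpers around the DFind blocking procedure.
# Nothing here touches iptables until dfind_apply is called explicitly.

DFIND_PATTERN='GET /w00tw00t.at.ISC.SANS.'

# Constructed sample of an Apache access log (not real traffic).
SAMPLE_LOG='84.145.78.74 - - [16/Oct/2008:18:12:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 -
10.0.0.1 - - [16/Oct/2008:18:13:00 +0200] "GET /index.html HTTP/1.1" 200 512
192.0.2.7 - - [16/Oct/2008:18:14:10 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 -
84.145.78.74 - - [16/Oct/2008:18:15:02 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 -'

# Count access-log lines (read from stdin) that carry the DFind probe.
# grep -c exits 1 when nothing matches; "|| true" keeps set -e callers alive.
dfind_count() {
    n=$(grep -cF "$DFIND_PATTERN" || true)
    printf '%s\n' "$n"
}

# Print the distinct source addresses that sent the probe, one per line.
# Useful for reporting even after the packets are dropped at the firewall.
dfind_sources() {
    awk -v pat="$DFIND_PATTERN" 'index($0, pat) { print $1 }' | sort -u
}

# Print the iptables command. $1 = HTTP port (default 80),
# $2 = scan window end offset in bytes from the IP header (default 128;
# pass 70 to get the rule exactly as on the original page).
dfind_rule() {
    port="${1:-80}"
    to="${2:-128}"
    printf "iptables -I INPUT -p tcp --dport %s -m string --to %s --algo bm --string '%s' -j DROP\n" \
        "$port" "$to" "$DFIND_PATTERN"
}

# Insert the rule only if it is not already present. "iptables -C" returns 0
# when an identical rule exists, so re-running the script never stacks
# duplicate rules. Requires root and the xt_string kernel module.
dfind_apply() {
    port="${1:-80}"
    to="${2:-128}"
    if iptables -C INPUT -p tcp --dport "$port" -m string --to "$to" \
            --algo bm --string "$DFIND_PATTERN" -j DROP 2>/dev/null; then
        echo "rule already present"
    else
        iptables -I INPUT -p tcp --dport "$port" -m string --to "$to" \
            --algo bm --string "$DFIND_PATTERN" -j DROP
    fi
}

# Demo on the constructed sample: report and show the rule (no firewall change).
printf '%s\n' "$SAMPLE_LOG" | dfind_count
printf '%s\n' "$SAMPLE_LOG" | dfind_sources
dfind_rule 80 70
# To actually block the probe, run as root:  dfind_apply 80
```

Run it as a normal user to see the counts and the generated rule; only dfind_apply needs root. Because the match is done per packet on port 80, keep the scan window small rather than omitting --to entirely, which would scan every byte of every request.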