Am I being hacked?

To follow up on the answer given by @user823629, here is a default virtual host configuration I use on Apache 2.4:

<VirtualHost *:80>
    # Default vhost for requests not matching IP or Host of other vhosts
    ServerName blackhole
    ErrorLog logs/error_log_default
    CustomLog logs/access_log_default combined

    Redirect 404 /
</VirtualHost>

<VirtualHost *:443>
    # Default vhost for requests not matching IP or Host of other vhosts
    ServerName blackhole

    ErrorLog logs/ssl_error_log_default
    CustomLog logs/ssl_access_log_default combined
    CustomLog logs/ssl_request_log_default   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    Redirect 404 /
</VirtualHost>

It redirects all requests to the default 404 page. SSL requests that do not match any other site will end up at the second VirtualHost definition, and will of course result in a certificate error, but this is expected and fine.

I put this in conf.d and give it a name of conf.d/0_default.conf so that it comes before other vhost definitions and it is the default virtual host. This can be verified via:

apachectl -t -D DUMP_VHOSTS

or on Redhat/Fedora/CentOS distros:

httpd -t -D DUMP_VHOSTS

Other virtual hosts will match before this default vhost if:

  1. Their IP address and port matches the VirtualHost definition more explicitly (IP-based virtual host), or
  2. The request contains a Host header that matches the request (name-based virtual host). Otherwise, the request will fall back to the default blackhole virtual host defined above.

Be careful with VirtualHost definitions with IP addresses specified. Since these match before the blackhole, the wrong configuration can become the default for that IP. List the specific IPs in the blackhole if necessary.

See http://httpd.apache.org/docs/current/vhosts/details.html for more details on virtual host matching.
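As an added illustration (not code from the answer above or from the Apache project), here is a small Python model of the matching rules the answer and the linked vhosts/details.html page describe: vhosts bound to the exact destination IP are considered first, otherwise the `*` wildcard set; within that set the Host header is compared against ServerName/ServerAlias in configuration order, and if nothing matches the first vhost listed for that address is served. The configuration tuple, addresses and hostnames are constructed for the example; it shows both why a blackhole vhost listed first in `0_default.conf` catches unmatched requests and why a vhost bound to a specific IP silently becomes the default for that IP, as the caveat above warns.

```python
# Added example: simplified model of Apache 2.4 <VirtualHost> selection.
# Not Apache code; follows the rules in httpd.apache.org/docs/current/vhosts/details.html.
import fnmatch
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class VHost:
    label: str                  # readable name for results only
    address: str                # "*" or the IP literal from <VirtualHost addr:port>
    port: int
    server_name: str            # ServerName
    server_aliases: tuple = ()  # ServerAlias entries; simple "*" wildcards allowed


def _host_matches(vh: VHost, host_header: Optional[str]) -> bool:
    """Name-based match of the Host header against ServerName and ServerAlias.

    The ":port" suffix a client may send is stripped (IPv4 / hostnames only here).
    """
    if not host_header:
        return False
    host = host_header.lower().rsplit(":", 1)[0]
    if host == vh.server_name.lower():
        return True
    return any(fnmatch.fnmatch(host, alias.lower()) for alias in vh.server_aliases)


def select_vhost(vhosts: Sequence[VHost], dest_ip: str, port: int,
                 host_header: Optional[str]) -> Optional[VHost]:
    """Return the vhost Apache would serve, or None if nothing listens on that port."""
    # 1. Address match: vhosts bound to the exact destination IP win over "*".
    #    Wildcard vhosts (including a "*"-bound blackhole) are only consulted
    #    when no IP-specific vhost matches the destination address.
    exact = [v for v in vhosts if v.port == port and v.address == dest_ip]
    wild = [v for v in vhosts if v.port == port and v.address == "*"]
    candidates = exact or wild
    if not candidates:
        return None
    # 2. Name match within that set, in configuration (file) order.
    for v in candidates:
        if _host_matches(v, host_header):
            return v
    # 3. No Host match (missing, bogus, or bare-IP Host): first listed vhost wins.
    return candidates[0]


# Constructed configuration in file order: 0_default.conf first, then the sites.
EXAMPLE_CONFIG = (
    VHost("blackhole", "*", 80, "blackhole"),
    VHost("www", "*", 80, "www.example.com", ("example.com",)),
    VHost("intranet", "203.0.113.10", 80, "intranet.example.com"),
)


def demo() -> dict:
    """Which vhost answers a few constructed requests against EXAMPLE_CONFIG."""
    cases = {
        "proper Host":            ("203.0.113.5", 80, "www.example.com"),
        "Host with port":         ("203.0.113.5", 80, "example.com:80"),
        "no Host (scanner)":      ("203.0.113.5", 80, None),
        "bare IP as Host":        ("203.0.113.5", 80, "203.0.113.5"),
        "IP-bound vhost address": ("203.0.113.10", 80, "www.example.com"),
    }
    result = {}
    for name, (ip, port, host) in cases.items():
        vh = select_vhost(EXAMPLE_CONFIG, ip, port, host)
        result[name] = vh.label if vh else None
    return result


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:24s} -> {label}")
```

Note the last case: a request to 203.0.113.10 for `www.example.com` lands on the intranet vhost, not on `www` and not on the blackhole, because the IP-specific set excludes every `*`-bound vhost. If that IP needs a blackhole, list it explicitly in the default vhost's address, as the answer suggests.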


Requests for this are usually sent without a server header. Just create a default virtual host for requests that don't have a server header you expect and blackhole it. Also fun to log broken traffic and do reverse DNS to see if it's coming from another webserver (compromised?) and contact the owner based on whois database. You never know who's running silly scripts from a publicly identifiable server to scan for vulnerabilities and later exploit them over ToR tunnel. Use burner contact information if you don't want to bring attention to yourself.


This is just an automatic script deployed by many Script Kiddies looking for a security breach in your apache version/configuration. The signature w00tw00t is usually left by DFind.

Just use a program like fail2ban, configured as this example explains, to avoid being flooded by these requests:

https://web.archive.org/web/20160617020600/http://www.userdel.com/post/18618537324/block-w00tw00t-scans-with-fail2ban

This does not necessarily mean you've been hacked, but the server has been scanned for vulnerabilities. However, if you use any of the software that you saw in those logs and it is an older version having known vulnerabilities, you should check your server for unusual files and login activities.
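The two previous answers suggest logging the unmatched traffic and looking up where it comes from, and filtering the w00tw00t scans with fail2ban. As an added example (not from either answer, and not fail2ban's own filter), the following Python reads Apache "combined" access log lines such as those written by the blackhole vhost, counts requests carrying the DFind `w00tw00t` marker per source address, reports sources over a threshold, and optionally annotates them with a reverse DNS name. The log lines, addresses and hostnames are constructed; the `_example_resolver` stands in for `socket.gethostbyaddr` so the block runs offline.

```python
# Added example: fail2ban-style scan detection over Apache combined access logs.
import re
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

# Apache "combined" LogFormat; referer and user-agent are optional so that
# plain "common" format lines parse as well.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# "w00tw00t" is the DFind scanner signature named in the answer above.
SCAN_MARKERS = ("w00tw00t",)

# Constructed sample of an access_log_default from a blackhole vhost.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
this line is not a valid log entry
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_scan(entry: dict) -> bool:
    """True when the request line carries one of the known scanner markers."""
    request = entry["request"].lower()
    return any(marker in request for marker in SCAN_MARKERS)


def scanning_sources(lines: Iterable[str], threshold: int = 2) -> Dict[str, int]:
    """Count marker hits per source IP and return those at or above threshold.

    Malformed lines are skipped rather than aborting the run, since a
    blackhole log is exactly where garbage requests end up.
    """
    hits: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_scan(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def annotate(ips: Iterable[str],
             resolver: Callable[[str], tuple] = socket.gethostbyaddr
             ) -> Dict[str, Optional[str]]:
    """Map each IP to its reverse DNS name (None when there is no PTR record)."""
    names: Dict[str, Optional[str]] = {}
    for ip in ips:
        try:
            names[ip] = resolver(ip)[0]
        except OSError:  # socket.herror / gaierror are OSError subclasses
            names[ip] = None
    return names


def _example_resolver(ip: str) -> tuple:
    """Constructed stand-in for socket.gethostbyaddr so the example runs offline."""
    if ip == "198.51.100.23":
        return ("scanner.example.net", [], [ip])
    raise socket.herror(1, "Unknown host")


def demo() -> Dict[str, Optional[str]]:
    """Sources over threshold in SAMPLE_LOG, with their (constructed) PTR names."""
    return annotate(scanning_sources(SAMPLE_LOG.splitlines()), _example_resolver)


if __name__ == "__main__":
    for ip, name in demo().items():
        print(f"{ip} -> {name or 'no PTR record'}")
```

With the default resolver, `annotate` performs real reverse lookups; the threshold keeps a single stray hit from being reported, which matches how a fail2ban jail's `maxretry` limits false positives.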
