has my server been hacked w00tw00t.at.ISC.SANS.DFind

The DFind scan is just that, a scan, and doesn't indicate a breach; you'll see it all the time if you're watching. See here.

That's a graceful MySQL shutdown, which may warrant further investigation, but isn't terribly suspicious on its own.


Those two entries in the access log are nothing to worry about.

The first one is perfectly fine (someone at 208.90.56.152 asked for your website root and got it), and the second one looks like someone at 69.162.74.102 tried to access a file called w00tw00t.at.ISC.SANS.DFind:) on your site... and of course didn't find it.

People (or bots) may ask your web server for the weirdest things; this doesn't matter. What matters is that they don't find them :-)


A record of GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 in your Raw Access logs indicates that someone is running a vulnerability scanner that has this fingerprint.

By itself, this entry does not mean that you have been hacked. It only means that someone has been scanning your server for potential vulnerabilities using a web vulnerability scanner. These entries can be followed by other brute-force entries (the actual hack attempts).

This entry should send you a message. Keep your code clean! Most web sites are attacked in one way or another almost every day. Your best defense is to learn what you can do to keep your files, directories, and scripts safe from hackers. Be sure you have your file and directory permissions set properly. Even more importantly, only use safe scripts that have a good reputation for security on the Internet, and be sure that you always check the parent sites for your scripts at least once a month for updates and bug fixes.
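Checking an access log for this fingerprint, as an added example that is not from any of the answers above: it parses Apache-style request lines (the log layout is assumed), tallies DFind probes per source address, keeps what that address asked for afterwards, and flags probes that were answered with anything other than 404. The sample lines are constructed, reusing the two addresses quoted in the answers plus a TEST-NET address.

```python
import re
from collections import Counter

# Fingerprint the DFind scanner leaves in access logs (quoted from the question).
DFIND_MARK = "w00tw00t.at.ISC.SANS.DFind:)"

# Assumed Apache common/combined request-line layout; adjust if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(lines):
    """Walk the log in order. For each IP that sent the DFind probe, count the
    probes, record the status codes returned, and keep the paths it asked for next."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a request line we understand; skip rather than crash
        ip = rec["ip"]
        if DFIND_MARK in rec["path"]:
            entry = hits.setdefault(ip, {"probes": 0, "statuses": Counter(), "followups": []})
            entry["probes"] += 1
            entry["statuses"][rec["status"]] += 1
        elif ip in hits:
            hits[ip]["followups"].append(rec["path"])
    return hits

def unexpected_responses(hits):
    """A DFind probe should get a 404; anything else (catch-all rewrite, front page
    served for every path) means the server answered a request it should not have."""
    return {ip: dict(e["statuses"]) for ip, e in hits.items()
            if any(code != "404" for code in e["statuses"])}

# Constructed sample lines: the two IPs from the question plus 198.51.100.7 (TEST-NET-2).
SAMPLE_LOG = [
    '208.90.56.152 - - [10/Oct/2012:13:55:36 -0700] "GET / HTTP/1.1" 200 2326',
    '69.162.74.102 - - [10/Oct/2012:13:55:38 -0700] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 290',
    '69.162.74.102 - - [10/Oct/2012:13:55:39 -0700] "GET /login.php HTTP/1.1" 404 290',
    '198.51.100.7 - - [10/Oct/2012:14:02:01 -0700] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, e in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {e['probes']} probe(s), statuses {dict(e['statuses'])}, then {e['followups']}")
    print("non-404 answers:", unexpected_responses(scan_log(SAMPLE_LOG)))
```

Only the address that sent the probe is tracked, so the plain request for `/` from 208.90.56.152 is ignored, as the second answer says it should be.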
