Using DFind.exe and Blocking w00tw00t.at.ISC.SANS.DFind

Chances are you've seen something like this in your access/error_logs:

[Tue Jul 13 12:13:54 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Jul 13 12:16:45 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 00:26:44 2010] [error] [client 62.103.39.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:27:20 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:30:11 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

You can start breathing again: it's just the signature of a slightly outdated vulnerability scanner for Windows-based script kiddies. I couldn't find anything particularly useful on it with Google, so this article will show you not only how to block the sources of the scans (they could be zombies equipped with other tools, after all) but also how to use the tool itself.

You can either download DFind from its project homepage (requires an account) or grab it from http://foxpa.ws/dist/DFind_1.0.9.rar and extract it somewhere on a Windows box, preferably a throwaway VM. Your antivirus will probably have a fit, since the binary is a common component of bundled malware; just make it shut up for a bit.

It doesn't come with much in the way of documentation, just a revision.txt file:

Usage:

DFind is a free command line scanner used to be small, fast, introducing a large number of command lines, helping anyone to identify in one line the kiddie's doors.

Revision:

---x32.1.0.9---
+PestPatrol detects the last MD5 hash of DFind, quick binary update to bypass
+WEBDAV status scanner on IIS/5.0 added.
+Back to VC6 and old mfc, much smaller and stable
+Symantec detected signature gone; "\x20\x20VULNE" is enough for them to classify it as 'HackTool.DFind', this is updated to "\x20\x20VULN...", keep it up sym ;>
+"DFind -update" added to check like a lazy for new updates, this will calculate and compare the md5hash of the file you are using with the one I publish on the website.
---x32.1.0.8---
+No more using MFC libraries, too recent, too buggy...
+'HackTool.DFind' on Symantec 10.0.1.1000 gone
+New compilation moved under Visual Studio 2005 and Platform SDK.
+x64.1.0.8 compilation available to the website (for the new 64-bit systems).
---------------

http://getdfind.class101.org (32-bit)
http://getdfind32.class101.org (32-bit)
http://getdfind64.class101.org (64-bit)

Note:

The author of this tool isn't responsible for the bad use of it, just try it on (and secure..) your network before the attacker does.

A.D

Pop open a command line and give it a whirl; you'll get a help menu similar to this:

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind.exe

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 MAIN MENU
 =============================================================

[+] Usage: DFind <option> <syntax>
[+] <option>:
 _______________________________________________________
 |___-p___|___+p___|___-pu__|__-ban__|__-web__|__-dde__|
 |__-wdv__|
 _______________________________________________________
 |__-rad__|__-wns__|_-http__|_-sock__|__-ipc__|__-nbn__|
 |__-vnc__|
 _____________
 |__-update__|

[+] Type DFind <option> to look the <syntax>
[+] Number of possibles <syntax>: 973

Here's the help listing for each flag:

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -p

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 TCP port scanner
 =============================================================

[+]  . DFind -p 80 192.168.0.1  [-v]
[+]  . DFind -p 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -p 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -p 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -p 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -p 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind +p

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 PING port scanner
 =============================================================

[+]  . DFind +p 80 192.168.0.1  [-v]
[+]  . DFind +p 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind +p 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind +p 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind +p 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind +p 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -pu

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 UDP port scanner
 =============================================================

[+]  . DFind -pu 80 192.168.0.1  [-v]
[+]  . DFind -pu 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -pu 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -pu 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -pu 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -pu 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -ban

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 BANNER port scanner
 =============================================================

[+] . DFind -ban 80 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -ban 80 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 80 150 192.168.0.1  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 1,.,10 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -ban 1,.,10 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]

 [-spy "text"] == case sensitive

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -web

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 WEBSERVER BANNER port scanner
 =============================================================

[+] . DFind -web 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 80 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 150 192.168.0.1  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 1,.,10 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 1,.,10 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]

 [-spy "text"] == case sensitive

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -dde

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETDDE port scanner
 -----------------------
 ripped from HOD exploit with a recoded nbname checking
 =============================================================

[+]  . DFind -dde 192.168.0.1  [-v]
[+]  . DFind -dde 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -rad

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Famatech LLC RAdmin 2.1 vulnerability scanner
 =============================================================

[+]  . DFind -rad 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 80 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 150 192.168.0.1  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 1,2,..,9,10 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -nns

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==

[+] wrong command line, type DFind to view the main menu

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -wns

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft WINS MS04-045 vulnerability and os/sp scanner
 =============================================================

[+]  . DFind -wns 192.168.0.1  [-v|-vv]
[+]  . DFind -wns 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -http

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Anonymous/Transparent/High-Anon HTTP proxy scanner
 =============================================================

[+]  . DFind -http 192.168.0.1  [-v]
[+]  . DFind -http 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 80 192.168.0.1  [-v]
[+]  . DFind -http 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -http 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -http 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -sock

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Anonymous SOCKS5 proxy scanner
 =============================================================

[+]  . DFind -sock 192.168.0.1  [-v]
[+]  . DFind -sock 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 80 192.168.0.1  [-v]
[+]  . DFind -sock 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -sock 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -sock 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -ipc

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETBIOS NULL SESSION port scanner
 =============================================================

[+]  . DFind -ipc 192.168.0.1  [-v]
[+]  . DFind -ipc 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -nbn

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETBIOS NAME port scanner
 -----------------------------
 ripped from HOD exploit with a recoded nbname checking
 =============================================================

[+]  . DFind -nbn 192.168.0.1  [-v]
[+]  . DFind -nbn 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -vnc

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 VNC4 systems vulnerability scanner
 =============================================================

[+]  . DFind -vnc 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 80 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 150 192.168.0.1  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 1,2,..,9,10 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -update

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 DFind updates checker
 =============================================================

[+] -----Calculating the MD5 hash (actual binary:32-bit)-----
[+] "dfind.exe" => 3188826a5c39dd49d0ef3ce3d7bea1c2
[+] -----Retrieving the MD5 hash (official binary:32-bit)-----
[+] "official md5" => 3188826a5c39dd49d0ef3ce3d7bea1c2
[+]
[+] Your version is up to date, no updates required

As you can see it sports an automatic update feature and its small size makes it perfect for bundling in a trojan payload. If you guessed the -web flag was responsible for the log entries you win a gold star:

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind.exe -web xxx.xxx.xxx.xxx

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 WEBSERVER BANNER port scanner
 =============================================================

[+] status..: 100% thread(s):0
[+] results.: 1 / 5 PORT(s) / 1 IP(s) (open:1)

It showed up like this in my error_log:

[Wed Jul 14 15:56:55 2010] [error] [client yyy.yyy.yyy.yyy] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

This error is Apache rejecting the request with 400 Bad Request: the request is labelled HTTP/1.1 but carries no Host header, which RFC 2616 makes mandatory in HTTP/1.1 (HTTP/1.0 has no such requirement). That raises the question of whether the missing header is just sloppy programming or an intended signature. Either way we can take advantage of it to block hosts using the -web flag. BobA on the hostgator forums suggests blocking these requests with some mod_rewrite rules:

RewriteEngine on
# Block undesired user-agents
RewriteCond %{HTTP_USER_AGENT} ^w00tw00t.at.ISC.SANS.DFind
RewriteRule ^.*$ http://www.thenameofmydomain.com/403.html [L]

That doesn't really do us any good, for two reasons. First, the rule can never fire: the w00tw00t string is in the request line (the URI), not in the User-Agent header that the RewriteCond tests, and Apache has already answered 400 and finished with the request for the missing Host header before mod_rewrite gets to run. Second, even a rule that matched would only swap a 400 for a 403: a port scan still shows an exposed web server, which is about all the output you get from the -web flag anyway. Chances are good that if you're being scanned by this thing it's not the only tool in the zombie's box either. We need something that will IP-block the bugger so they can't keep scanning.
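To make the request-line point concrete, here is an added example (not code from the original post, from DFind, or from Apache): a minimal HTTP/1.1 request parser that applies the two checks that matter here, the RFC 2616 Host requirement an HTTP/1.1 server enforces before any rewrite rule runs, and where the w00tw00t string actually sits. The scanner request bytes are constructed from the URI in the error_log above; the page does not show DFind's headers, so the absence of a User-Agent header is an assumption.

```python
"""
Added example, not code from the original post, DFind or Apache: parse a raw
HTTP request the way a server does and check (1) the RFC 2616 section 14.23
Host requirement and (2) where the scanner's signature appears.
"""
from dataclasses import dataclass, field
from typing import Dict

# The part of the string the Snort rule later in the post keys on.
SIGNATURE = ".at.ISC.SANS.DFind"


@dataclass
class ParsedRequest:
    method: str
    target: str          # the request-target, i.e. the URI from the request line
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names


def parse_request(raw: bytes) -> ParsedRequest:
    """Parse the request line and header block of a raw HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return ParsedRequest(method, target, version, headers)


def server_status(req: ParsedRequest) -> int:
    """An HTTP/1.1 request without Host is answered 400 before any handler (or rewrite rule) runs."""
    if req.version == "HTTP/1.1" and "host" not in req.headers:
        return 400
    return 200


def rewrite_rule_matches(req: ParsedRequest) -> bool:
    """What BobA's RewriteCond actually tests: the User-Agent header, not the URI."""
    return req.headers.get("user-agent", "").startswith("w00tw00t.at.ISC.SANS.DFind")


def target_matches(req: ParsedRequest) -> bool:
    """What a uricontent match (or a grep of the error_log) keys on: the request-target."""
    return SIGNATURE in req.target


def classify(raw: bytes) -> dict:
    req = parse_request(raw)
    return {
        "status": server_status(req),
        "rewrite_rule_matches": rewrite_rule_matches(req),
        "target_matches": target_matches(req),
    }


# Constructed sample: the request implied by the error_log line. Only the URI
# and the missing Host header are evidenced by the log; the lack of any other
# header (including User-Agent) is an assumption.
SCANNER_REQUEST = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\n\r\n"

# Constructed sample: an ordinary browser request, for comparison.
NORMAL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("scanner", SCANNER_REQUEST), ("normal", NORMAL_REQUEST)):
        print(name, classify(raw))
```

Run it and the scanner request comes back as status 400 with the signature found in the target and the User-Agent condition false, which is exactly why a RewriteCond on %{HTTP_USER_AGENT} has nothing to see.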

We need a Snort rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DFind Web Server Scan"; flow:to_server,established; uricontent:".at.ISC.SANS.DFind"; reference:url,foxpa.ws/301; classtype:web-application-attack; sid:4000001; rev:1; fwsam: src, 1 day;)

You'll notice I dropped the w00tw00t prefix from the match: it seems some folks are getting test0 and other variations, and the chances of the rest of the string popping up in your URLs legitimately are fairly slim. Pop this into your Snort ruleset somewhere (make sure the SID doesn't conflict with any other custom rules; local rules belong at 1,000,000 and above) and restart. Note that the fwsam option is only understood by a Snort that has been patched for SnortSam; an unpatched Snort will refuse to load the rule as having an unknown option, so drop that option if you only want the alert. With SnortSam or a similar IPS add-on in place, attackers should now find themselves automatically firewalled, and because the rule requires an established TCP flow the address being blocked is one the scanner actually completed a handshake from, not a spoofed one.
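For a box without Snort, the same source-IP block can be driven from the error_log itself. The following is an added example, not code from the original post or from Snort or SnortSam: it parses Apache 2.2 error_log lines, keeps only Host-less requests whose URI carries the signature, and expires each block after one day, mirroring the rule's fwsam: src, 1 day. The first three sample lines are copied from the excerpt at the top of the page; the 10.0.0.5 line is constructed to show that an unrelated Host-less request does not get an address blocked. The iptables commands are produced as text for review, not executed.

```python
"""
Added example, not code from the original post, Snort or SnortSam: derive the
source-IP block the Snort rule + SnortSam would make from Apache's error_log.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Apache 2.2 error_log line: [date] [error] [client IP] <message>: /uri
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"client sent HTTP/1\.1 request without hostname "
    r"\(see RFC2616 section 14\.23\): (?P<uri>\S+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Match the stable middle of the string, as the Snort rule does, rather than
# the w00tw00t prefix, which the post notes varies.
SIGNATURE = ".at.ISC.SANS.DFind"
BLOCK_FOR = timedelta(days=1)  # same duration as "fwsam: src, 1 day"


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, client IP, URI) for a Host-less-request error line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["uri"]


def scan_events(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, ip) for each line whose URI carries the scanner signature."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and SIGNATURE in parsed[2]:
            yield parsed[0], parsed[1]


def block_table(lines: Iterable[str], now: datetime) -> Dict[str, datetime]:
    """Map each offending IP to when its block expires, dropping blocks already expired at `now`."""
    expiry: Dict[str, datetime] = {}
    for ts, ip in scan_events(lines):
        until = ts + BLOCK_FOR
        if until > now and until > expiry.get(ip, now):
            expiry[ip] = until
    return expiry


def iptables_commands(table: Dict[str, datetime]) -> List[str]:
    """Dry run: the rules an operator or cron job would apply. Nothing is executed here."""
    return [
        "iptables -I INPUT -s %s -j DROP  # expires %s" % (ip, until.strftime(TS_FMT))
        for ip, until in sorted(table.items())
    ]


# Sample input. The first three lines are copied from the error_log excerpt on
# this page; the 10.0.0.5 line is constructed: a Host-less request that is not
# the scanner and must not produce a block.
SAMPLE_LOG = """\
[Tue Jul 13 12:13:54 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 00:26:44 2010] [error] [client 62.103.39.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:30:11 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 11:00:00 2010] [error] [client 10.0.0.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /some/other/path
""".splitlines()

if __name__ == "__main__":
    for cmd in iptables_commands(block_table(SAMPLE_LOG, datetime(2010, 7, 14, 12, 0, 0))):
        print(cmd)
```

Fed the page's own log lines with "now" set to noon on Jul 14 2010, it emits DROP rules for 74.63.218.250 and 62.103.39.74 only; re-run the next morning, the 62.103.39.74 block has aged out while the repeat scanner's block, renewed by its later hit, is still in force. In production you would feed it the live error_log from cron (or use the same regex as a fail2ban filter) and apply the rules with ipset rather than stacking individual iptables entries; the one-day expiry matters because a blocked address may be a compromised host behind a NAT shared with legitimate users.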

Comments

• nice and thanks for info

Dan

The current attacks are actually up-to-date scanners giving a faked signature to appear as the old scanner; while it looks like an old scanner, it is up to date and can find more security holes than that outdated scanner. This is typically done by botnets.

In the past I had one server that got exploited from this; it was turned into a zombie and then into a file-sharing haven. The best thing is to just keep your server up to date and use strong passwords and good security practices (such as permissions, etc.).