has my server been hacked w00tw00t.at.ISC.SANS.DFind

I'm quite sure my server's been hacked. I'm seeing these entries in my access log as the last two before a series of 500 error messages. It's related to the DB, but I haven't found out the exact error yet. I'm still trying to figure out what it means; can anyone help me out:

208.90.56.152 - - [16/Jun/2011:16:18:04 +0000] "GET / HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"

Update

OK - on further investigation - for some reason the mysql service was shut down. I restarted it, and everything LOOKS normal. No data's missing, but I'm really not feeling well over the spook of those weird entries - how can I check if someone's been inside my system?

In my MySQL log I see these lines; how does that relate to what has happened?

Version: '5.0.77'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
110616 17:34:20 [Note] /usr/libexec/mysqld: Normal shutdown

110616 17:34:20  InnoDB: Starting shutdown...
110616 17:34:21  InnoDB: Shutdown completed; log sequence number 0 2054508
110616 17:34:21 [Note] /usr/libexec/mysqld: Shutdown complete

110616 17:34:21  mysqld ended

Solution 1:

The DFind scan is just that, a scan, and doesn't indicate a breach; you'll see it all the time if you're watching. See here.

That's a graceful MySQL shutdown, which may warrant further investigation, but isn't terribly suspicious on its own.

Solution 2:

Those two entries in the access log are nothing to worry about.

The first one is perfectly fine (someone at 208.90.56.152 asked for your website root and got it), and the second one looks like someone at 69.162.74.102 tried to access a file called w00tw00t.at.ISC.SANS.DFind:) on your site... and of course didn't find it.

People (or bots) may ask your web server for the weirdest things; this doesn't matter. What matters is that they don't find them :-)

Solution 3:

A record of GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 in your raw access logs indicates that someone is running a vulnerability scanner which has this fingerprint.

By itself, this entry does not mean that you have been hacked. It only means that someone has been scanning your server for potential vulnerabilities using a web vulnerability scanner. These entries can be followed by other brute-force entries (the actual hack attempts).

This entry should send you a message. Keep your code clean! Most web sites are attacked in one way or another almost every day. Your best defense is to learn what you can do to keep your files, directories, and scripts safe from hackers. Be sure you have your file and directory permissions set properly. Even more importantly, only use safe scripts that have a good reputation for security on the Internet, and be sure that you always check the parent sites for your scripts at least once a month for updates and bug fixes.
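As an added example (not code from the question or any of the answers above), here is a small triage script that does what the answers recommend by hand: parse combined-format access-log lines, flag requests carrying the DFind w00tw00t fingerprint, count 5xx responses per client address, and report whether the scanner's source address overlaps with the addresses that triggered the server errors. The two log lines from the question are embedded as-is; the 198.51.100.7 lines and the unparseable line are constructed test data (RFC 5737 documentation address), and the fingerprint table and the threshold of three errors are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Regex for the Apache "combined" log format used in the question:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner fingerprints keyed by a substring of the request path. Only the
# DFind probe appears on the page; keeping it in a table is an assumption
# about how you would extend the check to other scanner signatures.
SCANNER_FINGERPRINTS = {
    "w00tw00t.at.ISC.SANS.DFind": "DFind",
}

# First two lines are the ones quoted in the question. The 198.51.100.7 lines
# are constructed (RFC 5737 address) to show a run of 5xx responses, and the
# last line is constructed garbage to show that the parser skips it.
SAMPLE_LOG = """\
208.90.56.152 - - [16/Jun/2011:16:18:04 +0000] "GET / HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
198.51.100.7 - - [16/Jun/2011:17:34:25 +0000] "GET /index.php HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2011:17:34:31 +0000] "GET /index.php HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2011:17:34:40 +0000] "GET /about.php HTTP/1.1" 500 612 "-" "Mozilla/5.0"
this line is constructed garbage and must be skipped rather than crash the parser
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Split "GET /path HTTP/1.1" into method and path; tolerate malformed requests.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def parse_log(text):
    """Parse every line of a log, silently dropping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def scanner_hits(entries):
    """Return (ip, scanner_name, status) for each request matching a fingerprint."""
    hits = []
    for e in entries:
        for needle, name in SCANNER_FINGERPRINTS.items():
            if needle in e["path"]:
                hits.append((e["ip"], name, e["status"]))
    return hits


def status_by_ip(entries):
    """Count response status codes per client address."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["ip"]][e["status"]] += 1
    return dict(counts)


def server_error_sources(entries, threshold=3):
    """Client addresses that received at least `threshold` 5xx responses."""
    return {
        ip for ip, c in status_by_ip(entries).items()
        if sum(n for s, n in c.items() if 500 <= s < 600) >= threshold
    }


def triage(text, threshold=3):
    """Summarize who scanned, who drove the 5xx errors, and whether those sets overlap.

    An overlap (the scanner's address later receiving server errors) is the case
    worth correlating with the outage; disjoint sets, as with the lines from the
    question, point to two unrelated events.
    """
    entries = parse_log(text)
    hits = scanner_hits(entries)
    scanners = {ip for ip, _, _ in hits}
    errors = server_error_sources(entries, threshold)
    return {
        "parsed": len(entries),
        "scanner_hits": hits,
        "server_error_sources": errors,
        "scanner_and_error_overlap": scanners & errors,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a real access log with `triage(open("/var/log/httpd/access_log").read())`; the substring match on the path is deliberate, since scanners append junk like the trailing ":)" and the exact string varies between scanner versions.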

Related:

  • Dealing with HTTP w00tw00t attacks
  • Blocking w00tw00t scans
  • w00tw00t.at.ISC.SANS.DFind iptables fix - abusable?