Dealing with HTTP w00tw00t attacks

From your error log they are sending a HTTP/1.1 request without the Host: portion of the request. From what I read, Apache replies with a 400 (bad request) error to this request, before handing over to mod_security. So, it doesn’t look like your rules will be processed. (Apache dealing with it before requiring to hand over to mod_security)

Try yourself:

telnet hostname 80
GET /blahblahblah.html HTTP/1.1  (enter)
(enter)

You should get the 400 error and see the same error in your logs. This is a bad request and apache is giving the correct answer.

Proper request should look like:

GET /blahblahblah.html HTTP/1.1
Host: blah.com

A work around for this issue could be to patch mod_uniqueid, to generate a unique ID even for a failed request, in order that apache passes the request on to its request handlers.
The following URL is a discussion about this work around, and includes a patch for mod_uniqueid you could use:
http://marc.info/?l=mod-security-users&m=123300133603876&w=2

Couldn’t find any other solutions for it and wonder if a solution is actually required.

Related Posts:

  1. Authentication versus Authorization
  2. Tips for finding SPAM links injected into the_content
  3. What do spammers gain by signing up as a user?
  4. Strategies for coping with hyperagressive spambots?
  5. Website is being flooded [closed]
  6. How to expire all wordpress user passwords instantly?
  7. Spam injected in w3 total cache page cache [closed]
  8. reCaptcha doesnt appear in comment (manual or plugin)
  9. How to stop direct HTTP POST to a PHP script?
  10. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  11. Why does my admin email address keep changing to something random?
  12. Using htaccess to prevent spam through wp-comments-post.php
  13. Site has fake users registered with a similar pattern in username and email
  14. Unwanted Links and Spam WordPress Pages and Posts
  15. How do I deal with a compromised server?
  16. What permissions should my website files/folders have on a Linux webserver?
  17. How do I select which Apache MPM to use?
  18. Redirect, Change URLs or Redirect HTTP to HTTPS in Apache – Everything You Ever Wanted to Know About mod_rewrite Rules but Were Afraid to Ask
  19. Finding out what user Apache is running as?
  20. Is it bad to redirect http to https?
  21. Is it possible to generate RSA key without pass phrase?
  22. What does Apache’s “Require all granted” really do?
  23. Multiple SSL domains on the same IP address and same port?
  24. How do I prevent apache from serving the .git directory?
  25. Proxy Error 502 “Reason: Error reading from remote server” with Apache 2.2.3 (Debian) mod_proxy and Jetty 6.1.18
  26. How does ServerName and ServerAlias work?
  27. How to inspect remote SMTP server’s TLS certificate?
  28. Apache2 config variable is not defined
  29. Using variables in Apache config files to reduce duplication?
  30. How to get Apache2 to redirect to a subdirectory
  31. Why is the response on localhost so slow?
  32. Do you have any useful awk and grep scripts for parsing apache logs? [closed]
  33. apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
  34. When is K 1024 and when is it 1000?
  35. what is svn? and how to use it with project?
  36. What’s the best approach for generating a new API key?
  37. What is the difference between application server and web server?
  38. Code-first vs Model/Database-first
  39. How to resolve git’s “not something we can merge” error
  40. Even though JRE 8 is installed on my MAC -” No Java Runtime present,requesting to install ” gets displayed in terminal
  41. How to create temp table using Create statement in SQL Server?
  42. Error while trying to retrieve text for error ORA-01019
  43. What is meant by diameter of a network?
  44. LaTeX table too wide. How to make it fit?
  45. R Markdown – changing font size and font type in html output
  46. git add only modified changes and ignore untracked files
  47. HTTP Error 404.3-Not Found in IIS 7.5
  48. What is the difference between procedural programming and functional programming?
  49. Multiplying a register value by a constant in MIPS?
  50. how fix “this certificate cannot be verified up to a trusted certification authority”
  51. How to get the vector between two vectors?
  52. Brackets.io in built support for TypeScript
  53. How to Protect Uploads, if User is not Logged In?
  54. Can I rename the wp-admin folder?
  55. Getting a List of Currently Available Roles on a WordPress Site?
  56. Why are passwords exportable as plain text in WordPress?
  57. Nonces and Cache
  58. What is the purpose of having a token in cookies?
  59. Do I need to sanitize WordPress search query?
  60. What permissions does wp-content/uploads need?
  61. What is the wp-includes/certificates/ca-bundle.crt used for?
  62. How to secure WordPress XMLRPC?
  63. Comments screen in backend, how to disable Quick Edit | Edit | History | Spam | for non admins
  64. Using two different DB users on one WP install
  65. How do I bypass WordPress 404 handling?
  66. Why are xmlrpc.php and wp-cron.php being called so often?
  67. Using esc_html with HTML purifier and CSSTidy: Overkill?
  68. wordfence scan warning on W3 Total Cache [closed]
  69. Woocommerce reviews xss issue [closed]
  70. SQL Injection blocked by firewall
  71. Reset Password policy
  72. Malware installation during plugin update?
  73. Which Versions of WordPress Ship with the Patched TimThumb?
  74. What do comments with […] mean?
  75. Hardening uploads folder in IIS breaks images
  76. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  77. Make every comment go to the spam folder
  78. Is a very simple theme secure enough?
  79. Import local site to WordPress.com
  80. Can I make the post type value dynamic in ajax.php in wordpress
  81. Posts feed number of posts
  82. Adding Security Keys?
  83. WordPress disable direct access of files in WordPress installation path
  84. SQL queries to another wordpress site
  85. Scan multiple websites for malware that are in same webhost root?
  86. Iterating users while user iteration is suppressed
  87. Bootstrap theme embedded iframes are distorted [closed]
  88. Is there default meta boxes types that handles types and sanitization?
  89. PHP Code Sniffer – WordPress VIP Coding Standards
  90. Being hacked. Is there a list of WordPress security holes I can check against?
  91. WP upload/select image , isn’t this a security issue?
  92. Trying to understand nature of hacking
  93. Are image addresses security relevant?
  94. How to Prevent Unwanted Spam to Contact Form 7 [closed]
  95. Our security auditor is an idiot. How do I give him the information he wants?
  96. List all DNS records in a domain using dig?
  97. I am under DDoS. What can I do?
  98. How to add dependency on a Windows Service AFTER the service is installed
  99. Monday morning mistake: sudo rm -rf –no-preserve-root /
  100. Can you alter the default wordpress strong password requirements?

Leave a Comment