Rick's World

If you guys are using nginx (EngineX) instead of Apache (slowpache) you can add this directive to your main server config and / or vhost include files.


if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;server {
listen 80 default;
server_name _;

if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;
}

access_log /usr/local/www/data/_default/access_default.log;
server_name_in_redirect off;

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/www/data/_default$fastcgi_script_name;
include fastcgi_params;
}

location / {
index index.php index.html;
root /usr/local/www/data/_default;
error_page 404 error/404.html;
}

}

As in the following "default" example (for anything that doesn't match any of my served domains):

I just added "soapCaller" to my "custom keyword based blocker" which block not only their ip, but their whole subnet.

This is something I cobbled together
(1) Uses modsec to grep any of a list of keywords.
(2) Sends the ip to a "whois" custom java program
(3) This "whois" queries servers such as arin,ripe and gets the netblock range.
(4) Makes an OS call to block the range (via iptables,netsh,ipseccmd,ipsecmod,etc)

i set up an apache server on ubuntu recently, and i noticed this morfeus stuff on there, "Morefeus strikes again" and a bunch of requests. I don't really understand the http get and post stuff yet, so i was wondering if he had done anything bad. I got a bunch of 404s, but then it says internal dummy connection with what I think is the "option" command. maybe i did this, but i really dont know. mind taking a look?

95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /mail/README HTTP/1.1" 404 470 "-" "Morfeus strikes again."
95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /README HTTP/1.1" 404 467 "-" "Morfeus strikes again."
::1 - - [13/May/2010:01:25:09 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:10 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:11 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"

Did he get in? or was that just something i did? message me if you want, i appreciate the help

@Aneeque: Set the Default Directory of the FIle DIalog to "/Applications" and then change the only allowed file types to ".app"

hey really thanks....i am working for it for more than a day....

There are only nine steps required :

( 1 ) Select the Classes folder, then the MyDocument.m file
( 2 ) Double Click on "MyDocument" next to the @implementation
( 3 ) Select MenuBar --> Edit --> Refactor and a dialog will appear
( 4 ) Rename should be selected from the popup menu, change the textField to "ParDocument" or whatever you want, and Click Preview, and Apply Button, and Wait till it is done.
( 5 ) At the top of the ParDocument.m file Double Click MyDocument, and do a CMD-E, and a CTRL-CMD-E, then a CMD-SHIFT-F
( 6 ) In the Replace field change MyDocument to ParDocument, or whatever you want.
The popup menu's should have :
"In Project"
"Textual"
"Whole words"
( 7 ) select all the items found and click on Replace, then hit Find again to make sure there are no more items found.
( 8 ) Open the Resources folder and rename MyDocument.xib to ParDocument.xib
( 9 ) Hit CMD-R to run, and you should see a document window open

Hi, can you please let me know how can I display the choose application dialog. I have an application in which I am displaying the right click context menu and I have an option in that menu on click of which choose application dialog gets open, my problem is that I don't know how to open what are the carbon/cocoa API's through which this dialog gets displayed.

You legend, ive been looking through apple simple browser and complex browser examples, I knew there had to be an easier way

This is still doing the rounds almost a year and a half later. I got called to help an elderly lady (who never even surfs the Web, let alone downloads!) who received this mail scam and another, apparently from the mediadefender.com domain, on the same day. Almost made her throw away her computer completely. ;-)
Showing her this article (and the comments posted by others) convinced her of the falsity of these mails.

Thanks!

Just stumbled across this old post of yours and was wondering if you'd ever changed your mind :) I've replaced every set in my house with HDTVs, and man was it worth it.

I have nothing on my webserver, just a index.html page saying nothing is here.

I have thousands of lines every day from this Morfeus.

94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /cube/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /round/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.2/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.1/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcubemail-0.1/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /roundcubemail-0.2/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /wm/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /webmail2/README HTTP/1.1" 404 292 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /rms/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /mail2/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss2/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /roundcubemail/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /rc/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /webmail/README HTTP/1.1" 404 291 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /roundcube/README HTTP/1.1" 404 293 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /mail/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /README HTTP/1.1" 404 283 "-" "Morfeus strikes again."

Wow, I have no idea how simple to display a splash screen!!
And it works pretty good, thanks for the tutorial!!

Finding time to do it is quite daunting, I bet you can do it considering you spend alot of time on the computer!

Blocking UA and IP'S is nonsense
Both can be faked
Just be sure that the files scanned for don't exists on your server(or in case you want to play with the kids you could create the files with nice js scripts like The Love You virus etc.) but why wasting your time with this ?? just secure your servers
and watch your logs on 200 status codes
The 200 Status tells me that somebody received the file he asked for!!

You should use virtualbox becuase I know for a fact that virtual pc 2007 doesn't support Ubnuntu or any type of linux. I have tried doing this and I couldn't even get it to install. So guess you could say that you were lucky getting that far. Also virtualbox runs in OSX so you at least don't have to pay for a program like Parallels. Hope this gives ya some thoughts.

tnx, it helped me :)

Good stuff =)

thankyou

Nice Dialog thx a lot.

We are receiving the same soapCaller.bs scans, four of them just last night. I am just learning that these are related to this MFS. We have not noticed any particular problems aside from the fact that this keeps popping up on our error list.

Worked like charm...
Thank you so much

Liked the code.. Very helpful !!

I have written two tutorials on creating stylish splash screen. You can check it here.

http://adeem.me/blog/2009/06/22/creating-splash-screen-tutorial-for-iphone/

Delete the build folder and rebuild. This should work.

Thanks I was looking for this :)

your phone is locked by the service provider here.
you have to get it "unlocked" by a store in america
any store that unlocks iphones can do it.
might cost you a little bit of money.

next time you buy a phone from another person, ask if its unlocked or not.

Yooo Safiya I think this illegal!!!

Yooo Safiya I think this illegal!!!

You know there is a free Spiderman game for the pc? The game has Spiderman, Carnage, Venom and more characters from Marvel, X-men, Justice League, and more. It is called MUGEN.

Hi, also in SA, JHB. I also received the monitoring@isp. mail. Luckily, I picked it up with the @isp, the spelling, zip and the fact that I'm not a criminal! HERE is another one I received today, which I'm sure is the same type of thing so BEWARE of confirm-r16xa@facebookmail.com. Facebook never sends an email like this to confirm a friend...
Facebook notifier (asks for your username & password)!
One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.
To see her picture please check your attachment. (picture attachment)
Thanks,
The Facebook Team
Facebook © 2008

Remember to forward warnings on to your contacts about the above.
Thanks for letting me share!

I made the default.png and add it to my apps. It works when I tried it with the simulator, but when I tried with the iPhone, (both Default.png and default.png), I didn't see anything.

Thanks, Grate Site!!!

cool!!! Thanks!

Does it represent threats for HTML only or ASP.NET websites?

Beth
You could block the user-agent 'curl'. However you could also just install a captcha of some sort on user and content creation pages. Just google captcha script for various levels from simple math problems to the more typical 'Copy these numbers' kind.

Take the iPhone to an AT&T store and get a new SIM card that will work on AT&T.

My son bought an iphone over the internet. We live in the United States, he bought it from a kid that lives in Canada. We can not get the iphone to work.

I believe that is has already been jailbroken, but everytime we try to get it to work, it tells us that the sims card is not supported.

Help!!! How can we get this to work and not have a $250 paperweight.

Thanks for revealing that this email is a scam. I first saw it when checking my email on my mobile. So I thought to open it on my pc. Instead I googled and saw your link. Thanks

Well I decided to make a file in my htdocs called soapcaller.bs . I wrote a nice message to the asswipe attempting to scan my location. I have been blocking these through .htaccess but I find it to be a pain and just figure if I send them some viruses to play with that would slow it down at least.

I received this email two days ago. Nearly got a heart attack. I did not notice the spelling, i was to shocked. I tried to open the attachment to see what crimes i commited. Lucky my anti virus told me there is a virus in the attachment. Im in South Africa and afrikaans speaking. I dont have my computer very long and still learning.
Thank God for U.

i took a pic with my ipod and it buged on the flash part(whigt part) can any 1 help mee

Thanks i live in Australia and have recieved this email several times i am now going to block the sender.
Thanks.

Received today. Exact same email. I am in the U.S., California. I goodled the email address and found your website. Want to say thanks for the info!! I'm glad I did'nt open the zip file but, wondering what I do with the email? Do I just delete it or take other steps to protect my computer?
Thank you for your time.....

It is goign aroudn again as a message from Delta Airlines with a zip file atatched.

Can anyone share the OSSEC rule they've used to block any user-agent? curl is being used constantly to create new blog accounts (1700 time yesterday) and I want it to stop. If I had a rule that blocked when there's a match for user agent = ^curl and file = wp-signup.php, I'd be able to eliminate 99.9% of the spam blog signups.

thanks,
Beth

THANKS FOR ALL YOUR ADVICE GUYS. I ALMOST OPENED THE ZIPFILE UNTIL I NOTICED THE SILLY SPELLING ERROR. I JUST WONDER HOW THEY CHOOSE THEIR 'VICTIMS' COZ I DIDN'T THINK MY EMAIL ADDRESS WAS ON SUM DODGY DATABASE THAT COULD ACCESSED BY ANYONE...

I just saw "Morfeus Fucking Scanner" in my log files today, thanks for the article.

How can I get these people to stop sending this e-mail. They are claiming that I am doing illegal activities on the internet, which originate from 68.111.94.136. I have no idea what this is?

Same message. Jan 31st. Nice work

@Isaac

You are right, Default.png' works fine in the simulator but not the iPhone itself. You should use 'default.png' instead -- Mac OS X is case sensitive and the iPhone explicitily looks for 'default.png'.

M