Rick's World

If you guys are using nginx (EngineX) instead of Apache (slowpache) you can add this directive to your main server config and / or vhost include files.


if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;server {
listen 80 default;
server_name _;

if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;
}

access_log /usr/local/www/data/_default/access_default.log;
server_name_in_redirect off;

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/www/data/_default$fastcgi_script_name;
include fastcgi_params;
}

location / {
index index.php index.html;
root /usr/local/www/data/_default;
error_page 404 error/404.html;
}

}

As in the following "default" example (for anything that doesn't match any of my served domains):

I just added "soapCaller" to my "custom keyword based blocker" which block not only their ip, but their whole subnet.

This is something I cobbled together
(1) Uses modsec to grep any of a list of keywords.
(2) Sends the ip to a "whois" custom java program
(3) This "whois" queries servers such as arin,ripe and gets the netblock range.
(4) Makes an OS call to block the range (via iptables,netsh,ipseccmd,ipsecmod,etc)

i set up an apache server on ubuntu recently, and i noticed this morfeus stuff on there, "Morefeus strikes again" and a bunch of requests. I don't really understand the http get and post stuff yet, so i was wondering if he had done anything bad. I got a bunch of 404s, but then it says internal dummy connection with what I think is the "option" command. maybe i did this, but i really dont know. mind taking a look?

95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /mail/README HTTP/1.1" 404 470 "-" "Morfeus strikes again."
95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /README HTTP/1.1" 404 467 "-" "Morfeus strikes again."
::1 - - [13/May/2010:01:25:09 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:10 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:11 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"

Did he get in? or was that just something i did? message me if you want, i appreciate the help

@Aneeque: Set the Default Directory of the FIle DIalog to "/Applications" and then change the only allowed file types to ".app"

hey really thanks....i am working for it for more than a day....

There are only nine steps required :

( 1 ) Select the Classes folder, then the MyDocument.m file
( 2 ) Double Click on "MyDocument" next to the @implementation
( 3 ) Select MenuBar --> Edit --> Refactor and a dialog will appear
( 4 ) Rename should be selected from the popup menu, change the textField to "ParDocument" or whatever you want, and Click Preview, and Apply Button, and Wait till it is done.
( 5 ) At the top of the ParDocument.m file Double Click MyDocument, and do a CMD-E, and a CTRL-CMD-E, then a CMD-SHIFT-F
( 6 ) In the Replace field change MyDocument to ParDocument, or whatever you want.
The popup menu's should have :
"In Project"
"Textual"
"Whole words"
( 7 ) select all the items found and click on Replace, then hit Find again to make sure there are no more items found.
( 8 ) Open the Resources folder and rename MyDocument.xib to ParDocument.xib
( 9 ) Hit CMD-R to run, and you should see a document window open

Hi, can you please let me know how can I display the choose application dialog. I have an application in which I am displaying the right click context menu and I have an option in that menu on click of which choose application dialog gets open, my problem is that I don't know how to open what are the carbon/cocoa API's through which this dialog gets displayed.

You legend, ive been looking through apple simple browser and complex browser examples, I knew there had to be an easier way

This is still doing the rounds almost a year and a half later. I got called to help an elderly lady (who never even surfs the Web, let alone downloads!) who received this mail scam and another, apparently from the mediadefender.com domain, on the same day. Almost made her throw away her computer completely. ;-)
Showing her this article (and the comments posted by others) convinced her of the falsity of these mails.

Thanks!

Just stumbled across this old post of yours and was wondering if you'd ever changed your mind :) I've replaced every set in my house with HDTVs, and man was it worth it.

I have nothing on my webserver, just a index.html page saying nothing is here.

I have thousands of lines every day from this Morfeus.

94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /cube/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /round/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.2/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.1/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcubemail-0.1/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /roundcubemail-0.2/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /wm/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /webmail2/README HTTP/1.1" 404 292 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /rms/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /mail2/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss2/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /roundcubemail/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /rc/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /webmail/README HTTP/1.1" 404 291 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /roundcube/README HTTP/1.1" 404 293 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /mail/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /README HTTP/1.1" 404 283 "-" "Morfeus strikes again."

Wow, I have no idea how simple to display a splash screen!!
And it works pretty good, thanks for the tutorial!!

Finding time to do it is quite daunting, I bet you can do it considering you spend alot of time on the computer!

Blocking UA and IP'S is nonsense
Both can be faked
Just be sure that the files scanned for don't exists on your server(or in case you want to play with the kids you could create the files with nice js scripts like The Love You virus etc.) but why wasting your time with this ?? just secure your servers
and watch your logs on 200 status codes
The 200 Status tells me that somebody received the file he asked for!!

You should use virtualbox becuase I know for a fact that virtual pc 2007 doesn't support Ubnuntu or any type of linux. I have tried doing this and I couldn't even get it to install. So guess you could say that you were lucky getting that far. Also virtualbox runs in OSX so you at least don't have to pay for a program like Parallels. Hope this gives ya some thoughts.

tnx, it helped me :)

Good stuff =)

thankyou

Nice Dialog thx a lot.

We are receiving the same soapCaller.bs scans, four of them just last night. I am just learning that these are related to this MFS. We have not noticed any particular problems aside from the fact that this keeps popping up on our error list.