Rick's World - Latest comments on Update on Morfeus Fucking Scanner

Another Visitor [Visitor] in response to: Update on Morfeus Fucking Scanner

Another Visitor [Visitor] — Thu, 05 Aug 2010 19:49:54 +0000

If you guys are using nginx (EngineX) instead of Apache (slowpache) you can add this directive to your main server config and / or vhost include files.

if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;server {
listen 80 default;
server_name _;

if ($http_user_agent ~* (Baiduspider|Jullo|Morfeus) ) {
return 444;
}

access_log /usr/local/www/data/_default/access_default.log;
server_name_in_redirect off;

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/www/data/_default$fastcgi_script_name;
include fastcgi_params;
}

location / {
index index.php index.html;
root /usr/local/www/data/_default;
error_page 404 error/404.html;
}

}

As in the following "default" example (for anything that doesn't match any of my served domains):

Richard [Visitor] in response to: Update on Morfeus Fucking Scanner

Richard [Visitor] — Fri, 14 May 2010 14:04:25 +0000

I just added "soapCaller" to my "custom keyword based blocker" which block not only their ip, but their whole subnet.

This is something I cobbled together
(1) Uses modsec to grep any of a list of keywords.
(2) Sends the ip to a "whois" custom java program
(3) This "whois" queries servers such as arin,ripe and gets the netblock range.
(4) Makes an OS call to block the range (via iptables,netsh,ipseccmd,ipsecmod,etc)

kyle [Visitor] in response to: Update on Morfeus Fucking Scanner

kyle [Visitor] — Fri, 14 May 2010 10:28:25 +0000

i set up an apache server on ubuntu recently, and i noticed this morfeus stuff on there, "Morefeus strikes again" and a bunch of requests. I don't really understand the http get and post stuff yet, so i was wondering if he had done anything bad. I got a bunch of 404s, but then it says internal dummy connection with what I think is the "option" command. maybe i did this, but i really dont know. mind taking a look?

95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /mail/README HTTP/1.1" 404 470 "-" "Morfeus strikes again."
95.211.24.2 - - [13/May/2010:01:25:08 -0400] "GET /README HTTP/1.1" 404 467 "-" "Morfeus strikes again."
::1 - - [13/May/2010:01:25:09 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:10 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"
::1 - - [13/May/2010:01:25:11 -0400] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.12 (Ubuntu) (internal dummy connection)"

Did he get in? or was that just something i did? message me if you want, i appreciate the help

Sam [Visitor] in response to: Update on Morfeus Fucking Scanner

Sam [Visitor] — Sun, 20 Dec 2009 16:38:02 +0000

I have nothing on my webserver, just a index.html page saying nothing is here.

I have thousands of lines every day from this Morfeus.

94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /cube/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /round/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.2/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcube-0.1/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:05 +0000] "GET /roundcubemail-0.1/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /roundcubemail-0.2/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /wm/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /webmail2/README HTTP/1.1" 404 292 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /rms/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:06 +0000] "GET /mail2/README HTTP/1.1" 404 289 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss2/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /mss/README HTTP/1.1" 404 287 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /roundcubemail/README HTTP/1.1" 404 297 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /rc/README HTTP/1.1" 404 286 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:07 +0000] "GET /webmail/README HTTP/1.1" 404 291 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /roundcube/README HTTP/1.1" 404 293 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /mail/README HTTP/1.1" 404 288 "-" "Morfeus strikes again."
94.102.209.172 - - [08/Dec/2009:13:01:08 +0000] "GET /README HTTP/1.1" 404 283 "-" "Morfeus strikes again."

MiDoX [Visitor] in response to: Update on Morfeus Fucking Scanner

MiDoX [Visitor] — Mon, 23 Nov 2009 16:21:47 +0000

Blocking UA and IP'S is nonsense
Both can be faked
Just be sure that the files scanned for don't exists on your server(or in case you want to play with the kids you could create the files with nice js scripts like The Love You virus etc.) but why wasting your time with this ?? just secure your servers
and watch your logs on 200 status codes
The 200 Status tells me that somebody received the file he asked for!!

The Law Offices of Philip C. Banks [Visitor] in response to: Update on Morfeus Fucking Scanner

The Law Offices of Philip C. Banks [Visitor] — Tue, 04 Aug 2009 14:20:48 +0000

We are receiving the same soapCaller.bs scans, four of them just last night. I am just learning that these are related to this MFS. We have not noticed any particular problems aside from the fact that this keeps popping up on our error list.

Zenni [Visitor] in response to: Update on Morfeus Fucking Scanner

Zenni [Visitor] — Fri, 17 Apr 2009 12:10:08 +0000

Does it represent threats for HTML only or ASP.NET websites?

shineshadow [Visitor] in response to: Update on Morfeus Fucking Scanner

shineshadow [Visitor] — Sat, 04 Apr 2009 01:44:11 +0000

Beth
You could block the user-agent 'curl'. However you could also just install a captcha of some sort on user and content creation pages. Just google captcha script for various levels from simple math problems to the more typical 'Copy these numbers' kind.