While looking through log files to see why zarafa won't send or receive, I found these concerning entries:


211.229.107.60 - - [15/Jun/2012:01:29:35 +1000] "GET /user/soapCaller.bs HTTP/1.1" 404 303 "-" "Morfeus Fucking Scanner"



62.2.182.111 - - [16/Jun/2012:21:26:28 +1000] "GET /roundcubemail/README HTTP/1.1" 404 305 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:29 +1000] "GET /rc/README HTTP/1.1" 404 294 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:30 +1000] "GET /webmail/README HTTP/1.1" 404 299 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:31 +1000] "GET /roundcube/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:31 +1000] "GET /mail/README HTTP/1.1" 404 296 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:32 +1000] "GET /README HTTP/1.1" 404 291 "-" "Morfeus strikes again."
190.0.131.98 - - [16/Jun/2012:21:42:13 +1000] "HEAD / HTTP/1.0" 403 - "-" "-"


I found these in the httpd/accesslog-log-20120617

A quick google search found this (first result) http://ekle.us/index.php/2007/05/update_on_morfeus_fucking_scanner

which suggests that it's a scanner that searches for vulnerabilities in PHP-based web sites running on Apache, and offers the suggestion of adding this code


# Start of .htaccess change.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
# End of .htaccess change.


to the ".htaccess" file

Any suggestions? Should I use the code, is it a correct format to use, should I be concerned?

The IP address appears to be in Korea
Sunday, June 17 2012, 12:34 AM
Responses (1)
  • Accepted Answer

    Monday, June 18 2012, 09:01 PM
    Code looks OK, and the log entries are typical of 'script kiddies' who are scanning your web server for common vulnerabilities. They are usually nothing to worry about if you don't have any of those files in those locations (shown by the 404 file not found response).

    I tend to give these a lifetime block on the firewall too...

    The htaccess code just blocks anything that has Morfeus in the user agent.
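
The triage described in the answer, as an added example that is not part of the original thread: it groups requests whose user agent starts with "Morfeus" by client IP and separates 404-style misses from requests the server actually served, which are the ones worth a closer look. It assumes Apache's combined log format; the function names and the sample lines (documentation-range IPs, including one 200 response) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the entries in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jun/2012:21:26:28 +1000] "GET /roundcubemail/README HTTP/1.1" 404 305 "-" "Morfeus strikes again."
192.0.2.10 - - [16/Jun/2012:21:26:30 +1000] "GET /webmail/README HTTP/1.1" 404 299 "-" "Morfeus strikes again."
198.51.100.7 - - [16/Jun/2012:21:26:32 +1000] "GET /README HTTP/1.1" 200 1482 "-" "Morfeus strikes again."
198.51.100.7 - - [16/Jun/2012:21:26:33 +1000] "GET /mail/README HTTP/1.1" 404 296 "-" "Morfeus strikes again."
203.0.113.5 - - [16/Jun/2012:21:42:13 +1000] "HEAD / HTTP/1.0" 403 - "-" "-"
"""


def triage(log_text, agent_prefix="Morfeus"):
    """Group scanner requests by client IP, split into misses and hits."""
    report = defaultdict(lambda: {"missed": [], "served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Same case-sensitive prefix test as the ^Morfeus RewriteCond.
        if not m or not m["agent"].startswith(agent_prefix):
            continue
        status = int(m["status"])
        # 2xx/3xx means the probed path exists or redirects somewhere.
        bucket = "served" if 200 <= status < 400 else "missed"
        report[m["ip"]][bucket].append((m["path"], status))
    return dict(report)


def needs_review(report):
    """IPs whose probes got something other than an error response."""
    return sorted(ip for ip, r in report.items() if r["served"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, r in sorted(result.items()):
        print(ip, "missed:", len(r["missed"]), "served:", r["served"])
    print("review:", needs_review(result))
```
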