While looking through log files to see why Zarafa won't send or receive I found these concerning entries
211.229.107.60 - - [15/Jun/2012:01:29:35 +1000] "GET /user/soapCaller.bs HTTP/1.1" 404 303 "-" "Morfeus Fucking Scanner"
62.2.182.111 - - [16/Jun/2012:21:26:28 +1000] "GET /roundcubemail/README HTTP/1.1" 404 305 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:29 +1000] "GET /rc/README HTTP/1.1" 404 294 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:30 +1000] "GET /webmail/README HTTP/1.1" 404 299 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:31 +1000] "GET /roundcube/README HTTP/1.1" 404 301 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:31 +1000] "GET /mail/README HTTP/1.1" 404 296 "-" "Morfeus strikes again."
62.2.182.111 - - [16/Jun/2012:21:26:32 +1000] "GET /README HTTP/1.1" 404 291 "-" "Morfeus strikes again."
190.0.131.98 - - [16/Jun/2012:21:42:13 +1000] "HEAD / HTTP/1.0" 403 - "-" "-"
I found these in the httpd/accesslog-log-20120617
A quick Google search found this (first result) http://ekle.us/index.php/2007/05/update_on_morfeus_fucking_scanner
which suggests that it's a scanner that searches for vulnerabilities in PHP-based web sites running on Apache and offers the suggestion of adding this code
# Start of .htaccess change.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
# End of .htaccess change.
to the ".htaccess" file
Any suggestions? Should I use the code, is it a correct format to use, should I be concerned?
The IP address appears to be in Korea
Responses (1)
Accepted Answer
Code looks OK, and the log entries are typical of 'script kiddies' who are scanning your web server for common vulnerabilities. They are usually nothing to worry about if you don't have any of those files in those locations (shown by the 404 file not found response).
I tend to give these a lifetime block on the firewall too...
The htaccess code just blocks anything that has Morfeus in the user agent.
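The 404 check described in the answer can be run over a whole access log instead of by eye. The following is an added example, not part of the original thread: the function name `summarize` is hypothetical, and the last sample line (a 200 response from the documentation address 203.0.113.7) is constructed to show what a real hit would look like.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the entries quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same anchored pattern as the RewriteCond in the post: the UA must start with "Morfeus".
SCANNER_UA = re.compile(r'^Morfeus')

def summarize(lines):
    """Group scanner requests by source IP and flag any not answered with 403/404."""
    report = defaultdict(lambda: {"paths": [], "hits": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not SCANNER_UA.search(m["ua"]):
            continue  # unparseable line, or a user agent the rule would not block
        entry = report[m["ip"]]
        entry["paths"].append(m["path"])
        if m["status"] not in ("403", "404"):
            # The probed path exists or redirects: this one needs a closer look.
            entry["hits"].append((m["path"], int(m["status"])))
    return dict(report)

# First four lines are from the post; the last line is constructed for illustration.
SAMPLE = [
    '211.229.107.60 - - [15/Jun/2012:01:29:35 +1000] "GET /user/soapCaller.bs HTTP/1.1" 404 303 "-" "Morfeus Fucking Scanner"',
    '62.2.182.111 - - [16/Jun/2012:21:26:28 +1000] "GET /roundcubemail/README HTTP/1.1" 404 305 "-" "Morfeus strikes again."',
    '62.2.182.111 - - [16/Jun/2012:21:26:32 +1000] "GET /README HTTP/1.1" 404 291 "-" "Morfeus strikes again."',
    '190.0.131.98 - - [16/Jun/2012:21:42:13 +1000] "HEAD / HTTP/1.0" 403 - "-" "-"',
    '203.0.113.7 - - [17/Jun/2012:03:00:00 +1000] "GET /webmail/README HTTP/1.1" 200 5120 "-" "Morfeus strikes again."',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        state = "REVIEW" if info["hits"] else "all 403/404"
        print(f"{ip}: {len(info['paths'])} probes, {state} {info['hits']}")
```

The request from 190.0.131.98 is skipped because its user agent is "-", which is also why the .htaccess rule would not apply to it.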