Webserver logs: "Morfeus F***ing Scanner"

Question

I've just found these accesses in my web server log files:

::ffff:218.38.136.38 109.72.95.175 - [10/Jan/2011:02:54:12 +0100] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"
::ffff:218.38.136.38 109.72.95.174 - [10/Jan/2011:02:54:12 +0100] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"

Should I start to worry ? Or is it just a normal attempt to hack my server ? thanks

Jason Berg · Accepted Answer · 2011-01-10T07:27:12.527

8

It's a scanner looking for vulnerabilities in PHP based websites(reference). Script kiddies use these types of things to scan many many websites. You're not necessarily being singled out.

If you're not running PHP, you have nothing to worry about. If you are, I sure hope you're using secure code.

edited Jan 10 '11 at 07:27

answered Jan 10 '11 at 07:21

Jason Berg

19,084
6
40
55

can you expand on what this scanner actually does? We seem to have been penetrated by it and I need to find out what to do next. We're sending out a lot of spam at present.... – Mazatec Jun 20 '11 at 07:28

score 3 · Answer 2 · answered Jul 29 '11 at 15:36

3

It's looking for vulnerabilities, and you can deny it access this way in your config:

$HTTP["useragent"] =~ "^Morfeus" { url.access-deny = ( "" ) }

answered Jul 29 '11 at 15:36

peterg22

79
2

1

Unless it modifies it's useragent – bahrep Oct 31 '12 at 12:36

Webserver logs: "Morfeus F***ing Scanner"

2 Answers2