Today morning i received some alerts on Snort IDS with Signature. It is like below
After that i searched above alert in google and found out they scan websites.I checked my apache access.log also.
[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."
#2885-(2-579886) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP
#2886-(2-579887) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP
#2887-(2-579888) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP
#2888-(2-666456) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP
#2889-(2-666457) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP
#2890-(2-666458) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP
#2891-(2-666459) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP
#2892-(2-754607) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP
#2893-(2-754608) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP
After that i searched above alert in google and found out they scan websites.I checked my apache access.log also.
[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."
They have not done anything because status code 404 (Not Found) . I decided to block this type of scanner before they will do something
I bocked Morfeus F Scanner using .htaccess file
Go to website directory and open the ".htaccess " file and add below two lines
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
End.....
No comments:
Post a Comment