Our HoneyPoint deployments have been picking up a recently added (August 08) scan signature from Morfeus, the bot-based web scanner that has been around for a long time. The new scans were first detected on our consumer-grade DSL/cable segments in late August and have now also been seen on our corporate environment sensors.
The scans check for “soapCaller.bs” and then “/user/soapCaller.bs”. Returning a 200 result code did not bring any additional traffic or attacks from the original source within 96 hours of the initial scans. In fact, returning the 200 did not seem to cause any change in behavior of the scans or any additional attacks from any source. Likely, this means that vulnerable hosts are being cataloged for later mass exploitation.
Morfeus scans are quite prevalent and can include searches for a number of common PHP and other web application vulnerabilities. Google searches on “morfeus” return about 259,000 results, including quite a few mentions of ongoing scans from the bot-net.
Here is a blog post that discusses using .htaccess rules to block scans with the morfeus user agent.
Morfeus has shown itself to be quite adaptive and seems to be updated pretty frequently by the bot-masters with new application attack signatures. The scanning is very widespread and can be observed on a regular basis across platforms and ISP types.
The soapCaller.bs page is a file often associated with the Drupal content management system. A number of vulnerabilities have been identified in this package in the past, including during our recent content manager testing project. Users of Drupal should be vigilant in patching their systems and in performing application assessments.
I just noticed one of my test servers on the internet getting this request for a file. I don’t have a log of where it came from. This was during the week of Feb 15 2009.
Yeah, morfeus has had this payload check for a while and the scanning for it continues. Basically, if you don’t have the file though, you should be fine.
Keep an eye on @lbhuston and @honeypoint on twitter for more attack and probe pattern updates.
Thanks for reading and commenting!
On 2010-01-17 09:24:38 I received one of those Morfeus scans on my development web server asking for /user/soapCaller.bs.
The call was from 126.96.36.199.
How can I report this incident?
You can try looking up the whois for the source IP and filing an abuse request, along with your log sample. However, I would warn you that usually, little comes from it. The main thing is to have your server assessed and make sure that it, and all other Internet facing devices are protected against such threats. When was the last time you had a network and application assessment performed?
I have seen it come from several places on the internet. Not just 1 place. Today I had one from 188.8.131.52. And I have seen it in other places.
They continue to come from around the world. Morfeus has been slow to update lately though, so I wouldn’t worry too much about it if you have closed the SOAP holes.
Just found this on my server as well, from IP 184.108.40.206. Simply added it to my iptables blocking and will watch for it tomorrow.
Surprised you only see it from one address. This is a pretty common attack pattern, though it is slowly fading into oblivion.
If you have a scripting language on your server (I have PHP, and my server is Apache based), help slow down these hackers by returning an HTML response after 999 seconds.
Redirect permanent /user/soapCaller.bs http://example.com/soapCaller.php
soapCaller.php calls “sleep(999);” and then sends “Hi.”, keeping the abuser’s host busy for up to 15 minutes and 39 seconds.
Very much like a La Brea kind of approach at the application level. Let us know how this works out and if it actually slows down any of the scanners or reduces the scans against your site.
Thanks for reading!
The bots are still out there, still scanning for the same exploit. You’d think they would figure that everyone who can be hit has been already. Time to add another access rule. Thanks for the info…
220.127.116.11 - - [16/May/2011:19:52:16 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 673 "-" "Morfeus Fucking Scanner"
On my IIS server:
2011-07-07 12:40:57 xxx.xxx.xxx.xxx GET /user/soapCaller.bs - 80 - 18.104.22.168 Morfeus+Fucking+Scanner - 404 0 2 283
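Detection logic for these probes over both log formats shown in the comments (Apache combined and IIS W3C extended), as an added example that is not the blog's or HoneyPoint's code; the sample lines are constructed and use documentation-range addresses:

```python
import re
from typing import Optional

# Constructed sample log lines (documentation-range addresses, not real sources):
# Apache combined format and IIS W3C extended format, carrying the probe path and
# the User-Agent string this page documents.
SAMPLE_LINES = [
    '203.0.113.7 - - [16/May/2011:19:52:16 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 673 "-" "Morfeus Fucking Scanner"',
    '2011-07-07 12:40:57 192.0.2.10 GET /user/soapCaller.bs - 80 - 203.0.113.8 Morfeus+Fucking+Scanner - 404 0 2 283',
    '198.51.100.5 - - [16/May/2011:20:01:03 -0400] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '2011-07-07 12:41:12 192.0.2.10 GET /soapCaller.bs - 80 - 203.0.113.9 curl/7.19 - 404 0 2 283',
]

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
IIS_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def parse_line(line: str) -> Optional[dict]:
    """Normalise one Apache combined or IIS W3C line to ip/path/status/ua."""
    m = APACHE_RE.match(line)
    if m:
        return {"ip": m["ip"], "path": m["path"],
                "status": int(m["status"]), "ua": m["ua"]}
    parts = line.split()
    # IIS default W3C field order: date time s-ip cs-method cs-uri-stem
    # cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer)
    # sc-status sc-substatus sc-win32-status time-taken
    if len(parts) == 15 and IIS_DATE_RE.match(parts[0]):
        return {"ip": parts[8], "path": parts[4], "status": int(parts[11]),
                "ua": parts[9].replace("+", " ")}  # IIS writes UA spaces as '+'
    return None

def is_morfeus_probe(rec: dict) -> bool:
    """Flag on the probe path or the UA. The path is the more durable indicator,
    since the UA string is trivially changed by whoever runs the scanner."""
    path = rec["path"].split("?", 1)[0].lower()
    return path.endswith("/soapcaller.bs") or "morfeus" in rec["ua"].lower()

def find_probes(lines) -> list:
    """Return (ip, path, status, ua) for every line that matches the probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_morfeus_probe(rec):
            hits.append((rec["ip"], rec["path"], rec["status"], rec["ua"]))
    return hits
```

Calling find_probes(SAMPLE_LINES) flags three of the four constructed lines, including the curl request that carries no Morfeus User-Agent but asks for the same file.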
“Here is a blog post that discusses using .htaccess rules to block scans with the morfeus user agent.”
I would not suggest following that method. Blacklisting like that can be easily bypassed. It is unreasonable to whitelist even known good UAs, so the best method is to have your server(s) validate all input and block all debugging info and nonexistent pages.