Update on Morfeus F***ing Scanner

213126 Resource 187691 21 21 1221960057763 1222534130372 Controlled Webmaster Tips: Blocking Selected User-Agents

While blocking access to servers based on user agent strings does not offer absolute security, it is still very worthwhile.

I was just reviewing our server security logs and ran across a questionable request for "/user/soapCaller.bs".  Doing a bit of research on this, I ran across <a title="Update on Morfeus Fucking Scanner" href="http://ekle.us/index.php/2007/05/update_on_morfeus_fucking_scanner" target="_blank">this blog post</a> by Rick Ekle confirming that was, indeed, the work of some script kiddie's "Morfeus F***ing Scanner" (sorry, that's its name—the underbelly of the Internet is a seedy place) looking for exploitable PHP servers.No big deal; I added a couple new <a title="SlimeGate: Fighting Back Against Big, Hungry, Orange Alligators" href="http://blogsite.com/public/blog/178941" target="_blank">SlimeGate™</a> rules and all of our servers are protected from this slime ball.But what struck me as interesting was the debate in the comment thread on Rick's post about whether or not webmasters should block requests bases on user agent names.  IMO, the answer is absolutely, yes!<h3>Why block by user-agent?</h3><img style="MARGIN: 0px 10px 5px 0px" height="113" alt="security" src="docs/security-150.jpg" width="150" align="left" border="0" />Some people argue that blocking specific user agents is pointless because user agent names are easily spoofed, thus it is trivial for a hacker to masquerade as any user agent.  Therefore, the argument goes, blocking based on user agent provides only a false sense of security.But this argument misses an important point.  Specifically, blocking by user agent is not intended to provide reliable security; it is intended to block unwanted traffic.  For example, blocking the user agent "^Morfeus" will not make a vulnerable PHP server secure, but it will prevent at least some unwanted traffic.  Arguing against doing this is like arguing against wearing safety belts on the grounds that doing so does not provide absolute safety.<h3>What about blocking generic user agents like "libwww-perl" or "Java"?</h3>In my opinion, most production servers should block generic user agents.  In my experience, it is very rare when a legitimate, desirable application, browser, or web service makes requests using a generic user agent name.  In the vast majority of cases, these products issue user-agent headers that properly identify themselves.In years of hosting hundreds of commercial sites, I can count on one hand the times we have made exceptions to permit access by a generic user agent name.  And when such an exception is necessary, it is easily accomplished and the exception can be limited by IP address, referrer address, etc.<h3>The bottom line</h3>As a webmaster, you definitely should use user-agent headers to manager server traffic.  But understand that this is purely a pragmatic tactic and not a serious security measure.  Real security comes only through elimination of exploitable security holes. 9 application/xml false Morfeus security SlimeGate user-agent Update on Morfeus F***ing Scanner Thoughts on computers and health http://ekle.us/index.php/2007/05/update_on_morfeus_fucking_scanner Fighting Back Against Big, Hungry, Orange Alligators | MyST Blogsite® Overly aggressive RSS feed aggregators can cause server performance problems; MyST Blogsite introduces new technology to detect (and reject) egregious offenders. http://blogsite.com/public/blog/178941 As a webmaster, you definitely should use user-agent headers to manager server traffic. But understand that this is purely a pragmatic tactic and not a serious security measure. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 aseidl 68.40.167.222 false true false false true 188081 false false true false false false true 213155 Resource 188081 173239 21 1222040700526 1222095658820 Controlled Great Post!

I agree. The bad guys are always one step ahead so security should always be a concern. In my article, I detailed how to write your robots.txt, and I agree that this is should not really be used for security purposes.How to write robots.txt: <a href="http://sin8.com/tip-3-its-important-to-hide-parts-of-your-site-from-search-engines">http://sin8.com/tip-3-its-important-to-hide-parts-of-your-site-from-search-engines</a> Carl 10 application/xml false Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 aseidl 68.40.167.222 false true false false true 187691 blog blogsite/FASeidl/web