Morpheus comes a scanning!!

I’ve been reading on other blogs about this user agent. I have been seeing this agent trying to access an area where I know WordPress doesn’t have anything. Some people suspect it is scanning for Drupal vulnerabilities. I have to say, if it is searching for Drupal, it is in the wrong place.

Now let’s get down to it. I’ve seen a lot of comments that just blocking the user agent is not going to prevent this from happening. You see, they can always spoof the agent without much trouble, but I feel that if they are going to use an agent that I can track, it is never a bad idea to block that type of access. Even if that was a true agent, I seriously doubt it would be a legitimate agent because of the name. Others have suggested this is looking to find a PHP vulnerability and exploit your system.

I don’t know if it is true. I have been reading the comments on the blog and some of them are quite interesting. One comment that I like notes that this scanner has been around since 2006 and most PHP servers have been updated to prevent this type of exploit. So either this scanner is an old system that has nothing better to do, or they are just trying to see if they can get a response from my server. In which case, they will now be given an Access Denied. I have modified my htaccess file to prevent this scanner from even coming to my website. See blog post to find out how.

What makes this so interesting is that it tries to go to “user/soapCaller.bs”, expecting to find something. Oh well, I am pretty much unconcerned, because I keep WordPress up to date and I am constantly looking for oddities like this in my log files. Now, we heard that they don’t always have to use the headers and can hide and not be blocked, so I have thought about denying anything that doesn’t show an IP or has no header. I wanted to ask my users: is that a good idea or a bad idea? This would stop bots from being bad. I do wonder if this has to do with me talking about Pifts.exe a couple months ago. I have read in the comments section about this being government-funded data collection. I don’t know, but it does intrigue me.
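A log check for the probe described above, as an added example that is not the author's code: it flags requests for the `user/soapCaller.bs` path, requests whose user agent contains a scanner marker, and requests with no user agent, and counts them per IP so you can see what each deny rule would catch before adding it. The `morpheus` marker, the Apache combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

PROBE_PATHS = ("/user/soapcaller.bs",)  # path named in the post, lowercased
AGENT_MARKERS = ("morpheus",)           # assumption: substring of the scanner's UA

def classify(line):
    """Return (ip, [reasons]) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    agent = m["agent"].strip().lower()
    reasons = []
    if path.endswith(PROBE_PATHS):
        reasons.append("probe-path")
    if any(marker in agent for marker in AGENT_MARKERS):
        reasons.append("scanner-agent")
    if agent in ("", "-"):
        reasons.append("empty-agent")
    return m["ip"], reasons

def summarize(lines):
    """Count flagged requests per (ip, reason) so each rule's reach is visible."""
    hits = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed:
            hits.update((parsed[0], reason) for reason in parsed[1])
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2009:03:12:45 -0500] "GET /user/soapCaller.bs HTTP/1.1" 404 312 "-" "Morpheus Scanner"',
    '203.0.113.7 - - [20/Apr/2009:03:12:47 -0500] "GET /blog/user/soapCaller.bs HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows; U)"',
    '198.51.100.23 - - [20/Apr/2009:04:01:10 -0500] "GET /feed/ HTTP/1.0" 200 8120 "-" "-"',
    '192.0.2.10 - - [20/Apr/2009:04:02:31 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for (ip, reason), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {reason:14} {count}")
```

The second sample line is the spoofed-agent case: the probe is still caught by its path even though the user agent looks like a browser, while the empty-agent hit on `/feed/` shows the kind of request a blanket "no header" rule would also deny.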

Remember, to help prevent exploits on your server you should keep it up to date as much as possible. If there is an update to WordPress, you should always consider updating even when there are problems down the road.

Mikeyy Worm still going around Twitter

It seems Mikeyy has spawned a new and improved little advertisement:

Twitter, hire Mikeyy! (718) 312-8131 🙂

As you can see from tweets:

[Image: mikey12]

It seems this is the new campaign for Mikeyy, started earlier this morning around 1am or so. People have found this rather annoying, but it is teaching Twitter a lesson; this would be good PR if they hired Mikeyy. Obviously he has a lot to offer, but I guess whoever wrote this variant of the Mikeyy Worm went and found his number on a stickcam website:

[Image: mickstickcam]

Anyone who just Googles the number right now could find the stickcam profile, so I won’t direct you to it. I just hope this doesn’t keep up too much longer. If you’ve been infected with this worm, I would refer you to my other post about removing the worm. I do know that if you aren’t logged into Twitter through your browser, you will not get the worm. This is a simple exploit where they use your browser cookies to infect your Twitter account. So if you view any Twitter accounts, just keep logged out of Twitter in your browser and you should help prevent this from happening until Twitter gets this under control.

StalkDaily.com was the culprit after all!!

In my previous post about StalkDaily, I thought they were the innocent party in all this:

[Image: stalkdaily3]

Now he talks about how he did this and claims responsibility for the Twitter calamity. According to him, he did this out of boredom and needed a way to make money. I am wondering if Twitter will take legal action against him. The time it took to fix the problem, and the fact that it caused so much widespread panic that people do not trust Twitter, makes me think that Twitter would have a really good case against a 17-year-old who was trying to game the system.

Then the people who have lost followers or have had problems with their Twitter accounts are going to be mad too. They were the innocent party and did not know about the cross-site scripting vulnerability, although it doesn’t appear to have gotten any passwords or sensitive data.

Although it does prove a point that the NoScript add-on in Firefox is looking to be more and more needed as people search through the web.

Conficker Gets a New Look: Spyware Protector 2009

Looks like the Conficker Worm has changed directions according to Viruslist:

One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009.com.

[See Pictures of website at Viruslist.com]

From my understanding of this worm, it seems to be using a scareware tactic, trying to get you to pay $49.95 to remove these threats. F-Secure has also seen this worm and thinks this is doing what the Waledac virus is doing by becoming a spambot. According to ESET, the botnet is larger than most and this could create a problem in the future. It seems that it used the p2p to distribute this update so they could bypass the domain blocks that were in place.

I will tell you this: if you get the warnings that you are infected, by all means go to my Malware resource page and do a scan from the trusted sources. I will update as I get more information on this little development.