"morfeus strikes again" causing massive db server connections

We see in our apache log "morfeus strikes again" at the same time as when the mysql db servers experience a connection surge.  Sometimes over 800 connections.  What is this, and how can I stop the db connections from being opened?

Kerem ERSOY, President

Commented:
Hi,

In fact the full text should be:

User Agent: Morfeus strikes again

It means that there's a certain crawler out there and it is trying to locate some exploits over your web pages. In your case it seems that the crawler disturbs your site a lot.

What you can do is to disable access to people coming with this user agent. You can find more info here:

http://ekle.us/index.php/2007/05/update_on_morfeus_fucking_scanner

Here's an article about what the agent exactly searches:

http://stateofsecurity.com/?p=467

Cheers,
K.

Commented:
This is caused by a scanner or bot probing your server.  There's not much you can do, but you could try to block the user agent:

In your apache conf file, add the following line:

SetEnvIfNoCase User-Agent "^morfeus strikes again" bad_bot

then find your directory configuration and add a Deny from env=bad_bot directive:

<Directory "/usr/www/public_html/">
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
</Directory>

and reload your apache conf (apachectl graceful).

Author

Commented:
I am wondering how a single line in my apache log can result in 800+ connections to the db server hosting information for the web site. I understand the probe and the user agent.  I wonder if this is a false positive, unless a bot like this can open 800+ pages leaving only one entry in the log file.

If the log entry had not been at the very same minute and second as the hang, I would not care about it. However it's the only clue I have for why the db's receive so many connections, then within 1-3 minutes all is fine.

This is happening at least once an evening. Tonight I will grab my second log.  If I see Morfeus again, I will accept this is somehow causing the surge in db connections.

Kerem ERSOY, President

Commented:
In fact I guess this is only a coincidence. If you've skimmed through the second link I've sent you, it gives technical details about what the bot looks for. It has nothing to do with a DB related thing.

Furthermore, if only one entry in the HTTP log could cause 800+ DB connections, I would think that there was a problem with the software design rather than the nature of the connection.

Commented:
You will probably find that the request (GET or POST) is for a page that accesses the database (eg. a forum post page).  Thus when a scanner, attacker, or bot generates a flood of requests to this URL, that in turn generates a surge of database activity.
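One way to test the two hypotheses raised above (that the scanner floods a DB-backed page, and that the offending User-Agent can be identified and denied) is to correlate the access log with the surge window. The script below is an added example, not code from the original thread or from either expert: it parses Apache combined-format log lines, finds the busiest minute, breaks that minute down by User-Agent and by requested path, and checks which User-Agent strings the SetEnvIfNoCase pattern from the earlier answer would actually match. The log lines, IP addresses, timestamps and forum paths are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Parser for the Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def window_start(rec, seconds):
    """Floor a record's timestamp to the start of a `seconds`-wide bucket (epoch)."""
    epoch = int(rec["time"].timestamp())
    return epoch - epoch % seconds


def busiest_window(records, seconds=60):
    """Return (bucket_epoch, request_count) for the bucket with the most requests."""
    counts = Counter(window_start(r, seconds) for r in records)
    return counts.most_common(1)[0]


def agents_in_window(records, bucket, seconds=60):
    """Requests per User-Agent inside one bucket."""
    return Counter(r["ua"] for r in records if window_start(r, seconds) == bucket)


def apache_rule_matches(pattern, ua):
    """Mimic SetEnvIfNoCase User-Agent "<pattern>": a case-insensitive regex search,
    so the pattern is anchored only if it contains ^ or $ itself."""
    return re.search(pattern, ua, re.IGNORECASE) is not None


def analyze(lines, seconds=60):
    """Summarise the busiest window: how many requests, which agent, which paths."""
    records = [r for r in map(parse_line, lines) if r is not None]
    bucket, total = busiest_window(records, seconds)
    agents = agents_in_window(records, bucket, seconds)
    top_ua, top_hits = agents.most_common(1)[0]
    # Strip query strings so /viewtopic.php?t=1 and ?t=2 count as the same script.
    top_paths = Counter(
        r["path"].split("?", 1)[0]
        for r in records
        if window_start(r, seconds) == bucket and r["ua"] == top_ua
    )
    return {
        "window_start": datetime.fromtimestamp(bucket, records[0]["time"].tzinfo),
        "requests": total,
        "top_ua": top_ua,
        "top_ua_hits": top_hits,
        "top_ua_paths": top_paths,
    }


# Constructed sample log (hypothetical hosts, times and paths, not the poster's data).
NORMAL_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/2008 Firefox/3.0"
BOT_UA = "morfeus strikes again"
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Oct/2008:21:02:40 -0500] "GET /index.php HTTP/1.1" 200 4821 "-" "%s"' % NORMAL_UA,
    '198.51.100.9 - - [14/Oct/2008:21:02:58 -0500] "GET /forum/index.php HTTP/1.1" 200 7310 "-" "%s"' % NORMAL_UA,
    '198.51.100.12 - - [14/Oct/2008:21:04:05 -0500] "GET /index.php HTTP/1.1" 200 4821 "-" "%s"' % NORMAL_UA,
]
# Thirty requests from one host in two seconds, every one hitting a DB-backed forum page.
SAMPLE_LOG += [
    '203.0.113.45 - - [14/Oct/2008:21:03:%02d -0500] "GET /forum/viewtopic.php?t=%d HTTP/1.0" 200 5120 "-" "%s"'
    % (15 + i // 15, i, BOT_UA)
    for i in range(30)
]

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("busiest minute:", summary["window_start"].strftime("%H:%M"), summary["requests"], "requests")
    print("top agent:", summary["top_ua"], summary["top_ua_hits"], "hits")
    print("paths hit by it:", dict(summary["top_ua_paths"]))
    for ua in (BOT_UA, "Morfeus Fucking Scanner"):
        print(repr(ua), "denied by ^morfeus strikes again:", apache_rule_matches("^morfeus strikes again", ua))
```

Run it against the real access_log (replacing SAMPLE_LOG with the file's lines) for the minute of a DB surge: if one agent accounts for most of the requests and they all land on a script that opens a database connection, the surge is explained, and the path column tells you which page to protect. Note that SetEnvIfNoCase does a regex search, so the anchored pattern ^morfeus strikes again will not match the variant spelled in the first answer's link (Morfeus Fucking Scanner); an unanchored pattern such as morfeus catches both, at the cost of matching any other agent string containing that word.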
Kerem ERSOY, President

Commented:
You should also try to disable the bot access and give it a try later, if this repeats tomorrow, to be sure that the source of your problem is the bot.
Kerem ERSOY, President

Commented:
I believe I've shared all the available data about the virus and how to check against the DB's, as the asker was initially afraid of.  I guess he'll evaluate this when he has time to check back on the question.
