WAF 330205

Shakall
Forum User
Posts: 13
Joined: Sat Nov 16, 2013 12:19 pm
Location: Munich

WAF 330205

Unread post by Shakall »

I have a problem.
Today I got this message on my Atomic:

Time: December 2, 2013 16:47:22
Rule: 330205 - null
Attacker: 198.72.123.132
Target: ht tp://www.website-is-changed.com
Log: /20131202/20131202-1647/20131202-164707-UpyrewUJd5QAADa6vqQAAAAH

--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.72.123.132 39248 5.9.119.148 80

--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Host: ht tp://www.website-is-changed.com
User-Agent: BOT/0.1 (BOT for JCE)
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Request: JSON
Content-Length: 70


--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}

--8b041d1a-F--
HTTP/1.1 301 Moved Permanently
X-Pingback: ht tp://www.website-is-changed.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.2.5
Location: ht tp://www.website-is-changed.com/?option=com_ ... 576&cid=20
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


--8b041d1a-H--
Message: [file "/usr/local/apache/modsecurity.d/20_asl_useragents.conf"] [line "86"] [id "330205"] [rev "2"] [msg "Atomicorp.com WAF Rules: Joomla Exploit Bot"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "bot for jce" at REQUEST_HEADERS:User-Agent.
Action: Intercepted (phase 2)
Stopwatch: 1385999227691891 217816 (- - -)
Stopwatch2: 1385999227691891 217816; combined=2300, p1=16, p2=2264, p3=0, p4=0, p5=20, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); 201312011202.
Server: Apache
Engine-Mode: "ENABLED"

The website doesn't use Joomla; it uses WP.
What does this message mean, or what must I do in the rules?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WAF 330205

Unread post by mikeshinn »

Thanks for the question. A bot has attacked your system, looking for a vulnerable component in Joomla:

POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1

The bad guys have no way to know the system isn't running Joomla until after they attack it, and ASL has blocked it. Which is good, because this means they want to do bad things to your system, and now they can't. Please see this blog post:

https://atomicorp.com/company/blogs/231-tripwires.html

Is there anything else we can help you with?
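To make the staff reply concrete, here is an added example (my code, not Atomicorp's rule set and not anything posted in this thread) that parses a ModSecurity 2.x serial audit-log entry like the one Shakall pasted and re-applies the only test the log message documents for rule 330205: a case-insensitive match of "bot for jce" against the User-Agent header. The real rule lives in 20_asl_useragents.conf, whose full text is not on this page, so nothing else about it is assumed. The second check, which flags a JCE imgmanager POST whose JSON body renames an uploaded file to a .php name, is my own addition, not part of rule 330205; it shows why the block is worth keeping on a WordPress site. The sample audit entry is constructed from the post (Host header simplified, and a second benign entry added) so the script runs offline.

```python
import re

# Constructed sample: the audit-log entry from the post, trimmed to parts A, B, C
# (request line, headers, body) plus the Z terminator. Host header simplified.
SAMPLE_AUDIT_ENTRY = """--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.72.123.132 39248 5.9.119.148 80

--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Host: www.website-is-changed.com
User-Agent: BOT/0.1 (BOT for JCE)
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Request: JSON
Content-Length: 70

--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}

--8b041d1a-Z--
"""

# Constructed benign entry (ordinary browser request) to show the rule not firing.
BENIGN_AUDIT_ENTRY = """--0a1b2c3d-A--
[02/Dec/2013:16:50:00 +0100] Vq3xZ1abcdEFGHijklMNop 203.0.113.10 51000 5.9.119.148 80

--0a1b2c3d-B--
GET /about/ HTTP/1.1
Host: www.website-is-changed.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

--0a1b2c3d-Z--
"""

# Boundary lines look like "--<boundary>-<PART>--" in the serial audit-log format.
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

# Pattern quoted in the rule 330205 message: "bot for jce" at REQUEST_HEADERS:User-Agent.
UA_PATTERN = re.compile(r"bot for jce", re.I)

# Assumption (mine, not rule 330205): the JCE imgmanager endpoint seen in the post.
JCE_IMGMANAGER_RE = re.compile(r"option=com_jce.*plugin=imgmanager", re.I)


def parse_audit_entry(text):
    """Split one serial audit-log entry into a dict of part letter -> part text."""
    parts = {}
    bounds = list(SECTION_RE.finditer(text))
    for i, m in enumerate(bounds):
        end = bounds[i + 1].start() if i + 1 < len(bounds) else len(text)
        parts[m.group(2)] = text[m.end():end].strip("\n")
    return parts


def parse_request(part_b):
    """Parse part B (request line + headers) into method, target and a header dict."""
    lines = part_b.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def evaluate(entry_text):
    """Re-run the documented User-Agent test (and my extra body check) on one entry."""
    parts = parse_audit_entry(entry_text)
    # Part A: "[timestamp] unique_id client_ip client_port server_ip server_port"
    client_ip = parts["A"].split("] ", 1)[1].split()[1]
    req = parse_request(parts["B"])
    findings = []

    # Phase-2 header test, as in the rule message from the post.
    if UA_PATTERN.search(req["headers"].get("user-agent", "")):
        findings.append(("330205", "Joomla Exploit Bot", "REQUEST_HEADERS:User-Agent"))

    # Added check (assumption): imgmanager folderRename that produces a .php filename.
    body = parts.get("C", "")
    if (req["method"] == "POST" and JCE_IMGMANAGER_RE.search(req["target"])
            and "folderRename" in body and re.search(r'"[^"]+\.php"', body)):
        findings.append(("jce-rename-to-php", "JCE imgmanager rename to .php", "REQUEST_BODY"))

    return {"client_ip": client_ip, "action": "deny" if findings else "pass", "findings": findings}


if __name__ == "__main__":
    for entry in (SAMPLE_AUDIT_ENTRY, BENIGN_AUDIT_ENTRY):
        print(evaluate(entry))
```

The point of the body check is the one the staff reply makes: the bot does not care what the site runs, and the payload it sends would turn a harmless-looking .gif into an executable .php if a vulnerable JCE were present, so a User-Agent match on a WordPress host is a true positive for hostile intent even though the exploit itself cannot succeed there. In a real deployment you would add the rename signature as a separate rule rather than editing 330205.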