I have a problem.
Today I received this message on my Atomic:
Time: December 2, 2013 16:47:22
Rule: 330205 - null
Attacker: 198.72.123.132
Target: ht tp://www.website-is-changed.com
Log: /20131202/20131202-1647/20131202-164707-UpyrewUJd5QAADa6vqQAAAAH
--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.72.123.132 39248 5.9.119.148 80
--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Host: ht tp://www.website-is-changed.com
User-Agent: BOT/0.1 (BOT for JCE)
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Request: JSON
Content-Length: 70
--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
--8b041d1a-F--
HTTP/1.1 301 Moved Permanently
X-Pingback: ht tp://www.website-is-changed.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.2.5
Location: ht tp://www.website-is-changed.com/?option=com_ ... 576&cid=20
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
--8b041d1a-H--
Message: [file "/usr/local/apache/modsecurity.d/20_asl_useragents.conf"] [line "86"] [id "330205"] [rev "2"] [msg "Atomicorp.com WAF Rules: Joomla Exploit Bot"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "bot for jce" at REQUEST_HEADERS:User-Agent.
Action: Intercepted (phase 2)
Stopwatch: 1385999227691891 217816 (- - -)
Stopwatch2: 1385999227691891 217816; combined=2300, p1=16, p2=2264, p3=0, p4=0, p5=20, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); 201312011202.
Server: Apache
Engine-Mode: "ENABLED"
The website doesn't use Joomla; it uses WP.
What does this message mean, or what must I do in the rules?
WAF 330205
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: WAF 330205
Thanks for the question. A bot has attacked your system, looking for a vulnerable component in Joomla:
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
The bad guys have no way to know the system isn't running Joomla until after they attack it. And ASL has blocked it. Which is good, because this means they want to do bad things to your system, and now they can't. Please see this blog post:
https://atomicorp.com/company/blogs/231-tripwires.html
Is there anything else we can help you with?
Michael Shinn
Atomicorp - Security For Everyone
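As an added illustration, not code from the original thread, from Atomicorp or from ASL: a small Python script that parses one serial-format ModSecurity audit entry like the one quoted above and reduces it to the facts the reply gives (who sent it, what the request asked the JCE image manager to do, which rule fired on which variable, and that the request was intercepted). The sample entry is constructed from the post's log with placeholder host and IP addresses; the `site_cms` parameter, the `JCE_MARKERS` tuple and all function names are this example's own assumptions, not something ModSecurity or ASL provides.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample: one ModSecurity 2.x serial-format audit entry, modelled on the
# entry quoted in the post above. The host and IPs are documentation placeholders.
SAMPLE_AUDIT_LOG = """--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.51.100.7 39248 203.0.113.10 80
--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Host: www.example.com
User-Agent: BOT/0.1 (BOT for JCE)
Content-Type: application/x-www-form-urlencoded; charset=utf-8
--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
--8b041d1a-H--
Message: [file "/usr/local/apache/modsecurity.d/20_asl_useragents.conf"] [line "86"] [id "330205"] [rev "2"] [msg "Atomicorp.com WAF Rules: Joomla Exploit Bot"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "bot for jce" at REQUEST_HEADERS:User-Agent.
Action: Intercepted (phase 2)
--8b041d1a-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
SECTION_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)")
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
PATTERN_RE = re.compile(r'Pattern match "(?P<pat>[^"]*)" at (?P<var>\S+)\.')
JCE_MARKERS = ("option=com_jce", "plugin=imgmanager")  # assumed query-string tell-tales of the JCE image-manager request


def parse_audit_log(text):
    """Split a serial-format audit log on its --id-X-- boundaries into {"id", "sections"} dicts."""
    entries, current, letter, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            buf.append(line)
            continue
        if current is not None and letter is not None:
            current["sections"][letter] = "\n".join(buf).strip()
        tid, letter = m.group(1), m.group(2)
        if current is None or current["id"] != tid:
            current = {"id": tid, "sections": {}}
            entries.append(current)
        buf = []
    if current is not None and letter is not None:
        current["sections"][letter] = "\n".join(buf).strip()
    return entries


def parse_request(section_b):
    """Return (request line, lower-cased header dict) from section B."""
    lines = section_b.splitlines()
    headers = dict((k.strip().lower(), v.strip()) for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l))
    return (lines[0] if lines else ""), headers


def parse_body_action(section_c):
    """Decode the json= form field of the image-manager request into (fn, args)."""
    try:
        obj = json.loads(parse_qs(section_c).get("json", [""])[0])
    except ValueError:
        return None, []
    if not isinstance(obj, dict):
        return None, []
    return obj.get("fn"), [str(a) for a in obj.get("args", [])]


def parse_verdict(section_h):
    """Collect rule ids, matched (pattern, variable) pairs and the intercept flag from section H."""
    rule_ids, matched, intercepted = [], [], False
    for line in section_h.splitlines():
        if line.startswith("Message:"):
            tags = {m.group("key"): m.group("val") for m in TAG_RE.finditer(line)}
            rule_ids.append(tags.get("id", "?"))
            pm = PATTERN_RE.search(line)
            if pm:
                matched.append((pm.group("pat"), pm.group("var")))
        elif line.startswith("Action:") and "Intercepted" in line:
            intercepted = True
    return {"rule_ids": rule_ids, "matched": matched, "intercepted": intercepted}


def triage(entry, site_cms="WordPress"):
    """Who, what was asked for, was it blocked, and does the probe even target the installed CMS
    (site_cms is an assumed parameter; ModSecurity does not record it)."""
    s = entry["sections"]
    a = SECTION_A_RE.match(s.get("A", ""))
    request_line, headers = parse_request(s.get("B", ""))
    fn, args = parse_body_action(s.get("C", ""))
    verdict = parse_verdict(s.get("H", ""))
    ua = headers.get("user-agent", "")
    jce_probe = all(marker in request_line for marker in JCE_MARKERS)
    return {
        "transaction_id": entry["id"],
        "attacker": a.group("src") if a else None,
        "user_agent": ua,
        "ua_signature_hit": "bot for jce" in ua.lower(),  # the string rule 330205 keyed on
        "jce_probe": jce_probe,
        "body_fn": fn,
        # the quoted body asks the image manager to rename a .gif into a .php
        "rename_to_php": fn == "folderRename" and bool(args) and args[-1].lower().endswith(".php"),
        "rule_ids": verdict["rule_ids"],
        "matched": verdict["matched"],
        "blocked": verdict["intercepted"],
        # a JCE probe only threatens a Joomla install; the poster's site runs WordPress
        "applies_to_site": (site_cms.lower() == "joomla") if jce_probe else None,
    }
```

Run `triage(parse_audit_log(SAMPLE_AUDIT_LOG)[0])` to get a dict saying the request came from the placeholder attacker address, matched "bot for jce" in REQUEST_HEADERS:User-Agent under rule 330205, asked for a folderRename to a .php target, was intercepted, and does not apply to a WordPress site. Pointing `parse_audit_log` at a real serial audit log (with the `Z` terminator present, as ModSecurity writes it) splits it into one entry per transaction the same way.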