What we're seeing the bad guys doing

Customer support forums for the Atomicorp Threat Intelligence system. There is no such thing as a bad question here as long as it pertains to using the TI.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Post by mikeshinn:

Using our Global Internet Threat Intelligence system we can report on what we see the bad guys doing across the Internet. We're working on regular reports we can share both automatically and with editorial content. We'll be releasing that soon. In the meantime, here's a quick summary of what we've seen in just the last 12 hours:

Top 25 types of attacks (all sources, last 12 hours):

RuleID   # of Attacks   Description
------   ------------   -----------
392301         209668   Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header (These are DOS attacks)
  5706          32595   SSH insecure connection attempt (scan).
  5712          13015   SSHD brute force trying to get access to the system.
171303          12875   Known brute force attacker. (this is an SMTP/POP/IMAP brute force attack)
393766          11788   Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt (Spammer)
 60910           9391   Very Slow Wordpress brute force login failures from same IP source.
  4151           7987   Multiple Firewall drop events from same source. (Firewall port scans, and connection attempts to blocked ports, like telnet)
 60159           6769   Wordpress brute force (fast) login failures
  3357           6624   Multiple rapid SASL authentication failures.
  5720           6015   Multiple SSHD authentication failures.
300079           5529   Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument
340162           4933   Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
 31102           4289   Possible DoS Consumption Attack
  5551           4106   Multiple failed logins in a small period of time.
336461           3149   Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
  5703           3148   Possible breakin attempt (high number of reverse lookup errors).
330131           3058   Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
340006           2548   Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
300066           2524   Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
334009           2337   Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
341245           1990   Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
 11306           1872   FTP brute force (multiple failed logins).
340095           1561   Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
303800           1499   Atomicorp.com WAF Rules: Fake Googlebot webcrawler
330082           1476   Atomicorp.com WAF Rules: Known Exploit User Agent


Top 25 web attacks (last 12 hours):

RuleID   # of Attacks   Description
------   ------------   -----------
392301         209668   Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header (These are DOS attacks)
393766          11788   Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt
300079           5529   Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument
340162           4933   Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
336461           3149   Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
330131           3058   Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
340006           2548   Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
300066           2524   Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
334009           2337   Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
341245           1990   Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
340095           1561   Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
303800           1499   Atomicorp.com WAF Rules: Fake Googlebot webcrawler
330082           1476   Atomicorp.com WAF Rules: Known Exploit User Agent
330034           1295   Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
381203            888   Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Non Image Upload Attempt
340148            802   Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack
336460            709   Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack
340165            685   Atomicorp.com WAF Rules: Uniencoded possible Remote File Injection attempt in URI (AE)
390614            682   Atomicorp.com WAF Rules: Invalid character in ARGS (this is usually an LFI attack)
300311            671   Atomicorp.com WAF AntiSpam Rules: Possible loan spam
318811            626   Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory
340016            591   Atomicorp.com WAF Rules: Possible SQL injection attempt detected
330036            541   Atomicorp.com WAF Rules: Suspicious User agent detected. Disable this rule if you use indy library. (this is almost always spam or a malicious bot)
336477            512   Atomicorp.com WAF Rules - Virtual Just In Time Patch: Magento Shoplift attack
347008            437   Atomicorp.com WAF Rules: Suspicious deep path recursion denied


Top 25 non-web attacks (last 12 hours):

RuleID   # of Attacks   Description
------   ------------   -----------
  5706          32595   SSH insecure connection attempt (scan).
  5712          13015   SSHD brute force trying to get access to the system.
171303          12875   Known brute force attacker.
 60910           9391   Very Slow Wordpress brute force login failures from same IP source.
  4151           7987   Multiple Firewall drop events from same source.
 60159           6769   Wordpress brute force (fast) login failures
  3357           6624   Multiple rapid SASL authentication failures.
  5720           6015   Multiple SSHD authentication failures.
 31102           4289   Possible DoS Consumption Attack
  5551           4106   Multiple failed logins in a small period of time.
  5703           3148   Possible breakin attempt (high number of reverse lookup errors).
 11306           1872   FTP brute force (multiple failed logins).
 11254           1271   Multiple attempts to login using a non-existent user.
  3912           1062   Multiple failed logins, 6 failures in 60 seconds from the same IP.
 40114            865   Multiple authentication failures. (Slow Brute Force)
 60904            826   Rapid SMTP password incorrect events from the same IP source.
 60908            581   Very Slow Joomla brute force login failures from same IP source.
 60156            456   Joomla brute force (fast) login failures
  3355            363   Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.
  3351            342   Multiple relaying attempts of spam.
  3356            338   Multiple attempts to send e-mail from black-listed IP address (blocked).
  9952            337   Vpopmail brute force (email harvesting).
  3359            316   Multiple SASL authentication failures.
 40111            286   Multiple authentication failures.
  9750            255   Dovecot Multiple Authentication Failures.

Currently we're tracking 331833 unique sources that are actively attacking systems right now. If you enable the TI in ASL, it will block these sources in real time. You can enable that feature with this option:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT

And you can look up attacker IPs at the URL below:

http://www.atomicrbl.com/

Or watch attacks happen globally on our map:

http://www.atomicrbl.com/map/
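As an added illustration of the kind of frequency rule behind entries like "Multiple failed logins, 6 failures in 60 seconds from the same IP" (rule 3912) and the "Very Slow ... brute force" rules in the non-web table: the script below is my own example, not ASL or Atomicorp rule code from the post above. It parses sshd-style "Failed password" lines, keeps a per-source sliding window, and flags a source once it reaches the failure threshold inside the window. The log lines, the hostname web01, the PIDs and the IP addresses (documentation ranges) are constructed for the example; the year is an assumption because syslog timestamps carry none.

```python
"""Sliding-window brute-force correlation over constructed sshd log lines.

Added example, not ASL/OSSEC rule code. Same logic run twice: a fast rule
(6 failures in 60 s) and a slow rule (6 failures in 10 min) catches the
low-and-slow source the fast rule misses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog format, no year). Host, PIDs and IPs are
# invented for the example; 203.0.113.7 hammers fast, 198.51.100.22 goes
# slowly, 192.0.2.9 fails only twice.
SAMPLE_LOG = """\
Mar 10 02:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 02:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 02:00:09 web01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51141 ssh2
Mar 10 02:00:13 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 02:00:17 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar 10 02:00:21 web01 sshd[1211]: Failed password for invalid user oracle from 203.0.113.7 port 51170 ssh2
Mar 10 02:00:40 web01 sshd[1213]: Accepted publickey for deploy from 192.0.2.9 port 40022 ssh2
Mar 10 02:01:00 web01 sshd[1215]: Failed password for root from 198.51.100.22 port 60001 ssh2
Mar 10 02:01:12 web01 sshd[1216]: Failed password for invalid user test from 192.0.2.9 port 40030 ssh2
Mar 10 02:01:30 web01 sshd[1217]: Failed password for root from 198.51.100.22 port 60002 ssh2
Mar 10 02:02:00 web01 sshd[1219]: Failed password for root from 198.51.100.22 port 60003 ssh2
Mar 10 02:02:30 web01 sshd[1221]: Failed password for root from 198.51.100.22 port 60004 ssh2
Mar 10 02:02:45 web01 sshd[1222]: Failed password for invalid user test from 192.0.2.9 port 40031 ssh2
Mar 10 02:03:00 web01 sshd[1223]: Failed password for root from 198.51.100.22 port 60005 ssh2
Mar 10 02:03:30 web01 sshd[1225]: Failed password for root from 198.51.100.22 port 60006 ssh2
"""

# Matches only failed-password lines; "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(text, year=2015):
    """Return chronologically sorted (timestamp, ip, user) tuples for every
    failed-password line. Syslog omits the year, so one is assumed (2015)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    events.sort(key=lambda e: e[0])  # the sliding window needs time order
    return events


def detect_bruteforce(events, threshold=6, window=60):
    """Flag every source IP that produced `threshold` or more failures inside
    any `window`-second span. Returns {ip: timestamp of the failure that
    tripped the rule}. A per-IP deque holds only failures still in window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, ip, _user in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts  # first time this source crossed the threshold
    return alerts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for label, thr, win in (("fast: 6 in 60 s", 6, 60), ("slow: 6 in 600 s", 6, 600)):
        hits = detect_bruteforce(evs, thr, win)
        print(label, {ip: t.strftime("%H:%M:%S") for ip, t in hits.items()})
```

Run as-is the fast rule flags only 203.0.113.7 (six failures in 20 seconds), while the slow rule also flags 198.51.100.22, whose six failures are spaced 30 seconds apart and never put more than three inside any 60-second window. That is exactly why a "fast" and a "very slow" variant of the same rule both appear in the table: a single short window lets a patient attacker stay under the threshold indefinitely.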