Global Internet Threat and Attacks Report for September 14th

Customer support forums for the Atomicorp Threat Intelligence system. There is no such thing as a bad question here as long as it pertains to using the TI.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4124
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Global Internet Threat and Attacks Report for September 14th

Unread post by mikeshinn »

We're adding in counts now for attackers stopped by the threat intelligence system. If you arent using this yet, we highly recommend it. On our honey pots we're seeing over 80% of all attacks are stopped by the threat intelligence rules before the attacker can even launch an attack. Its available for both ASL and rules-only customers and More details about enabling this feature are available at the URL below:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT

Atomicorp Threat Intelligence RBL
Rule ID Count
-----------------------------------------
350051 29418 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL.
350052 26619 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL.
350053 25062 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL.
355501 14321 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL (TI-2).
355500 8844 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL (TI-1).
355503 8671 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL (TI-3).
350054 3705 Atomicorp.com WAF Rules: Threat Intelligence Match for known Attacker source on Atomicorp Threat Intelligence RBL.
355504 2934 Atomicorp.com WAF Rules: Threat Intelligence Match for Known attacker Source on Atomicorp Threat Intelligence RBL (TI-4).
350055 1940 Atomicorp.com WAF Rules: Threat Intelligence Match for known multi event Attacker source on Atomicorp Threat Intelligence RBL.
355506 1423 Atomicorp.com WAF Rules: Threat Intelligence Match for Known multi event attacker Source on Atomicorp Threat Intelligence RBL.

Top 25 Rules (level 6+)
Rule ID Count
-----------------------------------------
5706 18145 SSH insecure connection attempt (scan).
392301 14484 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
60910 8532 Very Slow Wordpress brute force login failures from same IP source.
330701 6864 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
330131 6747 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
60159 6430 Wordpress brute force (fast) login failures
3357 5745 Multiple rapid SASL authentication failures.
171303 5730 Known brute force attacker.
4151 5647 Multiple Firewall drop events from same source.
334009 5291 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
5720 4005 Multiple SSHD authentication failures.
5712 3540 SSHD brute force trying to get access to the system.
300079 3233 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
340162 2712 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
31102 2207 Possible DoS Consumption Attack
5551 1940 Multiple failed logins in a small period of time.
11306 1923 FTP brute force (multiple failed logins).
60904 1907 Rapid SMTP password incorrect events from the same IP source.
3351 1764 Multiple relaying attempts of spam.
3912 1751 Multiple failed logins, 6 failures in 60 seconds from the same IP.
390614 1638 Atomicorp.com WAF Rules: Invalid character in ARGS
336468 1553 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
340016 1545 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
330034 1394 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
11254 1324 Multiple attempts to login using a non-existent user..


Top 25 WAF Rules (level 6+)
Rule ID Count
-----------------------------------------
392301 14484 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
330701 6864 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
330131 6747 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
334009 5291 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
300079 3233 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
340162 2712 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
390614 1638 Atomicorp.com WAF Rules: Invalid character in ARGS
336468 1553 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
340016 1545 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
330034 1394 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
341245 1130 Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
340006 1071 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
340095 1060 Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
330082 911 Atomicorp.com WAF Rules: Known Exploit User Agent
336460 894 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack
300066 890 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
340008 847 Atomicorp.com WAF Rules: Bogus Path denied
303800 841 Atomicorp.com WAF Rules: Fake Googlebot webcrawler
390501 713 Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename
347008 653 Atomicorp.com WAF Rules: Suspicious deep path recursion denied
336461 632 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
340195 524 Atomicorp.com WAF Rules: Possible Base64 Encoded PHP function in Argument - this may be an attack.
318811 429 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory
393766 382 Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt
333301 351 Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site


Top 25 HIDS Rules (level 6+)
Rule ID Count
-----------------------------------------
5706 18145 SSH insecure connection attempt (scan).
60910 8532 Very Slow Wordpress brute force login failures from same IP source.
60159 6430 Wordpress brute force (fast) login failures
3357 5745 Multiple rapid SASL authentication failures.
171303 5730 Known brute force attacker.
4151 5647 Multiple Firewall drop events from same source.
5720 4005 Multiple SSHD authentication failures.
5712 3540 SSHD brute force trying to get access to the system.
31102 2207 Possible DoS Consumption Attack
5551 1940 Multiple failed logins in a small period of time.
11306 1923 FTP brute force (multiple failed logins).
60904 1907 Rapid SMTP password incorrect events from the same IP source.
3351 1764 Multiple relaying attempts of spam.
3912 1751 Multiple failed logins, 6 failures in 60 seconds from the same IP.
11254 1324 Multiple attempts to login using a non-existent user..
3356 1109 Multiple attempts to send e-mail from black-listed IP address (blocked).
5703 566 Possible breakin attempt (high number of reverse lookup errors).
3913 460 Multiple failed logins, 10 failures in 1 hour from the same IP.
3352 421 Multiple attempts to send e-mail from a rejected sender IP (access).
9750 413 Dovecot Multiple Authentication Failures.
40111 406 Multiple authentication failures.
40114 372 Multiple authentication failures. (Slow Brute Force)
60908 264 Very Slow Joomla brute force login failures from same IP source.
9952 248 Vpopmail brute force (email harvesting).
171005 207 Multiple rapid Exim authentication failures.
Post Reply