Global Internet Threat and Attacks Report for September 26th

Customer support forums for the Atomicorp Threat Intelligence system. There is no such thing as a bad question here as long as it pertains to using the TI.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4124
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Global Internet Threat and Attacks Report for September 26th

Unread post by mikeshinn »

Atomicorp Threat Intelligence RBL
Rule ID Count
-----------------------------------------
350052 35433 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-2 Match)
350053 26537 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-3 Match)
355501 11927 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL (TI-2). See this URL for details http://www.atomicrbl.com/lookup
350051 6524 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI Match)
350054 6065 Atomicorp.com WAF Rules: Threat Intelligence Match for known Attacker source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-4 Match)
355504 6006 Atomicorp.com WAF Rules: Threat Intelligence Match for Known attacker Source on Atomicorp Threat Intelligence RBL (TI-4). See this URL for details http://www.atomicrbl.com/lookup
355503 5763 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL (TI-3). See this URL for details http://www.atomicrbl.com/lookup
355500 3761 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL (TI-1). See this URL for details http://www.atomicrbl.com/lookup
350055 524 Atomicorp.com WAF Rules: Threat Intelligence Match for known multi event Attacker source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-5 Match)
355506 396 Atomicorp.com WAF Rules: Threat Intelligence Match for Known multi event attacker Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup


Top 25 Attacks (level 6+)
Rule ID Count
-----------------------------------------
5706 19154 SSH insecure connection attempt (scan).
392301 14598 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
60910 5995 Very Slow Wordpress brute force login failures from same IP source.
60159 5916 Wordpress brute force (fast) login failures
171303 5842 Known brute force attacker.
3357 5436 Multiple rapid SASL authentication failures.
5712 5344 SSHD brute force trying to get access to the system.
4151 5311 Multiple Firewall drop events from same source.
5720 4333 Multiple SSHD authentication failures.
330701 4158 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
300079 4147 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
330131 3501 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
340095 2262 Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
340162 2057 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
340006 1965 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
5551 1710 Multiple failed logins in a small period of time.
330034 1693 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
300066 1312 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
340016 1284 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
330082 1243 Atomicorp.com WAF Rules: Known Exploit User Agent
334009 1239 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
3355 1157 Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.
11306 1008 FTP brute force (multiple failed logins).
60904 969 Rapid SMTP password incorrect events from the same IP source.
390501 883 Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename


Top 25 Web Attacks (level 6+)
Rule ID Count
-----------------------------------------
392301 14598 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
330701 4158 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
300079 4147 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
330131 3501 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
340095 2262 Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
340162 2057 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
340006 1965 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
330034 1693 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
300066 1312 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
340016 1284 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
330082 1243 Atomicorp.com WAF Rules: Known Exploit User Agent
334009 1239 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
390501 883 Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename
341245 815 Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
303800 763 Atomicorp.com WAF Rules: Fake Googlebot webcrawler
318813 523 Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack
310098 514 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible WYSIJA exploit attempt
336461 489 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
347008 486 Atomicorp.com WAF Rules: Suspicious deep path recursion denied
336468 485 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
340155 437 Atomicorp.com WAF Rules: Generic SQL Injection protection
340148 436 Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack
340361 419 Atomicorp.com WAF Rules: CONNECT method denied
340195 414 Atomicorp.com WAF Rules: Possible Base64 Encoded PHP function in Argument - this may be an attack.
318811 360 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory

Top 25 Npn-Web attacks (level 6+)
Rule ID Count
-----------------------------------------
5706 19154 SSH insecure connection attempt (scan).
60910 5995 Very Slow Wordpress brute force login failures from same IP source.
60159 5916 Wordpress brute force (fast) login failures
171303 5842 Known brute force attacker.
3357 5436 Multiple rapid SASL authentication failures.
5712 5344 SSHD brute force trying to get access to the system.
4151 5311 Multiple Firewall drop events from same source.
5720 4333 Multiple SSHD authentication failures.
5551 1710 Multiple failed logins in a small period of time.
3355 1157 Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.
11306 1008 FTP brute force (multiple failed logins).
60904 969 Rapid SMTP password incorrect events from the same IP source.
5703 765 Possible breakin attempt (high number of reverse lookup errors).
11254 706 Multiple attempts to login using a non-existent user..
60908 512 Very Slow Joomla brute force login failures from same IP source.
9750 481 Dovecot Multiple Authentication Failures.
3356 470 Multiple attempts to send e-mail from black-listed IP address (blocked).
40111 432 Multiple authentication failures.
31102 369 Possible DoS Consumption Attack
3912 364 Multiple failed logins, 6 failures in 60 seconds from the same IP.
60156 268 Joomla brute force (fast) login failures
9952 224 Vpopmail brute force (email harvesting).
40114 213 Multiple authentication failures. (Slow Brute Force)
3359 180 Multiple SASL authentication failures.
3351 163 Multiple relaying attempts of spam.
Post Reply