Global Internet Threat and Attacks Report for September 29th

Customer support forums for the Atomicorp Threat Intelligence system. There is no such thing as a bad question here as long as it pertains to using the TI.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4124
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Global Internet Threat and Attacks Report for September 29th

Unread post by mikeshinn »

Atomicorp Threat Intelligence RBL
Rule ID Count
-----------------------------------------
350052 21087 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-2 Match)
350053 13718 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-3 Match)
355501 10164 Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL (TI-2). See this URL for details http://www.atomicrbl.com/lookup
350051 9174 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI Match)
355503 8462 Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL (TI-3). See this URL for details http://www.atomicrbl.com/lookup
350054 3311 Atomicorp.com WAF Rules: Threat Intelligence Match for known Attacker source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-4 Match)
355500 3286 Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL (TI-1). See this URL for details http://www.atomicrbl.com/lookup
355504 3248 Atomicorp.com WAF Rules: Threat Intelligence Match for Known attacker Source on Atomicorp Threat Intelligence RBL (TI-4). See this URL for details http://www.atomicrbl.com/lookup
350055 967 Atomicorp.com WAF Rules: Threat Intelligence Match for known multi event Attacker source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup (Previous TI-5 Match)
355506 611 Atomicorp.com WAF Rules: Threat Intelligence Match for Known multi event attacker Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup


Top 25 Rules (level 6+)
Rule ID Count
-----------------------------------------
5706 18960 SSH insecure connection attempt (scan).
392301 11383 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
336468 9700 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
171303 6944 Known brute force attacker.
60910 6834 Very Slow Wordpress brute force login failures from same IP source.
5712 6174 SSHD brute force trying to get access to the system.
4151 6096 Multiple Firewall drop events from same source.
60159 5923 Wordpress brute force (fast) login failures
330131 5178 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
5720 5051 Multiple SSHD authentication failures.
340006 4555 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
300079 4287 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
3357 4260 Multiple rapid SASL authentication failures.
330701 3278 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
334009 2871 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
390613 2170 Atomicorp.com WAF Rules: Invalid character in request or headers
340162 2065 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
5551 1983 Multiple failed logins in a small period of time.
60904 1927 Rapid SMTP password incorrect events from the same IP source.
330082 1661 Atomicorp.com WAF Rules: Known Exploit User Agent
330034 1333 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
347008 1291 Atomicorp.com WAF Rules: Suspicious deep path recursion denied
303800 1250 Atomicorp.com WAF Rules: Fake Googlebot webcrawler
11306 1124 FTP brute force (multiple failed logins).
336461 1075 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file


Top 25 WAF Rules (level 6+)
Rule ID Count
-----------------------------------------
392301 11383 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header
336468 9700 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
330131 5178 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
340006 4555 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
300079 4287 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
330701 3278 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
334009 2871 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
390613 2170 Atomicorp.com WAF Rules: Invalid character in request or headers
340162 2065 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
330082 1661 Atomicorp.com WAF Rules: Known Exploit User Agent
330034 1333 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected
347008 1291 Atomicorp.com WAF Rules: Suspicious deep path recursion denied
303800 1250 Atomicorp.com WAF Rules: Fake Googlebot webcrawler
336461 1075 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
340009 1020 Atomicorp.com WAF Rules: Protected Path Access denied in URI/ARGS
390614 1019 Atomicorp.com WAF Rules: Invalid character in ARGS
340016 991 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
341245 901 Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
340095 777 Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
300066 677 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
390501 498 Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename
330036 470 Atomicorp.com WAF Rules: Suspicious User agent detected. Disable this rule if you use indy library.
300311 413 Atomicorp.com WAF AntiSpam Rules: Possible loan spam
340195 395 Atomicorp.com WAF Rules: Possible Base64 Encoded PHP function in Argument - this may be an attack.
381203 374 Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Non Image Upload Attempt


Top 25 HIDS Rules (level 6+)
Rule ID Count
-----------------------------------------
5706 18960 SSH insecure connection attempt (scan).
171303 6944 Known brute force attacker.
60910 6834 Very Slow Wordpress brute force login failures from same IP source.
5712 6174 SSHD brute force trying to get access to the system.
4151 6096 Multiple Firewall drop events from same source.
60159 5923 Wordpress brute force (fast) login failures
5720 5051 Multiple SSHD authentication failures.
3357 4260 Multiple rapid SASL authentication failures.
5551 1983 Multiple failed logins in a small period of time.
60904 1927 Rapid SMTP password incorrect events from the same IP source.
11306 1124 FTP brute force (multiple failed logins).
5703 992 Possible breakin attempt (high number of reverse lookup errors).
40111 955 Multiple authentication failures.
31102 931 Possible DoS Consumption Attack
11254 920 Multiple attempts to login using a non-existent user..
3355 888 Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.
3356 857 Multiple attempts to send e-mail from black-listed IP address (blocked).
3912 673 Multiple failed logins, 6 failures in 60 seconds from the same IP.
60908 604 Very Slow Joomla brute force login failures from same IP source.
9750 556 Dovecot Multiple Authentication Failures.
60156 358 Joomla brute force (fast) login failures
3351 331 Multiple relaying attempts of spam.
171005 261 Multiple rapid Exim authentication failures.
5701 247 Possible attack on the ssh server (or version gathering).
9952 227 Vpopmail brute force (email harvesting).
Post Reply