Global Internet Threat and Attacks Report for August 10th

Customer support forums for the Atomicorp Threat Intelligence system. There is no such thing as a bad question here as long as it pertains to using the TI.
mikeshinn
Atomicorp Staff - Site Admin


Post by mikeshinn »

So here's what we're seeing the bad guys doing today, in terms of the most "popular" attacks so far across all reporting customers and honeypots:

Top 25 Attacks
Rule ID   # of attacks   Description
-----------------------------------------
392301 103017 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header (These are DoS attacks)
336468 24984 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
5706 22027 SSH insecure connection attempt (scan).
60910 7170 Very Slow Wordpress brute force login failures from same IP source.
3357 6984 Multiple rapid SASL authentication failures.
5712 6224 SSHD brute force trying to get access to the system.
60159 6015 Wordpress brute force (fast) login failures
171303 5763 Known brute force attacker.
393766 5447 Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt (this is a spam attempt)
4151 4644 Multiple Firewall drop events from same source.
5720 4558 Multiple SSHD authentication failures.
5551 2883 Multiple failed logins in a small period of time.
340162 2459 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
300079 2434 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (this is forum or blog spamming)
330131 2337 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
336461 1563 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
330701 1511 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack (This is shellshock)
5703 1198 Possible breakin attempt (high number of reverse lookup errors).
334009 1169 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
300066 1032 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
341245 1006 Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
11306 985 FTP brute force (multiple failed logins).
303800 849 Atomicorp.com WAF Rules: Fake Googlebot webcrawler (This is a known exploit bot trying to fake out software by pretending to be Google)
336460 817 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack
347008 808 Atomicorp.com WAF Rules: Suspicious deep path recursion denied

Top 25 Web attacks
Rule ID   # of attacks   Description
-----------------------------------------
392301 103017 Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header (these are DoS attacks)
336468 24984 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe
393766 5447 Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt (This is spam)
340162 2459 Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected
300079 2434 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (this is forum or blog spamming)
330131 2337 Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected
336461 1563 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible attempt to maliciously access wp-config.php file
330701 1511 Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack
334009 1169 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt
300066 1032 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
341245 1006 Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)
303800 849 Atomicorp.com WAF Rules: Fake Googlebot webcrawler
336460 817 Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack
347008 808 Atomicorp.com WAF Rules: Suspicious deep path recursion denied
340009 754 Atomicorp.com WAF Rules: Protected Path Access denied in URI/ARGS
390614 714 Atomicorp.com WAF Rules: Invalid character in ARGS
330034 695 Atomicorp.com WAF Rules: Vulnerability Scanner User agent detected (This is a known attack/hacking tool trying to attack a site)
340095 663 Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack.
340006 638 Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS
318811 590 Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory
381203 574 Atomicorp.com WAF Rules - Virtual Just In Time Patch: TimThumb Non Image Upload Attempt
300311 518 Atomicorp.com WAF AntiSpam Rules: Possible loan spam
330082 500 Atomicorp.com WAF Rules: Known Exploit User Agent
340016 424 Atomicorp.com WAF Rules: Possible SQL injection attempt detected
340361 386 Atomicorp.com WAF Rules: CONNECT method denied (these are people trying to misuse a system as a proxy, so they can hide their traffic through customers' websites)

Top 25 non-web attacks
Rule ID   # of attacks   Description
-----------------------------------------
5706 22027 SSH insecure connection attempt (scan).
60910 7170 Very Slow Wordpress brute force login failures from same IP source.
3357 6984 Multiple rapid SASL authentication failures.
5712 6224 SSHD brute force trying to get access to the system.
60159 6015 Wordpress brute force (fast) login failures
171303 5763 Known brute force attacker.
4151 4644 Multiple Firewall drop events from same source.
5720 4558 Multiple SSHD authentication failures.
5551 2883 Multiple failed logins in a small period of time.
5703 1198 Possible breakin attempt (high number of reverse lookup errors).
11306 985 FTP brute force (multiple failed logins).
31102 783 Possible DoS Consumption Attack
11254 667 Multiple attempts to login using a non-existent user.
3355 655 Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.
60904 516 Rapid SMTP password incorrect events from the same IP source.
60908 458 Very Slow Joomla brute force login failures from same IP source.
40114 350 Multiple authentication failures. (Slow Brute Force)
3912 339 Multiple failed logins, 6 failures in 60 seconds from the same IP.
60156 323 Joomla brute force (fast) login failures
3352 290 Multiple attempts to send e-mail from a rejected sender IP (access).
3356 259 Multiple attempts to send e-mail from black-listed IP address (blocked).
3359 215 Multiple SASL authentication failures.
3913 201 Multiple failed logins, 10 failures in 1 hour from the same IP.
40111 170 Multiple authentication failures.
9952 166 Vpopmail brute force (email harvesting).