WAF 330205
Posted: Mon Dec 02, 2013 12:51 pm
I have a problem.
Today I got this message on my Atomic:
Time: December 2, 2013 16:47:22
Rule: 330205 - null
Attacker: 198.72.123.132
Target: ht tp://www.website-is-changed.com
Log: /20131202/20131202-1647/20131202-164707-UpyrewUJd5QAADa6vqQAAAAH
--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.72.123.132 39248 5.9.119.148 80
--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
Host: ht tp://www.website-is-changed.com
User-Agent: BOT/0.1 (BOT for JCE)
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Request: JSON
Content-Length: 70
--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
--8b041d1a-F--
HTTP/1.1 301 Moved Permanently
X-Pingback: ht tp://www.website-is-changed.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.2.5
Location: ht tp://www.website-is-changed.com/?option=com_ ... 576&cid=20
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
--8b041d1a-H--
Message: [file "/usr/local/apache/modsecurity.d/20_asl_useragents.conf"] [line "86"] [id "330205"] [rev "2"] [msg "Atomicorp.com WAF Rules: Joomla Exploit Bot"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "bot for jce" at REQUEST_HEADERS:User-Agent.
Action: Intercepted (phase 2)
Stopwatch: 1385999227691891 217816 (- - -)
Stopwatch2: 1385999227691891 217816; combined=2300, p1=16, p2=2264, p3=0, p4=0, p5=20, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); 201312011202.
Server: Apache
Engine-Mode: "ENABLED"
The website doesn't use Joomla; it uses WP.
What does this message mean, or what must I do in the rules?
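Added example, not part of the original post: a small Python parser for the ModSecurity audit log entry quoted above, reporting which rule fired, which request variable it matched, and whether the request was blocked. The sample is an abbreviated copy of the log in the post, constructed for this example; the function names are illustrative.

```python
import re

# Constructed sample: an abbreviated copy of the audit log entry quoted in the post.
SAMPLE = """--8b041d1a-A--
[02/Dec/2013:16:47:07 +0100] UpyrewUJd5QAADa6vqQAAAAH 198.72.123.132 39248 5.9.119.148 80
--8b041d1a-B--
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1
User-Agent: BOT/0.1 (BOT for JCE)
--8b041d1a-C--
json={"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
--8b041d1a-H--
Message: [file "/usr/local/apache/modsecurity.d/20_asl_useragents.conf"] [line "86"] [id "330205"] [rev "2"] [msg "Atomicorp.com WAF Rules: Joomla Exploit Bot"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "bot for jce" at REQUEST_HEADERS:User-Agent.
Action: Intercepted (phase 2)
"""

# Audit log parts are delimited by lines of the form --<boundary>-<letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_sections(entry):
    """Map each section letter (A, B, C, F, H ...) to its lines."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def summarize(entry):
    """Pull out the rule metadata and the request variable that matched."""
    sec = split_sections(entry)
    message = next((l for l in sec.get("H", []) if l.startswith("Message:")), "")
    tags = dict(re.findall(r'\[(\w+) "([^"]*)"\]', message))
    match = re.search(r'Pattern match "([^"]*)" at ([A-Z_]+(?::[\w-]+)?)', message)
    action = next((l for l in sec.get("H", []) if l.startswith("Action:")), "")
    return {
        "rule_id": tags.get("id"),
        "msg": tags.get("msg"),
        "pattern": match.group(1) if match else None,
        "matched_on": match.group(2) if match else None,
        "blocked": "Intercepted" in action,
        "request": (sec.get("B") or [""])[0],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For this entry the summary shows rule 330205 matching on `REQUEST_HEADERS:User-Agent` with the action `Intercepted`, so the match is on the client's header and does not depend on which CMS the site runs.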