Difference between revisions of "WAF 330205"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1 = Rule 330205 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Atomicorp.com WAF Rules: Joomla Exploit Bot }} = Description = This rule ...")
 
m
 
(3 intermediate revisions by one user not shown)
Line 11: Line 11:
 
This rule detects a known malicious attack tool.  If your system is getting alerts on this rule your system is being attacked.  This is not a false positive.
 
This rule detects a known malicious attack tool.  If your system is getting alerts on this rule your system is being attacked.  This is not a false positive.
  
The rule detects the "Bot for JCE" attack tool.  This tool looks for vulnerable Joomla installations.  It does this blindly, which means it just attacks the system and if a vulnerable Joomla install is detected on the system the system will be compromised, if this rule is disabled.   
+
The rule detects the "Bot for JCE" attack tool.  This attack tool identifies itself, which makes its very easy to detect, and means that there can not be a false positive for this rule.  Only this attack bot identifies itself as "Bot for JCE".  The bot attacks vulnerable Joomla installations that have a vulnerable version of the JCE Joomla Extension Remote File Upload installed'''This bot attacks blindly.'''  That means it just attacks the system ''without checking'' to see if Joomla is installed on the system and if a vulnerable JCE extension is installed.    This means this attack tool also indiscriminately attacks systems that do not have Joomla installed.
 +
 
 +
If your system is being targeted with this tool we do not recommend you disable this rule, even if you do not have Joomla installed.  This rule is telling you that someone is attacking your system, you should block this sourcePlease see the [https://atomicorp.com/company/blogs/231-tripwires.html blog post] referenced below for information about leaving rules enabled for applications you may not have installed.
 +
 
 
= Troubleshooting =
 
= Troubleshooting =
  

Latest revision as of 13:14, 12 December 2013

Rule 330205
Status Active
Alert Message Atomicorp.com WAF Rules: Joomla Exploit Bot

Contents

[edit] Description

This rule detects a known malicious attack tool. If your system is getting alerts on this rule your system is being attacked. This is not a false positive.

The rule detects the "Bot for JCE" attack tool. This attack tool identifies itself, which makes its very easy to detect, and means that there can not be a false positive for this rule. Only this attack bot identifies itself as "Bot for JCE". The bot attacks vulnerable Joomla installations that have a vulnerable version of the JCE Joomla Extension Remote File Upload installed. This bot attacks blindly. That means it just attacks the system without checking to see if Joomla is installed on the system and if a vulnerable JCE extension is installed. This means this attack tool also indiscriminately attacks systems that do not have Joomla installed.

If your system is being targeted with this tool we do not recommend you disable this rule, even if you do not have Joomla installed. This rule is telling you that someone is attacking your system, you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.

[edit] Troubleshooting

[edit] False Positives

None. This rule detects a known malicious attack tool. If your system is getting alerts on this rule your system is being attacked. This is not a false positive.

[edit] Tuning Guidance

None. Do not disable this rule.

[edit] Additional Information

[edit] Blog Articles

Detection and Tripwires

[edit] Similar Rules

None.

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes

Personal tools