WAF 340029

From Atomicorp Wiki
Revision as of 14:38, 12 December 2013 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Rule 340029
Status Active
Alert Message Atomicorp.com WAF Rules: Possible command in REQUEST_URI or Argument

Contents

Description

This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:

  • process management tools (kill, nice, etc.)
  • file management tools (cp, chown, rm, etc.)
  • shells (bash, tcsh, etc.)
  • compilers (gcc, c++, etc.)
  • web downloading tools (wget, curl, etc.)
  • interpreters (perl, php, etc.)
  • other downloading tools (scp, ftp, etc.)


attempt to access a PHP file in the /images/stories/ directory.  This directory is used by several CMS', including Joomla, to store image files.  Attackers also use this directory to hide shells and other malicious files as this directory is typically used to allow users to upload images associated with comments and articles.  Not all CMS' check to ensure that a file uploaded to this directory is not malicious.  PHP files should never be found in this directory, as these CMS' will never install or use PHP files in these directories.  

Some attack tools are known to blindly look for software tools and to see if it can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.

If your system is being targeted with these kinds of attacks we do not recommend you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.

Troubleshooting

False Positives

If your CMS is known to use this directory for PHP files, and is known to securely prevent users from uploading PHP files to this directory then this may be a false positive. Please check with your web application vendor to determine if this is true.

Tuning Guidance

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Blog Articles

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Personal tools