WAF Rule ID 391111


Alert message: Atomicorp.com WAF Rules: Cryptomalware attack blocked

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status:

Action: pass

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

Description:

Atomicorp.com WAF Rules: Cryptomalware attack blocked

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390145


Alert message: Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 11

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390902


Alert message: Atomicorp.com WAF Rules: Possible Unauthorized Download Client

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Unauthorized Download Client

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 318812


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in images directory

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects an attempt to access a PHP file in the /images/stories/ directory. This directory is used by several CMSs, including Joomla, to store image files. Attackers also use this directory to hide web shells and other malicious files, because it is typically writable so that users can upload images attached to comments and articles, and not all CMSs check that a file uploaded there is not malicious. PHP files should never be found in this directory, as these CMSs never install or execute PHP files from it.

Some attack tools are known to blindly look for installed shells in these directories. Therefore, the fact that this rule is triggered does not mean that a malicious file has been installed on the system.

If your system is being targeted with this tool, we do not recommend that you disable this rule, even if you do not have Joomla installed. This rule may be telling you that someone is attacking your system, and therefore you should block the source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.

Troubleshooting:

False Positives:

If your CMS is known to use this directory for PHP files, and is known to securely prevent users from uploading PHP files to this directory, then this may be a false positive. Please check with your web application vendor to determine whether this is the case.

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 318814


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

  • removeWhitespace

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 318912


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340153


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 342153


Alert message: Atomicorp.com WAF Rules: Attempt to inject code into wordpress

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attempt to inject code into wordpress

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 342154


Alert message: Atomicorp.com WAF Rules: Known vBulletin backdoor

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Known vBulletin backdoor

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 318813


Alert message: Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340033


Alert message: Atomicorp.com WAF Rules: Possible attempt to run malware

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible attempt to run malware

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 392146


Alert message: Atomicorp.com WAF Rules: Backdoor or shell access blocked

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version:

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Backdoor or shell access blocked

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 391150


Alert message: Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 6

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 391158


Alert message: Atomicorp.com WAF Rules: PHP c99 webshell

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Alert (HIDS: 10)

HTTP Protocol Phase: 2

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340004


Alert message: Atomicorp.com WAF Rules: Possible cloaked Solarwinds malware on system

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393150


Alert message: Atomicorp.com WAF Rules: Possible cloaked malware on system

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible cloaked malware on system

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393151


Alert message: Atomicorp.com WAF Rules: Possible cloaked malware on system

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible cloaked malware on system

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393152


Alert message: Atomicorp.com WAF Rules: Possible web shell blocked on system

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible web shell blocked on system

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390150


Alert message: Atomicorp.com WAF Rules: Possible spamtool installed on system

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: pass

Transforms:

Log Types:

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390900


Alert message: Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 12

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390149


Alert message: Atomicorp.com WAF Rules: Possible remote shell or bot access denied

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 57

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 392149


Alert message: Atomicorp.com WAF Rules: Possible compromised website detected and 404 sent to user

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Options: No active Response

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390801


Alert message: Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390803


Alert message: Atomicorp.com WAF Rules: Known Wormsign

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Known Wormsign

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390810


Alert message: Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • hexDecode

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390811


Alert message: Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390802


Alert message: Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 500

Action: deny

Transforms:

  • cmdLine

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390903


Alert message: Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 3

HTTP Status: 404

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390904


Alert message: Atomicorp.com WAF Rules: Possible Shell Command Attempt

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 15

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Shell Command Attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390905


Alert message: Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 318811


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 316812


Alert message: Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory

Rule Class: Generic Attack Ruleset (50_asl_rootkits.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 404

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the Atomicorp WAF Rules page.

Additional Information:

Similar rules:

None.

Outside References:

None.