UNA 13 Attack Problem
According to my ModSecurity Firewall on my server, I am getting attacks from the following two IP sources.
The targeted file of the attacks is:
template/images/icon/apple-touch-icon.png
Server side comment is:
"[id=332039] Atomicorp com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests."
Has anyone seen this before? And what would be the use in targeting this file?
Dannie Jackson
Sorry, it would not let me post the two IP addresses.
Andrey Yasko
Hey Dannie! Could you elaborate... in what circumstances are you getting this message? Not sure how this can be triggered by or related to UNA specifically.
Dannie Jackson, replying to Andrey Yasko
Someone somewhere appears to have tried to access the file listed above (template/images/icon/apple-touch-icon.png) and triggered my server security. Also, the server set the main directory to 744 instead of 755. I blocked the IP addresses associated with the attack, and changed the permissions of the main directory back to 755, and the Access Denied notice went away, and I got back onto the site. If someone else has this problem, check the main directory to see if the security suite of the server changed the permissions to the main directory. I run this on a server that is associated with my reseller panel account.
banister
The file which you mentioned is an image file, of course.
False positives are common with firewalls, however, malicious code can be attached (hidden) in image files. In fact, even a tiny ico file can contain a virus. Who would have known?
From the reversinglabs site:
Image formats can be as dangerous as executables, and Titanium Platform is a reliable partner that can quickly detect such embedded threats. Even though in most cases images are used as a non-executable container for the malware, there are instances where images can trigger execution if placed in an unexpected, misconfigured place. For example, the described PHP web shells placed on a vulnerable server.
This is why every piece of content entering a business network must be analyzed and checked for malicious content, regardless of the file format. Malware authors and threat actors will always look for blind spots where they can bypass defenses. Having detection gaps can lead to severe business operation interruption and cause brand damage.

Ok Banister that's interesting, I'll check the graphic file offline with Avast. And I will look into the Titanium Platform. If my server still has a record of the event, I will look at the two IPs that attempted to access the file. Thank you!
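The offline check that banister's point and the last reply lead to, as an added example that is not part of any post in this thread: walk the PNG chunk structure of the icon, verify each chunk CRC, and flag bytes appended after IEND or plain-text script markers, which is how an image can be a valid picture and a carrier at the same time. The icon bytes and the appended marker are constructed here, not taken from the thread.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Plain-text script markers that have no place in a static icon (constructed list).
SUSPICIOUS_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_png(data: bytes) -> dict:
    """Walk the chunk structure and report what does not belong in an image.
    'valid': signature present, every chunk CRC checks out, IEND reached.
    'trailing_bytes': bytes after IEND, a common place to tuck a payload.
    'markers': plain-text script markers seen anywhere in the file
    (payloads hidden inside compressed IDAT data are not detected here)."""
    report = {"valid": False, "trailing_bytes": 0, "markers": []}
    if not data.startswith(PNG_SIGNATURE):
        return report
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            return report  # truncated chunk
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return report  # corrupted or tampered chunk
        pos += 12 + length
        if ctype == b"IEND":
            report["valid"] = True
            report["trailing_bytes"] = len(data) - pos
            report["markers"] = [m.decode() for m in SUSPICIOUS_MARKERS if m in data]
            return report
    return report  # no IEND reached: not a complete PNG

def build_icon() -> bytes:
    """Constructed 1x1 RGB PNG standing in for apple-touch-icon.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_ICON = build_icon()
# Constructed sample: a valid image with text appended after IEND; browsers still render it.
TAMPERED_ICON = CLEAN_ICON + b"<?php /* constructed marker, not a real payload */ ?>"
```

A file that renders fine but reports trailing bytes or markers deserves a closer look; whether it could ever execute depends on the server never handing .png files to the PHP interpreter, which is the misconfiguration the quoted text refers to.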