Author Topic: after 3 years of peace with waf I have a malicious malware  (Read 350 times)

Offline jarecki74

  • Newbie
  • *
  • Posts: 9
after 3 years of peace with waf I have a malicious malware
« on: April 21, 2018, 02:04:43 AM »
after 3 years of peace with WAF I have a malicious malware :(

FILE HIT LIST:
{HEX}php.base64.v23au.186 : /public_html/profiles/favicon_24c0ce.ico


drupal 7.34 / cpanel with comodo waf

Offline jarecki74

  • Newbie
  • *
  • Posts: 9
Re: after 3 years of peace with waf I have a malicious malware
« Reply #1 on: April 22, 2018, 01:00:55 AM »
Today I have again this infection.
I
/public_html/misc/ui/images/favicon_3674bb.ico
==========================
Any suggestion with WAF configuration?

Looks like WAF doesn't detect this attack.

Offline SergeiP

  • Moderator
  • Comodo Loves me
  • *****
  • Posts: 163
Re: after 3 years of peace with waf I have a malicious malware
« Reply #2 on: April 23, 2018, 07:11:24 AM »
Hi jarecki74.
You can try to use:
https://cwatch.comodo.com/free-malware-removal-form.php
as part of:
https://cwatch.comodo.com/
where our specialists will clean your site from malware.

Strongly recommended to change all your credentials to exclude their leakage and the reason of reinfection. It is also possible that the infection was not from the web but by FTP or any other source.

Files with extensions ".ico" are usually whitelisted by firewalls to avoid false positives, so without collecting logs we can't determine the attack vector. You can change the "SecAuditEngine" setting of your firewall to "on" to log every request, to analyze and catch reinfection (if it was from the web).
Regards. 

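Since ".ico" files are often exempt from WAF inspection, a file-system check that verifies image-named files actually contain image data is a useful complement to the request logs. The following is an added example (not code from the thread, Comodo or Drupal): it walks a docroot and flags files with image extensions that lack the format's magic bytes or carry PHP markers, which is the kind of content the "php.base64" hit above refers to. Sample inputs in the test are constructed.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

# Magic bytes for image formats that commonly sit in a Drupal docroot.
IMAGE_MAGIC = {
    ".ico": (b"\x00\x00\x01\x00",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Markers that should never appear inside a genuine image: a PHP open tag, or
# the eval()/base64_decode() pairing that "php.base64" signatures are named after.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|eval\s*\(|base64_decode\s*\(", re.IGNORECASE)


def inspect_bytes(name: str, data: bytes) -> List[str]:
    """Return the reasons a file's bytes look like PHP hiding behind an image name."""
    reasons = []
    ext = Path(name).suffix.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        reasons.append(f"no {ext} magic bytes at offset 0")
    if PHP_MARKERS.search(data):
        reasons.append("contains PHP markers")
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a docroot and report image-named files that fail inspect_bytes()."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if Path(fn).suffix.lower() not in IMAGE_MAGIC:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(512 * 1024)  # the first 512 KiB is enough for this check
            reasons = inspect_bytes(fn, data)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    for path, why in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "; ".join(why))
```

Run it as `python scan_images.py /home/user/public_html` and review each flagged path by hand; a real favicon that has simply been damaged will show the magic-bytes reason without the PHP-markers reason.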
Offline Jerry78

  • Newbie
  • *
  • Posts: 4
Re: after 3 years of peace with waf I have a malicious malware
« Reply #3 on: April 23, 2018, 09:19:37 AM »
Hi,

Drupal versions 6, 7 and 8 can be exploited if you are not running the latest version.
See: https://www.drupal.org/sa-core-2018-002

Drupal released version 7.58
https://www.drupal.org/project/drupal/releases/7.58

Maybe Comodo can include the following rule to fight the exploit:
https://github.com/a2u/CVE-2018-7600/blob/master/ModSecurity.txt

Offline Jerry78

  • Newbie
  • *
  • Posts: 4
Re: after 3 years of peace with waf I have a malicious malware
« Reply #4 on: April 25, 2018, 03:11:53 AM »
Looks like they are releasing another update today (April 25th)
https://www.drupal.org/psa-2018-003
