After 3 years of peace with WAF I have malicious malware

After 3 years of peace with WAF I have malicious malware :frowning:

FILE HIT LIST:
{HEX}php.base64.v23au.186 : /public_html/profiles/favicon_24c0ce.ico

Drupal 7.34 / cPanel with Comodo WAF

Today I have this infection again.
I
/public_html/misc/ui/images/favicon_3674bb.ico

Any suggestion for the WAF configuration?

Looks like the WAF doesn't detect this attack.

Hi jarecki74,
You can try to use:

as part of:

where our specialists will clean your site from malware.

Strongly recommended to change all your credentials, to rule out their leakage as the reason for reinfection. It is also possible that the infection did not come from the web but via FTP or some other source.

Files with the extension ".ico" are usually whitelisted by firewalls to avoid false positives, so without collecting logs we can't determine the attack vector. You can change the "SecAuditEngine" setting of your firewall to "On" to log every request, so the reinfection can be analyzed and caught (if it came from the web).
Regards.

Hi,

Drupal versions 6, 7 and 8 can be exploited if you are not running the latest version.
See: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 | Drupal.org

Drupal released version 7.58
https://www.drupal.org/project/drupal/releases/7.58

Maybe Comodo can include the following rule to fight the exploit:

Looks like they are releasing another update today (April 25th)
https://www.drupal.org/psa-2018-003

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.0.html;msg875913#new
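Once SecAuditEngine is set to On (rather than the default RelevantOnly), the ModSecurity audit log holds every transaction, including requests the rule set never blocked, so the reinfection path can be reconstructed after the fact. The script below is an added example, not code from this thread, from Comodo, or from Drupal: it parses a ModSecurity serial audit log (the `--id-A--` ... `--id-Z--` section format) and flags two indicators discussed in this thread: request parameters whose key or sub-key starts with `#` (the Form API render-array injection shape behind SA-CORE-2018-002), and parameter values carrying base64-encoded PHP, with a lower-confidence note when a body parameter names an `.ico` path. The audit log, transaction ids, addresses and the PHP stager are constructed for the example; the first transaction is modelled on the publicly described `#post_render` request pattern, not on any log from the poster's site. Expect a large log and real disk cost with SecAuditEngine On on a busy host.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed payload: a PHP stager as it would appear base64-encoded inside a
# request parameter. Built at runtime so the sample log is always consistent.
_STAGER_B64 = base64.b64encode(b"<?php eval(base64_decode($_POST['c']));").decode()

# Constructed ModSecurity serial audit log (SecAuditLogType Serial) with three
# transactions. Ids, addresses and timestamps are made up. The first request
# is shaped like the published SA-CORE-2018-002 pattern: render-array keys
# beginning with '#' smuggled through Form API input on an AJAX endpoint.
SAMPLE_AUDIT_LOG = f"""--1a2b3c4d-A--
[25/Apr/2018:10:15:01 +0000] WuBQ4X8AAQEAAFJ4x9MAAAAA 203.0.113.5 51234 198.51.100.10 80
--1a2b3c4d-B--
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

--1a2b3c4d-C--
form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=id
--1a2b3c4d-Z--

--5e6f7a8b-A--
[25/Apr/2018:10:15:03 +0000] WuBQ538AAQEAAFJ4x9QAAAAB 203.0.113.5 51235 198.51.100.10 80
--5e6f7a8b-B--
POST /sites/default/files/up.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

--5e6f7a8b-C--
f=misc%2Fui%2Fimages%2Ffavicon_3674bb.ico&d={quote(_STAGER_B64, safe="")}
--5e6f7a8b-Z--

--9c8d7e6f-A--
[25/Apr/2018:10:16:00 +0000] WuBRIH8AAQEAAFJ4x9UAAAAC 198.51.100.77 40000 198.51.100.10 80
--9c8d7e6f-B--
GET /misc/favicon.ico HTTP/1.1
Host: www.example.com

--9c8d7e6f-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
RENDER_KEY_RE = re.compile(r"(^|\[)#")              # '#'-prefixed key or sub-key
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # candidate base64 runs
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")


def parse_audit_log(text):
    """Split a serial audit log into {tx_id: {section_letter: body}} in file order."""
    parts = SECTION_RE.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    txs = {}
    for i in range(1, len(parts), 3):
        tx_id, letter, body = parts[i], parts[i + 1], parts[i + 2]
        txs.setdefault(tx_id, {})[letter] = body.strip("\n")
    return txs


def decoded_php_markers(value):
    """Return the PHP markers found inside base64 runs of one parameter value."""
    found = []
    for run in B64_RUN_RE.findall(value):
        run = run.rstrip("=")
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not decodable base64 after all
        found.extend(m.decode() for m in PHP_MARKERS if m in raw)
    return found


@dataclass
class Finding:
    tx_id: str
    client_ip: str
    request_line: str
    reasons: list


def inspect_transaction(tx_id, sections):
    """Apply the indicators to one transaction's A (audit header), B (request) and C (body) sections."""
    a_fields = sections.get("A", "").split()
    client_ip = a_fields[3] if len(a_fields) > 3 else "?"  # [ts] unique_id src_ip src_port dst_ip dst_port
    b_lines = sections.get("B", "").splitlines()
    request_line = b_lines[0] if b_lines else ""
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in b_lines[1:] if ":" in h)}
    target = request_line.split(" ")[1] if " " in request_line else ""
    params = [("query", k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += [("body", k, v) for k, v in parse_qsl(sections.get("C", ""), keep_blank_values=True)]
    reasons = []
    for where, key, value in params:
        if RENDER_KEY_RE.search(key):
            reasons.append(f"render-array key in {where}: {key}")
        markers = decoded_php_markers(value)
        if markers:
            reasons.append(f"base64-encoded PHP in {where} param {key}: {', '.join(markers)}")
        if where == "body" and value.lower().endswith(".ico"):
            reasons.append(f"body param {key} names an .ico path: {value}")
    return Finding(tx_id, client_ip, request_line, reasons)


def analyze(text):
    """Return a Finding for every transaction that triggered at least one indicator."""
    return [f for f in (inspect_transaction(t, s) for t, s in parse_audit_log(text).items()) if f.reasons]


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(f"{f.tx_id} {f.client_ip} {f.request_line}")
        for reason in f.reasons:
            print("   ", reason)
```

Run it against a real `modsec_audit.log` by replacing `SAMPLE_AUDIT_LOG` with the file contents; the plain `GET /misc/favicon.ico` transaction produces no finding, which is the point: the `.ico` extension alone is not the indicator, the request that wrote the file is.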