I need a solution
Log below - the attack involves WordPress, which is not running on this web-facing server, nor do any users access it directly. It seems like a bug in the way this is logged, as I can't see how the traffic originated internally.
Client Affected
Computer Name | |
Current: | Internal DNS |
When event occurred: | Internal DNS |
IP Address | |
Current: | Internal IP |
When event occurred: | Internal IP |
Local MAC: | N/A |
User Name: | none |
Operating system: | Windows Server 2008 R2 Standard Edition |
Location Name: | Default |
Domain Name: | Default |
Group Name: | My Company\Servers |
Server Name: | MANTUS |
Site Name: | Site MANTUS |
Risk Detected
Event Time: | 12/22/2015 06:02:02 |
Begin Time: | 12/22/2015 06:01:47 |
End Time: | 12/22/2015 06:01:47 |
Occurrence: | 1 |
Signature Name: | Web Attack: Wordpress Arbitrary File Download |
Signature ID: | 27847 |
Signature Sub ID: | 73066 |
Intrusion URL: | OurURL/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
Intrusion Payload URL: | N/A |
Event Description: | [SID: 27847] Web Attack: Wordpress Arbitrary File Download attack blocked. Traffic has been blocked for this application: SYSTEM |
Event Type: | Intrusion Prevention |
Hack Type: | 0 |
Severity: | Critical |
Application Name: | SYSTEM |
Network Protocol: | TCP |
Traffic Direction: | Outbound |
Remote IP: | 65.208.151.114 |
Remote MAC: | N/A |
Remote Host Name: | N/A |
Alert: | 1 |
Local Port: | 80 |
Remote Port: | 18469 |
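One way to read an alert like this mechanically, as an added example that is not from the original post or from the IPS vendor: it parses the "Field: | Value |" export into a dict and works out from the direction and the two port numbers which side opened the connection. The sample text is constructed from the values quoted above, and the heuristic (a listening web port locally plus an ephemeral port remotely means the local host was the server answering a request that came in from outside) is an assumption of mine, not something the product documents.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the relevant lines of the alert above, in the same
# "Field: | Value |" export layout (values copied from the post).
SAMPLE_ALERT = """\
Signature Name: | Web Attack: Wordpress Arbitrary File Download |
Intrusion URL: | OurURL/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
Event Description: | [SID: 27847] Web Attack: Wordpress Arbitrary File Download attack blocked. Traffic has been blocked for this application: SYSTEM |
Traffic Direction: | Outbound |
Remote IP: | 65.208.151.114 |
Local Port: | 80 |
Remote Port: | 18469 |
"""

# Assumed: the IPS reports direction from the local host's point of view.
LISTENING_WEB_PORTS = {80, 443}


def parse_alert(text):
    """Turn the flattened 'Field: | Value |' lines into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        key, value = line.split("|", 2)[:2]
        fields[key.strip().rstrip(":").strip()] = value.strip()
    return fields


def classify_alert(fields):
    """Work out who opened the connection and what the flagged request asked for."""
    local_port = int(fields["Local Port"])
    remote_port = int(fields["Remote Port"])
    direction = fields.get("Traffic Direction", "").lower()
    # Local port 80 is the host's own listening port and the remote port is
    # ephemeral, so the remote host sent the request in; an "Outbound" event
    # in that situation is the local web service's reply being inspected.
    local_is_server = local_port in LISTENING_WEB_PORTS and remote_port > 1023
    query = parse_qs(urlparse(fields.get("Intrusion URL", "")).query)
    return {
        "local_role": "server" if local_is_server else "client",
        "initiated_by": "remote host" if local_is_server else "local host",
        "flagged_traffic": "local reply to an inbound request"
        if local_is_server and direction == "outbound" else direction,
        "remote_ip": fields.get("Remote IP", ""),
        "requested_file": query.get("img", [""])[0],
        # "../" in a query value is the directory-traversal pattern the signature targets
        "path_traversal": any("../" in v for vals in query.values() for v in vals),
        "blocked": "blocked" in fields.get("Event Description", "").lower(),
    }
```

Checking the web server's own access log for the remote IP at the event time will confirm whether the request reached port 80 from outside, which is what this classification predicts.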