I need a solution
Log below - the attack involves word press which is not running on this web facing server, nor do any users access it directly. It seems like a bug in the way this is logged as I can't see how the traffic originated internally.
Client Affected
| Computer Name | |
| Current: | Internal DNS |
| When event occurred: | Internal DNS |
| IP Address | |
| Current: | Internal IP |
| When event occurred: | Internal IP |
| Local MAC: | N/A |
| User Name: | none |
| Operating system: | Windows Server 2008 R2 Standard Edition |
| Location Name: | Default |
| Domain Name: | Default |
| Group Name: | My Company\Servers |
| Server Name: | MANTUS |
| Site Name: | Site MANTUS |
Risk Detected
| Event Time: | 12/22/2015 06:02:02 |
| Begin Time: | 12/22/2015 06:01:47 |
| End Time: | 12/22/2015 06:01:47 |
| Occurrence: | 1 |
| Signature Name: | Web Attack: Wordpress Arbitrary File Download |
| Signature ID: | 27847 |
| Signature Sub ID: | 73066 |
| Intrusion URL: | OurURL/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
| Intrusion Payload URL: | N/A |
| Event Description: | [SID: 27847] Web Attack: Wordpress Arbitrary File Download attack blocked. Traffic has been blocked for this application: SYSTEM |
| Event Type: | Intrusion Prevention |
| Hack Type: | 0 |
| Severity: | Critical |
| Application Name: | SYSTEM |
| Network Protocol: | TCP |
| Traffic Direction: | Outbound |
| Remote IP: | 65.208.151.114 |
| Remote MAC: | N/A |
| Remote Host Name: | N/A |
| Alert: | 1 |
| Local Port: | 80 |
| Remote Port: | 18469 |
0