topic Re: avoid threat: PHP Webshell Access(36180) in General Topics

avoid threat: PHP Webshell Access(36180)

SOC_CSG — Mon, 23 Dec 2013 15:20:59 GMT

How to avoid this threat: PHP Webshell Access (36180). From Zone Trust, Zone to Untrust.

Thank you,

Re: avoid threat: PHP Webshell Access(36180)

Phoenix — Mon, 23 Dec 2013 15:44:24 GMT

Hello COS,

If we have to avoid the threat 36180. Find which security rule is used for Trust to Untrust. In that security rule find the Vulnerability profile. Go to that Vulnerability profile in the Objects Tab > Vulnerability profile Exceptions tab.

Select "show all signatures" search for the threat id 36180. Now chose the action "allow" so that the threat will not be seen in the logs any more. If you want to drop packets or reset or any other action you can select too. But the option Allow only will not log it and all other options would log them.

Hope this helps !

Re: avoid threat: PHP Webshell Access(36180)

soporteseguridad — Mon, 23 Dec 2013 17:03:39 GMT

Hello Phoenix

if I setup this exception; would we be exposed to this type of attack?

Backdoor:PHP/WebShell.A is a backdoor trojan that allows unauthorized access and control of an affected computer by a remote attacker. The backdoor is written in PHP format and can affect both Windows and Linux operating systems.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A

I prefer that alerted me to this threat, but I also like to avoid registering false positives.

What would be the most recommended option (Action)?

Thanks and regards,

Re: avoid threat: PHP Webshell Access(36180)

mikand — Tue, 21 Jan 2014 07:36:20 GMT

Well first of all, did you really verify that this actually was a false positive?

If so you could save a recording of the traffic and send to PA so they could update this threatid.

Besides this there is little you can do if you encounter a false positive, either you let this id be active (and analyze each alarm) or you disable this id.

Note that you can choose to disable this id either globally or for a specific flow - in your case if you just want to ignore this alarm you can set it to "allow" for the particular flow (so in case this shows up on some of your other webservers you will still get an alarm).

Also the action can be allow, block or alert. Allow is pretty obvious, block means drop the session AND log while alert means allow the session AND log (while allow means no logging at all).