avoid threat: PHP Webshell Access(36180)

L4 Transporter

How do I avoid this threat: PHP Webshell Access (36180)? From zone Trust to zone Untrust.

Thank you,

L4 Transporter

Re: avoid threat: PHP Webshell Access(36180)

Hello COS,

If you have to avoid threat 36180, find which security rule is used for Trust to Untrust. In that security rule, find the Vulnerability profile. Go to that Vulnerability profile in the Objects tab > Vulnerability Profile > Exceptions tab.

Select "Show all signatures" and search for the threat ID 36180. Now choose the action "allow" so that the threat will not be seen in the logs any more. If you want to drop packets, reset, or take any other action, you can select that too. But only the option "Allow" will not log it; all other options will log it.

[Screenshot attached: Vuln-1.png]

Hope this helps !

L4 Transporter

Re: avoid threat: PHP Webshell Access(36180)

Hello Phoenix,

If I set up this exception, would we be exposed to this type of attack?


Backdoor:PHP/WebShell.A is a backdoor trojan that allows unauthorized access and control of an affected computer by a remote attacker. The backdoor is written in PHP format and can affect both Windows and Linux operating systems.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A

I prefer to be alerted to this threat, but I would also like to avoid registering false positives.

What would be the most recommended option (Action)?

Thanks and regards,

L6 Presenter

Re: avoid threat: PHP Webshell Access(36180)

Well, first of all, did you really verify that this actually was a false positive?

If so, you could save a recording of the traffic and send it to PA so they could update this threat ID.

Besides this, there is little you can do if you encounter a false positive: either you let this ID be active (and analyze each alarm) or you disable this ID.

Note that you can choose to disable this ID either globally or for a specific flow. In your case, if you just want to ignore this alarm, you can set it to "allow" for the particular flow (so in case this shows up on some of your other web servers, you will still get an alarm).

Also, the action can be allow, block, or alert. Allow is pretty obvious; block means drop the session AND log, while alert means allow the session AND log (whereas allow means no logging at all).
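A worked example added here by the editor; it is not code from the original thread or from Palo Alto Networks. It covers both replies above: first it tallies which flows and source hosts actually tripped threat 36180 in a threat-log extract (the "did you really verify it is a false positive, and is it confined to one flow?" check from the last reply), then it builds the vulnerability-profile threat-exception element that Phoenix's GUI steps configure, scoped with exempt-ip to only the host you verified, and it records the action semantics the reply describes (allow = forward without logging, alert = forward and log, drop/reset = block and log). The log lines are constructed and deliberately simplified (not the real PAN-OS CSV threat-log layout), the profile name and addresses are hypothetical, and the element names and XPath follow the PAN-OS configuration schema as I understand it; compare them against `show config running` on your own device before pushing anything.

```python
import csv
import io
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample data, NOT a real PAN-OS export: a simplified threat-log
# extract carrying only the columns this script needs.
SAMPLE_LOGS = """\
receive_time,from_zone,to_zone,src,dst,rule,threat_id,threat_name,action
2014/03/02 10:15:01,Trust,Untrust,10.10.5.23,203.0.113.8,trust-to-untrust,36180,PHP Webshell Access,alert
2014/03/02 10:15:09,Trust,Untrust,10.10.5.23,203.0.113.8,trust-to-untrust,36180,PHP Webshell Access,alert
2014/03/02 10:16:42,Trust,Untrust,10.10.5.40,198.51.100.7,trust-to-untrust,36180,PHP Webshell Access,alert
2014/03/02 10:17:03,DMZ,Untrust,10.20.1.5,198.51.100.9,dmz-to-untrust,36180,PHP Webshell Access,alert
2014/03/02 10:18:30,Trust,Untrust,10.10.5.23,203.0.113.8,trust-to-untrust,30851,HTTP Directory Traversal,drop
"""

# Exception actions and their effect, as the thread describes them: "allow"
# forwards the session and writes no threat log at all, "alert" forwards and
# logs, the drop/reset actions block the session and log. (Subset of the
# actions PAN-OS offers; "default" is left out on purpose.)
ACTION_EFFECT = {
    "allow":        {"session_permitted": True,  "logged": False},
    "alert":        {"session_permitted": True,  "logged": True},
    "drop":         {"session_permitted": False, "logged": True},
    "reset-client": {"session_permitted": False, "logged": True},
    "reset-server": {"session_permitted": False, "logged": True},
    "reset-both":   {"session_permitted": False, "logged": True},
}


def parse_threat_logs(text):
    """Parse the simplified CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def flows_for_threat(records, threat_id):
    """Count (from_zone, to_zone, rule, src) tuples that triggered threat_id.

    Run this before adding an exception: if only one or two hosts trip the
    signature, a host-scoped exception is far safer than a global one.
    """
    hits = Counter()
    for r in records:
        if r["threat_id"] == str(threat_id):
            hits[(r["from_zone"], r["to_zone"], r["rule"], r["src"])] += 1
    return hits


def build_threat_exception(threat_id, action, exempt_ips=()):
    """Build the <threat-exception> element for a vulnerability profile.

    action: one of ACTION_EFFECT's keys. exempt_ips: addresses the exception
    is limited to; empty means it applies to every session the profile sees.
    Element names are assumed from the PAN-OS config schema; verify locally.
    """
    if action not in ACTION_EFFECT:
        raise ValueError(f"unsupported exception action: {action}")
    root = ET.Element("threat-exception")
    entry = ET.SubElement(root, "entry", name=str(threat_id))
    ET.SubElement(ET.SubElement(entry, "action"), action)
    if exempt_ips:
        exempt = ET.SubElement(entry, "exempt-ip")
        for ip in exempt_ips:
            ET.SubElement(exempt, "entry", name=ip)
    return ET.tostring(root, encoding="unicode")


def profile_xpath(profile_name, vsys="vsys1"):
    """XPath of the vulnerability profile, for a 'set' call via the XML API
    (assumed standard single-vsys layout)."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/profiles/vulnerability"
            f"/entry[@name='{profile_name}']")


if __name__ == "__main__":
    records = parse_threat_logs(SAMPLE_LOGS)
    for flow, n in flows_for_threat(records, 36180).most_common():
        print(n, flow)
    # Suppose only 10.10.5.23 was verified as a false positive (hypothetical):
    # scope the "allow" exception to that host instead of the whole profile.
    print(profile_xpath("trust-outbound-vuln"))
    print(build_threat_exception(36180, "allow", exempt_ips=["10.10.5.23"]))
```

With the sample above the tally shows the signature firing from three different sources across two zone pairs, which is exactly the situation where a global "allow" would hide a real webshell on the DMZ host while you were only trying to silence one known false positive; the exempt-ip scoping keeps the alarm for everything else, as the last reply recommends.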
