avoid threat: PHP Webshell Access(36180)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

avoid threat: PHP Webshell Access(36180)

L4 Transporter

How to avoid this threat: PHP Webshell Access (36180). From Zone Trust, Zone to Untrust.

Thank you,

3 REPLIES 3

L4 Transporter

Hello COS,

If we have to avoid the threat 36180. Find which security rule is used for Trust to Untrust. In that security rule find the Vulnerability profile. Go to that Vulnerability profile in the Objects Tab > Vulnerability profile Exceptions tab.

Select "show all signatures" search for the threat id 36180. Now chose the action "allow" so that the threat will not be seen in the logs any more. If you want to drop packets or reset or any other action you can select too. But the option Allow only will not log it and all other options would log them.

Vuln-1.png

Hope this helps !

Hello Phoenix


if I setup this exception; would we be exposed to this type of attack?


Backdoor:PHP/WebShell.A is a backdoor trojan that allows unauthorized access and control of an affected computer by a remote attacker. The backdoor is written in PHP format and can affect both Windows and Linux operating systems.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A

I prefer that alerted me to this threat, but I also like to avoid registering false positives.

What would be the most recommended option (Action)?

Thanks and regards,

Well first of all, did you really verify that this actually was a false positive?

If so you could save a recording of the traffic and send to PA so they could update this threatid.

Besides this there is little you can do if you encounter a false positive, either you let this id be active (and analyze each alarm) or you disable this id.

Note that you can choose to disable this id either globally or for a specific flow - in your case if you just want to ignore this alarm you can set it to "allow" for the particular flow (so in case this shows up on some of your other webservers you will still get an alarm).

Also the action can be allow, block or alert. Allow is pretty obvious, block means drop the session AND log while alert means allow the session AND log (while allow means no logging at all).

  • 4769 Views
  • 3 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!