
IPS Report Uni-2020-07-21-0900 - 3717

The document provides a summary of intrusions detected over a 24-hour period. A total of 9,784 intrusions were detected, with the majority (60.04%) being informational and the remainder split between medium (18.83%), high (11.10%), and low (7.47%) severity. The highest volume of intrusions occurred between 12:00 and 15:00. The most common intrusion type was anomaly (7,741), followed by SQL injection (1,013) and information disclosure (381). Several critical severity intrusions involved code injection exploits.


IPS Report uni

Report Date: July 21, 2020 09:00


Data Range: 2020-07-20 00:00 to 2020-07-20 23:59 CLT (FAZ local)

Fortinet Inc. All rights reserved. Created on: July 21, 2020 09:00
Table of Contents

Summary 2
Intrusions By Severity 2
Intrusions Timeline 2
Intrusions By Types 2

Intrusions Detected 3
Critical Severity Intrusions 3
High Severity Intrusions 4
Medium Severity Intrusions 5
Low Severity Intrusions 5
Intrusion Victims 6
Intrusion Sources 6
Intrusions Blocked 7
Intrusions Monitored 8
Attacks Over HTTP/HTTPs 9

Appendix A 11
Devices 11

IPS Report uni (by admin) - FortiAnalyzer Host Name: FAZ200D page 1 of 11
Summary
Intrusions By Severity

Info: 5,874 (60.04%)
Medium: 1,842 (18.83%)
High: 1,086 (11.10%)
Low: 731 (7.47%)
Critical: 251 (2.57%)

Intrusions Timeline

(Chart in the original: intrusion counts per three-hour interval on 2020-07-20, from 00:00 through 21:00, plotted by severity (Critical, High, Medium, Low, Info) on a 0 to 1K scale. The individual data points are not present in the extracted text.)
Intrusions By Types
# | Intrusion Type | Counts
1 | Anomaly | 7,741
2 | SQL Injection | 1,013
3 | Information Disclosure | 381
4 | Code Injection | 184
5 | Other | 178
6 | Permission/Privilege/Access Control | 61
7 | Improper Authentication | 57
8 | Malware | 29
9 | XSS | 27
10 | DoS | 23
11 | Path Traversal | 22
12 | OS Command Injection | 18
13 | Buffer Errors | 13

Intrusions Detected
Critical Severity Intrusions
# | Attack Name | CVE-ID | Intrusion Type | Counts
1 | Zeroshell.Kerbynet.Type.Parameter.Remote.Command.Execution | CVE-2009-0545, CVE-2019-12725 | Code Injection | 76
2 | Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass | - | Improper Authentication | 57
3 | PHPUnit.Eval-stdin.PHP.Remote.Code.Execution | CVE-2017-9841 | Code Injection | 43
4 | ThinkPHP.Controller.Parameter.Remote.Code.Execution | CVE-2019-9082, CVE-2018-20062 | Code Injection | 12
5 | WordPress.HTTP.Path.Traversal | CVE-2019-9618, CVE-2018-16283, CVE-2018-16299, CVE-2020-11738 | Path Traversal | 12
6 | TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection | CVE-2017-18368 | Code Injection | 9
7 | Zeroaccess.Botnet | - | - | 7
8 | Oracle.WebLogic.Server.wls9_async.Component.Code.Injection | CVE-2019-2725, CVE-2019-2729 | Code Injection | 6
9 | Dasan.GPON.Remote.Code.Execution | CVE-2018-10561, CVE-2018-10562 | OS Command Injection | 5
10 | Oracle.WebLogic.Server.wls9_async.Method.Code.Injection | CVE-2019-2729 | Code Injection | 4
11 | DrayTek.Vigor.Router.Web.Management.Page.Command.Injection | CVE-2020-8515 | OS Command Injection | 3
12 | NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution | - | Code Injection | 3
13 | Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal | CVE-2019-19781 | Path Traversal | 2
14 | Gh0st.Rat.Botnet | - | - | 2
15 | Bladabindi.Botnet | - | - | 2
16 | Remote.CMD.Shell | - | Malware | 2
17 | D-Link.DSL-2750B.CLI.OS.Command.Injection | - | OS Command Injection | 2
18 | MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution | CVE-2015-1635 | Buffer Errors | 1
19 | D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution | CVE-2014-8361 | OS Command Injection | 1
20 | D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution | CVE-2015-2051, CVE-2019-10891 | OS Command Injection | 1

High Severity Intrusions
# | Attack Name | CVE-ID | Intrusion Type | Counts
1 | HTTP.URI.SQL.Injection | - | SQL Injection | 1,009
2 | Mirai.Botnet | - | - | 26
3 | Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection | CVE-2017-3506, CVE-2017-10271 | Code Injection | 10
4 | PHP.CGI.Argument.Injection | CVE-2012-1823, CVE-2012-2311 | Code Injection | 9
5 | HTTP.Request.URI.Directory.Traversal | CVE-2001-0308, CVE-2011-0405, CVE-2018-7171, CVE-2018-10260, CVE-2018-11137, CVE-2018-16288, CVE-2018-16836, CVE-2019-17662, CVE-2019-20085 | Path Traversal | 8
6 | ThinkPHP.HTTP.VARS.S.Remote.Code.Injection | - | Code Injection | 5
7 | Linksys.Routers.Administrative.Console.Authentication.Bypass | - | Permission/Privilege/Access Control | 4
8 | ThinkPHP.Request.Method.Remote.Code.Execution | - | Code Injection | 4
9 | Netlink.GPON.Router.formPing.Remote.Command.Injection | - | OS Command Injection | 4
10 | PHP.URI.Code.Injection | - | Code Injection | 2
11 | Tomato.Router.Default.Credentials | - | Anomaly | 1
12 | HTTP.Header.SQL.Injection | - | SQL Injection | 1
13 | HTTP.Unix.Shell.IFS.Remote.Code.Execution | - | OS Command Injection | 1
14 | MS.IIS.Command.Shell.SQL.Injection | CVE-2005-4149 | SQL Injection | 1
15 | Comtrend.VR-3033.Remote.Command.Injection | CVE-2020-10173 | OS Command Injection | 1

Medium Severity Intrusions
# | Attack Name | CVE-ID | Intrusion Type | Counts
1 | WordPress.xmlrpc.php.system.multicall.Amplification.Attack | - | Anomaly | 1,746
2 | Cross.Site.Scripting | CVE-2007-1355, CVE-2007-6316, CVE-2008-2165, CVE-2008-3305, CVE-2008-3726, CVE-2008-4393, CVE-2008-4918, CVE-2009-1524, CVE-2010-2370, CVE-2010-3266, CVE-2010-4828, CVE-2011-0508, CVE-2011-0959, CVE-2011-0961, CVE-2011-1772, CVE-2011-2179, CVE-2011-2938, CVE-2011-3010, CVE-2011-3390, CVE-2011-4340, CVE-2016-3212, CVE-2018-2791, CVE-2018-5550, CVE-2018-8006, CVE-2018-17441, CVE-2018-17443 | XSS | 27
3 | Android.ADB.Debug.Port.Remote.Access | - | Permission/Privilege/Access Control | 26
4 | WordPress.xmlrpc.Pingback.DoS | - | DoS | 17
5 | WordPress.REST.API.Username.Enumeration.Information.Disclosure | CVE-2017-5487 | Information Disclosure | 15
6 | Web.Server.Password.Files.Access | - | Permission/Privilege/Access Control | 11

Low Severity Intrusions


# | Attack Name | Intrusion Type | Counts
1 | Traceroute | Information Disclosure | 366
2 | ZGrab.Scanner | Anomaly | 166
3 | Wind.River.VxWorks.WDB.Debug.Service.Version.Number.Scanner | Other | 93
4 | Port.Scanning | Other | 43
5 | ZmEu.Vulnerability.Scanner | Malware | 27
6 | Masscan.Scanner | Anomaly | 21
7 | Nmap.Script.Scanner | Anomaly | 6
8 | IKE.Exchange.DoS.Version | DoS | 6
9 | Havij.Advanced.SQL.Injection.Scanner | SQL Injection | 2
10 | Cisco.Smart.Install.Feature.Enable.Scanner | Anomaly | 1

Intrusion Victims
# | Attack Victim | Counts | Percent of Total Attacks
(The Critical/High/Medium breakdown per victim is a bar chart in the original and is not present in the extracted text.)
1 | 190.98.232.125 | 2,837 | 90.70%
2 | 200.75.19.132 | 35 | 1.12%
3 | 190.98.232.105 | 34 | 1.09%
4 | 200.75.19.158 | 34 | 1.09%
5 | 200.75.19.154 | 24 | 0.77%
6 | 190.98.232.107 | 20 | 0.64%
7 | 200.75.19.156 | 16 | 0.51%
8 | 190.98.232.120 | 14 | 0.45%
9 | 200.75.19.133 | 13 | 0.42%
10 | 200.75.19.138 | 13 | 0.42%
11 | 190.98.232.124 | 12 | 0.38%
12 | 200.75.19.140 | 12 | 0.38%
13 | 190.98.232.100 | 11 | 0.35%
14 | 200.75.19.153 | 9 | 0.29%
15 | 190.98.232.119 | 8 | 0.26%
16 | 190.98.232.97 | 8 | 0.26%
17 | 190.98.232.106 | 8 | 0.26%
18 | 200.75.19.141 | 8 | 0.26%
19 | 190.98.232.103 | 6 | 0.19%
20 | 190.98.232.101 | 6 | 0.19%

Intrusion Sources
# | Attack Source | Counts | Percent of Total Attacks
(The Critical/High/Medium breakdown per source is a bar chart in the original and is not present in the extracted text.)
1 | 13.76.198.194 | 1,405 | 53.75%
2 | 201.214.251.121 | 184 | 7.04%
3 | 3.113.7.243 | 174 | 6.66%
4 | 70.37.81.77 | 145 | 5.55%
5 | 129.45.82.164 | 144 | 5.51%
6 | 95.90.210.2 | 135 | 5.16%
7 | 181.177.26.24 | 128 | 4.90%
8 | 35.228.206.201 | 55 | 2.10%
9 | 37.49.224.224 | 54 | 2.07%
10 | 195.54.160.21 | 44 | 1.68%
11 | 174.76.48.246 | 42 | 1.61%
12 | 42.2.59.221 | 19 | 0.73%
13 | 95.110.194.245 | 17 | 0.65%
14 | 117.61.241.253 | 13 | 0.50%
15 | 66.240.205.34 | 11 | 0.42%
16 | 38.99.240.2 | 10 | 0.38%
17 | 186.115.21.135 | 10 | 0.38%
18 | 61.160.236.22 | 9 | 0.34%
19 | 61.132.225.37 | 8 | 0.31%
20 | 190.107.228.202 | 7 | 0.27%

Intrusions Blocked
# | Intrusion Name | Intrusion Type | Severity | Counts
1 | Zeroshell.Kerbynet.Type.Parameter.Remote.Command.Execution | Code Injection | Critical | 76
2 | Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass | Improper Authentication | Critical | 57
3 | PHPUnit.Eval-stdin.PHP.Remote.Code.Execution | Code Injection | Critical | 43
4 | WordPress.HTTP.Path.Traversal | Path Traversal | Critical | 12
5 | ThinkPHP.Controller.Parameter.Remote.Code.Execution | Code Injection | Critical | 12
6 | TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection | Code Injection | Critical | 9
7 | Zeroaccess.Botnet | - | Critical | 7
8 | Oracle.WebLogic.Server.wls9_async.Component.Code.Injection | Code Injection | Critical | 6
9 | Dasan.GPON.Remote.Code.Execution | OS Command Injection | Critical | 5
10 | Oracle.WebLogic.Server.wls9_async.Method.Code.Injection | Code Injection | Critical | 4
11 | NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution | Code Injection | Critical | 3
12 | DrayTek.Vigor.Router.Web.Management.Page.Command.Injection | OS Command Injection | Critical | 3
13 | Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal | Path Traversal | Critical | 2
14 | Gh0st.Rat.Botnet | - | Critical | 2
15 | D-Link.DSL-2750B.CLI.OS.Command.Injection | OS Command Injection | Critical | 2
16 | Remote.CMD.Shell | Malware | Critical | 2
17 | Bladabindi.Botnet | - | Critical | 2
18 | PHPCMS.Type.php.Code.Injection | Code Injection | Critical | 1
19 | MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution | Buffer Errors | Critical | 1
20 | D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution | OS Command Injection | Critical | 1

Intrusions Monitored
# | Intrusion Name | Intrusion Type | Severity | Counts
1 | Wind.River.VxWorks.WDB.Debug.Service.Version.Number.Scanner | Other | Low | 93
2 | Port.Scanning | Other | Low | 43
3 | IKE.Exchange.DoS.Version | DoS | Low | 6
4 | Cisco.Smart.Install.Feature.Enable.Scanner | Anomaly | Low | 1
5 | DNS.Invalid.OPcode | Anomaly | Info | 5,797
6 | SSL.Anonymous.Ciphers.Negotiation | Other | Info | 42
7 | HTTP.Unknown.Tunnelling | Permission/Privilege/Access Control | Info | 17
8 | HTTP.Overly.Long.URI | Buffer Errors | Info | 12
9 | FTP.Login.Failed | Anomaly | Info | 3
10 | SMTP.Unknown.Reply | Permission/Privilege/Access Control | Info | 3

Attacks Over HTTP/HTTPs
# | Attack Name | Severity | Attack Counts
1 | Zeroshell.Kerbynet.Type.Parameter.Remote.Command.Execution | Critical | 76
2 | PHPUnit.Eval-stdin.PHP.Remote.Code.Execution | Critical | 43
3 | WordPress.HTTP.Path.Traversal | Critical | 12
4 | ThinkPHP.Controller.Parameter.Remote.Code.Execution | Critical | 12
5 | TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection | Critical | 9
6 | Oracle.WebLogic.Server.wls9_async.Component.Code.Injection | Critical | 6
7 | Dasan.GPON.Remote.Code.Execution | Critical | 5
8 | Oracle.WebLogic.Server.wls9_async.Method.Code.Injection | Critical | 4
9 | DrayTek.Vigor.Router.Web.Management.Page.Command.Injection | Critical | 3
10 | NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution | Critical | 3
11 | Bladabindi.Botnet | Critical | 2
12 | Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal | Critical | 2
13 | D-Link.DSL-2750B.CLI.OS.Command.Injection | Critical | 2
14 | Gh0st.Rat.Botnet | Critical | 2
15 | PHPCMS.Type.php.Code.Injection | Critical | 1
16 | D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution | Critical | 1
17 | MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution | Critical | 1
18 | D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution | Critical | 1
19 | HTTP.URI.SQL.Injection | High | 1,009
20 | Mirai.Botnet | High | 26
21 | Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection | High | 10
22 | PHP.CGI.Argument.Injection | High | 9
23 | HTTP.Request.URI.Directory.Traversal | High | 8
24 | ThinkPHP.HTTP.VARS.S.Remote.Code.Injection | High | 5
25 | ThinkPHP.Request.Method.Remote.Code.Execution | High | 4
26 | Linksys.Routers.Administrative.Console.Authentication.Bypass | High | 4
27 | Netlink.GPON.Router.formPing.Remote.Command.Injection | High | 4
28 | PHP.URI.Code.Injection | High | 2
29 | Comtrend.VR-3033.Remote.Command.Injection | High | 1
30 | MS.IIS.Command.Shell.SQL.Injection | High | 1
31 | HTTP.Unix.Shell.IFS.Remote.Code.Execution | High | 1
32 | HTTP.Header.SQL.Injection | High | 1
33 | Tomato.Router.Default.Credentials | High | 1
34 | WordPress.xmlrpc.php.system.multicall.Amplification.Attack | Medium | 1,746
35 | Cross.Site.Scripting | Medium | 27
36 | WordPress.xmlrpc.Pingback.DoS | Medium | 17
37 | WordPress.REST.API.Username.Enumeration.Information.Disclosure | Medium | 15
38 | Web.Server.Password.Files.Access | Medium | 11

Appendix A
Devices

FT-IPS-SRV-UAH[vlan-zone](Invalid Device or Vdom)
FW-DMZ-IPS[L2-VWP]
FW-DMZ-IPS[L2-Vlan]
FW-DMZ-IPS[L2-vlan]
FW-DMZ-IPS[VDOM-192]
FW-DMZ-IPS[VDOM-30]
FW-DMZ-IPS[root]
FW-DMZ-IPS[vlan-zone]
FW_Uni
