DDI RULE 2671
Vulnerability Scanner - HTTP (Request) - Variant 3
Overview
This is a Trend Micro detection for traffic over the HTTP network protocol that exhibits the behavior of a hacking tool, in this case the request pattern of a vulnerability scanner. Hacking tools are software that can generally be used to crack or circumvent system and network security measures, and their capabilities vary depending on the systems they were designed to penetrate. System administrators and malicious actors may use these tools in the same way but with different intent: both want to identify possible avenues for intrusion, but administrators do so to test the security of their own systems, whereas malicious actors do so to exploit them. Because the same traffic can come from an authorized internal scan, confirm whether the source host is a known, sanctioned scanner before treating the detection as hostile.
Technical Details
Protocol: HTTP
Risk Type: OTHERS
(Note: OTHERS can be network connections related to hacking attempts, exploits, connections done by grayware, or suspicious traffic.)
Threat Type: Grayware
Confidence Level: High
Severity: Low
DDI Default Rule Status: Disable
Behavior Indicator: Grayware
APT Related: NO
Solutions
Immediate Action
- If the host exhibiting this kind of network behavior is within the internal network, change all passwords on the host and ensure the use of strong passwords. Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols.
- Remove any unrecognized files, software, or services.
- Update your Trend Micro products and pattern files to the latest version.
- Scan the host for malware and clean any detected items.
Secondary Action
If scanning fails to detect a malware infection:
- If possible, disconnect the host from the network to prevent any further communication or malicious activities the malware may attempt.
- Run RootkitBuster to check through hidden files, registry entries, processes, drivers, and hooked system services.
- Use the Anti-Threat Toolkit (ATTK) tools to collect undetected malware information.
- Identify and clean threats with Rescue Disk, specifically for suspected threats that are persistent or difficult to clean. Rescue Disk allows you to use a CD, DVD, or USB drive to examine the computer without launching Microsoft Windows.
If the host exhibiting this kind of network behavior is in the external network, ensure the following to reduce the risk of attack:
- Systems are not in default configuration
- Firewall is enabled
- All passwords on the host have been changed and strong passwords are used. Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols.
- Firmware of devices, routers, and other hardware is up to date, and every host visible from the external network has its browsers, plugins, and operating system fully updated with the latest patches.