Security Report Sample

The security report summarizes the security status for a period from 2016-06-15 to 2016-06-15. It found that overall security rating is poor without protection but excellent with Sangfor NGAF protection. It detected 158 attacks and 42 vulnerabilities including 17 high risk ones. Top attacked servers included 200.200.1.1 that was hacked and injected with backlinks. Major attack events were hacking and servers being attacked from sources like 92.96.134.133.


Security Report

Period: 2016-06-15 to 2016-06-15

Generated At: 2016-06-15 09:57:39

Application Server Domain/IP: All

User: All

Security Summary
Summary

Period: 2016-06-15 to 2016-06-15

Overall Security Status: Before Protection: Poor; After Protection: Excellent

With Sangfor NGAF's protection, overall security rating is raised to Excellent.


Without protection, it may suffer the following attacks:

200.200.1.1 server(1) has been Hacked
202.96.134.134, 202.96.134.133, 192.6.134.133 host(3) has been Infected
Recommendations: Follow the security enhancement recommendations in the corresponding server security or endpoint security sections to fix the issues as soon as possible for fear of business losses.

200.200.1.1 has been defaced and injected 5 backlink(s).
Recommendations:
1. Remove the backlink from the corresponding webpage.
2. Download the anti-malware software and perform full scan over the website.

158 attack(s) occurred
Comments: Overall security rating is Poor, though most of the attacks are blocked by Sangfor NGAF.

42 vulnerability(ies) have been detected, among which 17 are high risk.
Comments: Certain server is very vulnerable. To learn how to fix the vulnerabilities, log in to the NGAF GUI and go to Status > Real-Time Vulnerability Analysis to generate the report.


Trends
Total Attacks: Indicates the total number of attacks detected by the Sangfor NGAF that are
against protected zones. The more the attacks, the worse the network security.

Attack Events: Indicates the major attack events extracted and categorized based on a variety of
security logs and attack chain analysis techniques. The more the attack events, the more the
attacks; the servers in the protected zone are more likely to be attacked, and network security
becomes worse.

Vulnerability Distribution

The vulnerabilities detected in specific protected zone fall into the following major types:


42 vulnerability(ies) have been detected: 17 high-risk, 21 medium-risk, 4 low-risk, 0 exploited.

According to analysis of vulnerability impacts, the following servers will be or have been affected the most:


Application Server Security

The following are the top attacked servers:

No. Action Taken Target Server Application Server Severity (Level) Latest Threat Threat Count

1 No 200.200.1.1 - Hacked(5) 2016-06-15 09:33:57 86

2 No miserupdate.aliyun.com (200.200.1.1) - Ever been attacked(3) 2016-06-15 09:33:57 30

3 No 200.200.1.2 - Ever been attacked(3) 2016-06-15 09:33:58 10

4 No 200.200.1.3 - Ever been attacked(3) 2016-06-15 09:33:58 2

Server Risk Distribution

Attack Events

The following are the major attack events categorized and extracted according to analysis of security logs, in conjunction with attack chain analysis techniques.
● Hacked (server has been infected with Trojan or defaced)
● Bot Controlled (host or server has become a "zombie")
● Ever been attacked (server has ever been attacked, but no data proves that any attack is successful)

No. Event Category Details

1 Hacked 1 server(s) has been hacked. 200.200.1.1 is(are) among the 1 server(s) injected (Backlink Injection)

2 Bot Controlled No data available

3 Ever been attacked
1) 200.200.1.1 has suffered 76 attack(s), which fall into the following major types: SQL injection, Sensitive data protection, Information disclosure, Website scan. Attack sources: 92.96.134.133 (U.A.E) 76 occurrence(s)
2) miserupdate.aliyun.com (200.200.1.1) has suffered 30 attack(s), which fall into the following major types: Information disclosure. Attack sources: 92.96.134.133 (U.A.E) 30 occurrence(s)
3) 200.200.1.2 has suffered 10 attack(s), which fall into the following major types: User login security. Attack sources: 192.6.134.136 (United States) 10 occurrence(s)


All Attack Sources


The following are the attack sources that have launched the most attacks. It is recommended to log in to the NGAF GUI and add those attack sources into the Global Blacklist in System > Global Whitelist/Blacklist.

No. IP Address Attack Type Attack Count Location

1 92.96.134.133 Information disclosure (82), SQL injection (12), Sensitive data protection (10), Website scan (2) 106 U.A.E

2 192.6.134.136 User login security (10) 10 United States

3 192.6.134.135 Information disclosure (2) 2 United States

Endpoint Security
Top Bot-Infected Hosts
The following are the top bot-infected hosts:

No. Action Taken Host Zone Severity (Level) Latest Threat Threat Count

1 No 202.96.134.134 - Infected(8) 2016-06-15 09:33:57 6

2 No 202.96.134.133 - Infected(8) 2016-06-15 09:33:57 2

3 No 192.6.134.133 - Infected(8) 2016-06-15 09:33:58 2

4 No 92.96.134.134 - High(7) 2016-06-15 09:33:57 8

5 No 192.96.134.133 - High(7) 2016-06-15 09:33:58 4

6 No 192.6.134.139 - High(7) 2016-06-15 09:33:58 2

7 No 192.6.134.134 - High(7) 2016-06-15 09:33:58 2

8 No 192.96.134.134 - High(7) 2016-06-15 09:33:58 2

9 No 92.96.134.139 - High(7) 2016-06-15 09:33:57 2

Malicious Files
The following are the top malicious files detected based on sandbox technology that have been involved in 0-Day vulnerability exploits:

No. File MD5 Virus Name Threat Level Host Infected Hosts Threat Count Latest Threat

1 569def15112e43a511ae7af2cbb65803 SF/IPS.WIN.Loophole High 192.6.134.131 (2) 1 2 2016-06-15 09:33:58

2 07577c5a49fda33069910fcd5c28a66b Win32/Trojan.Gen.PK High 192.6.134.138 (2) 1 2 2016-06-15 09:33:58


Malicious Websites
The following are the top malicious websites detected based on sandbox technology that have been involved in 0-Day vulnerability exploits:

No. Website Category Host Hosts Threat Count Latest Threat

1 hncredit.gov.cn/article/read-2706.html Malicious webpage 192.6.134.138 (2) 1 2 2016-06-15 09:33:58

2 www.doolittleraider.com/images/Manch002.jpg Malicious webpage 192.6.134.131 (2) 1 2 2016-06-15 09:33:58

Recommendations: Download anti-malware software to scan for and remove malware on the infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

Overall Security Enhancement Recommendations

1. Log in to the NGAF GUI and follow the recommendations in Alerts tab to fix the vulnerabilities.
2. Log in to the NGAF GUI and go to Status > Real-Time Vulnerability Analysis to generate the report and
follow the recommendations to fix the existing vulnerabilities.
3. Add the attack sources to Global Blacklist in System > Global Whitelist/Blacklist.
4. Carefully read all the Security Enhancement Recommendations in every Security Detail section in this report.


Server Security
200.200.1.1 Security Details (Waiting for Action)

200.200.1.1 overall security rating is Critical (Hacked)

200.200.1.1 is controlled by the attacker and has suffered 86 attack(s), and 42 vulnerability(ies) have been detected on it.
The attacker has injected 5 backlink(s) to Pornography, Gambling, Game contents.

Attack Events

Category: Hacked (Backlink Injection)

Summary: 200.200.1.1 has been injected 5 backlink(s)

Log Examples: Injected backlink(s):

192.168.114.117/test/heilianfan.html
Type: Counteraction & Other Illegalities
Contents: <a href="http://www.testurl.com">办毕业证</a>

192.168.114.117/test/heiliandu.html
Type: Gambling
Contents: <a href="http://www.testurl.com">六合彩</a>

192.168.114.117/test/heilianse.html
Type: Pornography
Contents: <a href="http://www.xtube.com">你懂得</a>

192.168.114.117/test/heilianyao.html
Type: Illegal Drugs
Contents: <a href="http://www.testurl.com">催情药</a>

192.168.114.117/test/heilianyouxi.html
Type: Game
Contents: <a href="http://www.testurl.com">精品复古</a>


Vulnerabilities

No. Vulnerability Vulnerabilities Exploited Protection Threat Level

1 Apache Httpd Vulnerability 34 No Protected High

2 Wrong Configuration 6 No Protected High

3 IIS Vulnerability 2 No Protected High

Recommendations:
● Log in to the NGAF GUI and go to Status > Real-Time Vulnerability Analysis to generate the Full Report
and follow the recommendations to fix the existing vulnerabilities.

Attack Sources

The following are the major sources that launched attacks against 200.200.1.1, 86 attack(s) in total. It is recommended to add them into the Global Blacklist in System > Global Whitelist/Blacklist.

No. Attack Source Attack Type Source Location Attack Count

1 92.96.134.133 Information disclosure (52), SQL injection (12), Sensitive data protection (10), Website scan (2) U.A.E 76

Security Enhancement Recommendations

The server has been hacked. Follow the recommendations below to enhance security.

1. Backlink Injection
● Check source code of the victim webpages and delete all the modified codes. For more information, log in to the NGAF GUI and go to Status > System > Alerts.
● Download, install and launch anti-malware software to scan websites for and remove the backlinks. (Download Anti-malware Software: http://sec.sangfor.com/apt)

2. Blacklist Attack Sources

● To prevent subsequent attacks from the above sources, log in to the NGAF GUI and add the above IP addresses into global blacklist in System > Global Whitelist/Blacklist.

miserupdate.aliyun.com (200.200.1.1) Security Details (Waiting for Action)

miserupdate.aliyun.com (200.200.1.1) overall security rating is High (Ever been attacked)


200.200.1.1 suffered 30 attack(s)


Attack Events

Category: Ever been attacked

Summary: miserupdate.aliyun.com (200.200.1.1) has been attacked by 92.96.134.133 (U.A.E, 30 occurrences), Information disclosure (30)

Start Time: 2016-06-15 09:31:04

End Time: 2016-06-15 09:33:57


Log Examples

More logs are available in Internal Report Center, in Logs > WAF and IPS.

Vulnerabilities

No data available

Attack Sources

The following are the major sources that launched attacks against 200.200.1.1, 30 attack(s) in total. It is recommended to add them into the Global Blacklist in System > Global Whitelist/Blacklist.

No. Attack Source Attack Type Source Location Attack Count

1 92.96.134.133 Information disclosure (30) U.A.E 30

Security Enhancement Recommendations

1. Ever been attacked


● All the attacks against the server have been blocked by Sangfor NGAF and the existing vulnerabilities have been fixed. No more action is required.

2. Blacklist Attack Sources

● To prevent subsequent attacks from the above sources, log in to the NGAF GUI and add the above IP addresses into global blacklist in System > Global Whitelist/Blacklist.


200.200.1.2 Security Details (Waiting for Action)

200.200.1.2 overall security rating is High (Ever been attacked)


200.200.1.2 suffered 10 attack(s)

Attack Events

Category: Ever been attacked

Summary: 200.200.1.2 has been attacked by 192.6.134.136 (United States, 10 occurrences), User login security (10)

Start Time: 2016-06-15 09:31:04

End Time: 2016-06-15 09:33:58


Log Examples

More logs are available in Internal Report Center, in Logs > WAF and IPS.

Vulnerabilities

No data available

Attack Sources

The following are the major sources that launched attacks against 200.200.1.2, 10 attack(s) in total. It is recommended to add them into the Global Blacklist in System > Global Whitelist/Blacklist.

No. Attack Source Attack Type Source Location Attack Count

1 192.6.134.136 User login security (10) United States 10


Security Enhancement Recommendations

1. Ever been attacked


● All the attacks against the server have been blocked by Sangfor NGAF and the existing vulnerabilities have been fixed. No more action is required.

2. Blacklist Attack Sources

● To prevent subsequent attacks from the above sources, log in to the NGAF GUI and add the above IP addresses into global blacklist in System > Global Whitelist/Blacklist.

200.200.1.3 Security Details (Waiting for Action)

200.200.1.3 overall security rating is High (Ever been attacked)


200.200.1.3 suffered 2 attack(s)

Attack Events

Category: Ever been attacked

Summary: 200.200.1.3 has been attacked by 192.6.134.135 (United States, 2 occurrences), Information disclosure (2)

Start Time: 2016-06-15 09:31:04

End Time: 2016-06-15 09:33:58


Log Examples

More logs are available in Internal Report Center, in Logs > WAF and IPS.

Vulnerabilities

No data available


Attack Sources

The following are the major sources that launched attacks against 200.200.1.3, 2 attack(s) in total. It is recommended to add them into the Global Blacklist in System > Global Whitelist/Blacklist.

No. Attack Source Attack Type Source Location Attack Count

1 192.6.134.135 Information disclosure (2) United States 2

Security Enhancement Recommendations

1. Ever been attacked


● All the attacks against the server have been blocked by Sangfor NGAF and the existing vulnerabilities have been fixed. No more action is required.

2. Blacklist Attack Sources

● To prevent subsequent attacks from the above sources, log in to the NGAF GUI and add the above IP addresses into global blacklist in System > Global Whitelist/Blacklist.


Endpoint Security
202.96.134.134 Security Details (Waiting for Action)

Overall security rating: Critical (Infected)

202.96.134.134 has undergone 6 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host visited a C&C Communication URL confirmed by CNCERT.

Log Examples:
2016-06-15 09:33:57 BitCoin mining activity is detected the host(192.168.183.188). It may have become a bot. (3 occurrence(s))
2016-06-15 09:33:57 The host(192.168.183.188) is transmit data via IRC protocol and might be infected. Please view details for more information. (2 occurrence(s))

Security Enhancement Recommendations

● The host is infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

202.96.134.133 Security Details (Waiting for Action)

Overall security rating: Critical (Infected)

202.96.134.133 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host visited a C&C Communication URL confirmed by CNCERT.

Log Examples: 2016-06-15 09:33:57 Host 192.168.183.188 is infected with Gh0st trojan (2 occurrence(s))


Security Enhancement Recommendations

● The host is infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

192.6.134.133 Security Details (Waiting for Action)

Overall security rating: Critical (Infected)

192.6.134.133 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host visited a C&C Communication URL confirmed by CNCERT.

Log Examples:
2016-06-15 09:33:58 BitCoin mining activity is detected the host(192.168.183.188). It may have become a bot. (2 occurrence(s))

Security Enhancement Recommendations

● The host is infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

92.96.134.134 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

92.96.134.134 has undergone 8 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host initiated DDoS attack against the external network.


Log Examples:
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious DNS packets. (2 occurrence(s))
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious UDP packets. (1 occurrence(s))
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious ICMP packets. (1 occurrence(s))
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious SYN packets. (1 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

192.96.134.133 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

192.96.134.133 has undergone 4 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host initiated DDoS attack against the external network.

Log Examples:
2016-06-15 09:33:58 Server(192.168.183.188) is infected with trojan and sending numerous suspicious SYN packets. (2 occurrence(s))
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious ICMP packets. (2 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)


192.6.134.139 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

192.6.134.139 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host visited Conficker worm C&C domain.

Log Examples: 2016-06-15 09:33:58 Host (192.168.183.188) is infected with virus Conficker.Worm. (2 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

192.6.134.134 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

192.6.134.134 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host visited Conficker worm C&C domain.

Log Examples:
2016-06-15 09:33:58 Try to resolve address of Botnet C&C server sfdsfdsfsdfssdf.com,sfdsfdsfsdfssdf.net,sfdsfdsfsdfssdf.org in short time. The host may be infected with conficker worm. For details, view Risk Details. (2 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)


192.96.134.134 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

192.96.134.134 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host initiated DDoS attack against the external network.

Log Examples:
2016-06-15 09:33:58 Server(192.168.183.188) is infected with trojan and sending numerous suspicious UDP packets. (2 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)

92.96.134.139 Security Details (Waiting for Action)

Overall security rating: High (Most likely infected)

92.96.134.139 has undergone 2 threat(s). It is currently at the C&C Communication stage. At this attack stage, the host is infected with malware and controlled by the attacker.

Threat Details

Event Category: C&C Communication

Details: Host initiated DDoS attack against the external network.

Log Examples:
2016-06-15 09:33:57 Server(192.168.183.188) is infected with trojan and sending numerous suspicious DNS packets. (2 occurrence(s))

Security Enhancement Recommendations

● The host is most likely infected with malware. It is recommended to download anti-malware software to scan for and remove malware on the potentially infected hosts. (Download Anti-malware Software: http://sec.sangfor.com/apt)


Risk Assessment & Impacts


Risk Assessment

Server security is based on comprehensive analysis of all the security logs related to the internal servers in protected zones. Server security rating falls into four types, namely, Hacked, Ever been attacked, Data ever been harvested and Vulnerable. Endpoint security is based on comprehensive analysis of all network security logs related to all the hosts in protected zones, and rating also falls into four types, namely, Infected, High, Medium and Low. Overall security is assessed according to server security and endpoint security, and the rating falls into the following:

Overall security rating Poor:

● It indicates that severity of at least one server is rated Critical (hacked), or severity of at least one host is rated Critical (infected with malware).

Overall security rating Fair:

● It indicates that severity of at least one server is rated High (ever been attacked), or severity of at least one host is rated High (most likely infected with malware).
● It indicates that severity of at least one server is rated Medium (data ever been harvested), or severity of at least one host is rated Medium (likely infected with malware).

Overall security rating Good:

● It indicates that severity of at least one server is rated Medium (data ever been harvested), or severity of at least one host is rated Medium (less likely infected with malware).

Overall security rating Excellent:

● It indicates that no server is vulnerable, or no host is likely infected with malware.

Impacts
Backlink

A backlink is a hidden hyperlink that links from a defaced webpage back to a specific webpage or website, also called an inbound link. Backlinks are generally used to illegitimately link to another website, or to obtain a WEBSHELL on websites with high Page Rank (PR) or weight in search engines after exploiting the vulnerabilities on the web server. The attacker will then inject backlinks that link to its own website. A backlink is no different from an outbound link in nature, with the same purpose of getting a higher page rank, but it may cause legal risk if the website is linked to gambling, games, porn or other illegal contents.


Read more: http://sec.sangfor.com/attacks/4.html

Solution:
● Scan for and remove the backlink injections in HTML source code
● Download anti-malware software, scan for and remove the backlink injected into the website (Download Anti-Malware software: http://sec.sangfor.com/apt)

WEBSHELL Backdoor

The attacker takes advantage of a confirmed vulnerability on the web server and injects a WebShell onto the
web server. With the help of the WEBSHELL, the attacker could access the database, execute system commands
and manipulate the web server in the long run.

Read more: https://en.wikipedia.org/wiki/Backdoor_Shell

Solution:
● Download anti-malware software, scan for and remove the potential WEBSHELL or viruses on the server (Download Anti-Malware software: http://sec.sangfor.com/apt)
● Configure a corresponding web application protection rule and set Action to Deny.

Bot Controlled

Once a host is infected with a worm, virus or Trojan, the host can be remotely controlled by the attacker, who may launch a variety of attacks (DoS, APT, etc.) aiming to destroy the customer's network or crucial application systems and steal confidential data.

Read more: https://en.wikipedia.org/wiki/Botnet

Solution:
● Download anti-malware software to scan for and remove malware on the infected host. (Download Anti-malware Software: http://sec.sangfor.com/apt)

Ever been attacked

The attacker employs advanced techniques to initiate intrusions and attacks against a specific enterprise network, with the purpose of stealing corporate data. This type of attack is often more hidden, organized and persistent, following long-term planning and operation. Since the attacker is very good at hiding, data theft may eventually turn into cyber espionage.


● SQL Injection: The attacker makes use of a vulnerability in the database and steals data from it, causing data and account leaks.
● Brute-force Attack: The attacker uses tools to perform brute-force attacks against servers that have password-based authentication enabled. After a successful attack, the attacker can execute arbitrary commands through that server.
● XSS Attack: The attacker makes use of the vulnerability to execute commands, obtain system running information, create new system user accounts and enable remote control to control the web server.

Read more: https://en.wikipedia.org/wiki/SQL_injection

Solution:
● Configure a corresponding web application protection rule and set Action to Deny.
● Configure a corresponding IPS rule and set action to Deny.

Server Security Ratings

● Stages of Attack

● Severity Ratings

No. Severity Description Level

1 Hacked Server has been hacked with WEBSHELL or backlink, etc. 5

2 Ever been attacked No data proves that server has been hacked, but some logs show that intrusions have ever occurred, such as SQL injection, brute-force login, WEBSHELL upload, etc. 3-4

3 Data ever been harvested No data proves that server has been hacked, but there is proof that data have been harvested. 2

4 Vulnerable No data or log proves that server has been hacked, but server contains security vulnerabilities. 1

Bot Threat

● Stages of Attack

● Severity Ratings

No. Severity Threat Level Description

1 Infected (Host is acting like a host infected with malware.)
Level 10: Host visits malicious URL, domain name and IP address related to known malware, sends data out and may have infected database server.
Level 9: Host visits malicious URL, domain name and IP address related to known malware, attempts to spread malicious file to other hosts.
Level 8: Host visits URL, domain name or IP address related to known malware.

2 High (Host is most likely infected with malware.)
Level 7: Host launches outgoing DDoS attacks or visits suspicious Conficker domain names.
Level 6: Host sends or receives suspicious packets related to malware, or spreads malicious shellcode.
Level 5: Host visits DGA-generated domain names, or initiates reverse connection.

3 Medium (Host is not acting like an infected host but malware intrusion has ever occurred.)
Level 4: Host downloads malicious executable files, PDF files or Trojan virus-infected webpage, but has not been infected yet.
Level 3: Host downloads suspicious files with unmatching extension or name, but has not been infected yet.

4 Low (Host is less likely infected with malware.)
Level 2: Host uses protocols related to malware (such as IRC, HFS, etc.) and accesses suspicious domain names or IP addresses related to malware.
Level 1: Abnormal traffic is detected, such as SSL protocol uses other ports rather than the standard port 443, but threat level is low. Host may visit phishing/fake websites/emails that steal accounts.
