Forum Discussion
WireX DDoS Android Malware Question
Hi
I'm re-posting here this question I found on this site because I'm facing the same behavior in our F5-ASM:
https://www.ethicalhacker.net/forums/topic/wirex-ddos-android-malware-question/
So if someone has faced the same, please advise :)
Hello everyone
I help to manage a WAF in my organization and we get approximately 2000 log entries per month, mainly on our main corporate website’s WAF policy, that trigger a signature that concerns the WireX DDoS Android Malware. Here is an example request (headers only):
GET /blah/blah/blah HTTP/1.1
Host: http://www..com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-language: en
x-requested-with:
content-language: en
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: https://blablabal.com/redirect
Accept-Encoding: gzip, deflate
I believe the empty x-requested-with: header is what is triggering this signature.
My question for you is – is this still a concern? Should we still continue to block these requests or based on what you see above, could this be a false positive?
Thank you.
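Before deciding whether to keep blocking, it helps to pull the suspected trigger out of the raw log entries and count how often it actually occurs on its own. The following is an added triage helper, not the F5 ASM signature and not code from the thread: it parses a request header block like the one quoted above, reports whether X-Requested-With is present but empty (the condition the poster believes is firing the WireX signature), and separately notes whether the User-Agent carries the Android WebView "wv" token. The WebView check, the sample requests and the names below are my own assumptions for illustration.

```python
"""Triage helper for the empty X-Requested-With indicator discussed above.

Added example, not F5 ASM's signature logic. It parses a raw HTTP request
header block, flags an X-Requested-With header that is present but empty,
and notes whether the User-Agent looks like an Android WebView ("wv").
The WebView check is an assumption added for triage context only.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, modelled on the headers quoted in the post.
# 1) Empty X-Requested-With from an Android WebView-style User-Agent.
WEBVIEW_EMPTY_XRW = """GET /blah/blah/blah HTTP/1.1
Host: www.example.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Sec-Fetch-Dest: document
x-requested-with:
Referer: https://example.invalid/redirect
Accept-Encoding: gzip, deflate
"""
# 2) Ordinary desktop browser, header absent.
DESKTOP_NO_XRW = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.119 Safari/537.36
Accept-Encoding: gzip, deflate
"""
# 3) AJAX call, header populated (constructed value).
AJAX_POPULATED_XRW = """GET /api/status HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.119 Safari/537.36
X-Requested-With: XMLHttpRequest
"""


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) pairs.

    Header names are lower-cased for case-insensitive lookup; values are
    stripped of surrounding whitespace. Duplicate headers keep their order.
    """
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def first_header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value for a header name, or None if it is absent."""
    wanted = name.lower()
    for key, value in headers:
        if key == wanted:
            return value
    return None


def triage(raw: str) -> Dict[str, object]:
    """Report the indicators relevant to this signature for one request."""
    request_line, headers = parse_headers(raw)
    xrw = first_header(headers, "x-requested-with")
    ua = first_header(headers, "user-agent") or ""
    return {
        "request_line": request_line,
        "x_requested_with_present": xrw is not None,
        "x_requested_with_empty": xrw == "",
        # Assumed heuristic: Android WebView UAs carry a "wv" token.
        "android_webview_ua": bool(re.search(r"\bAndroid\b.*;\s*wv\)", ua)),
    }


def summarise(requests: List[str]) -> Dict[str, int]:
    """Count how often the empty header occurs across a batch of requests."""
    results = [triage(r) for r in requests]
    empty = [r for r in results if r["x_requested_with_empty"]]
    return {
        "total": len(results),
        "empty_x_requested_with": len(empty),
        "empty_header_and_webview_ua": sum(1 for r in empty if r["android_webview_ua"]),
    }


if __name__ == "__main__":
    for sample in (WEBVIEW_EMPTY_XRW, DESKTOP_NO_XRW, AJAX_POPULATED_XRW):
        print(triage(sample))
    print(summarise([WEBVIEW_EMPTY_XRW, DESKTOP_NO_XRW, AJAX_POPULATED_XRW]))
```

Run over an export of the month's matching log entries, the summary shows whether the empty header is the only thing these requests have in common. A populated X-Requested-With value from an Android client is normally the package name of the app embedding the WebView, so an empty value with a WebView User-Agent is unusual but not proof of anything on its own; correlating the source addresses and request rate is what separates a DDoS pattern from a handful of odd clients.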