# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known shells, remote toolkits, etc. signatures for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# How this file is organised (reader notes; the rule text itself is unchanged):
#
#   * Each signature section is guarded by a cheap "@pm" phrase prefilter whose
#     actions end in "pass,nolog,skip:1". When a phrase matches, the SecAction
#     that follows (a "skipAfter:<MARKER>") is skipped and the section's regex
#     rules run; when nothing matches, the SecAction jumps over the section.
#     A phrase that is missing or misspelled in a prefilter list therefore also
#     disables the regex rule that depends on it.
#   * skipAfter only moves within the phase the skipping rule runs in, so a
#     phase:4 skip leaves the phase:2 request rules untouched and vice versa.
#   * SecDefaultAction below makes every rule without its own disruptive action
#     deny with 403 in phase 2. The response-body (phase 4) rules override this
#     with status:404 so a detection looks like a missing page.
#   * The <LocationMatch> blocks at the end disable rule ids for matching
#     paths. LocationMatch takes a regex and is unanchored unless written with
#     ^/$, so an exception such as "/setup/" applies to any path containing it.
#   * Lines marked NOTE(review) are observations to confirm, not facts.

# Master list of known malware script file names (disabled).
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"

#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

# NOTE(review): the next line ends in a backslash. Apache joins continued
# lines before it looks for the leading "#", so the action string below it
# becomes part of this comment rather than a live directive; nothing here
# is active, which is presumably intended.
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \
"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"

# Default for every rule in this file that does not set its own disruptive
# action: log, write an audit-log entry and deny with 403 in phase 2.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"

# Exemption for port 30000 (control panels, ASL GUI, etc. per the original
# comment): jump to END_ROOTKIT_ALL.
# NOTE(review): this rule runs in phase:4, so the skip only covers the
# response-body rules of this file; the phase:2 request rules still apply to
# port 30000. Confirm which of the two behaviours is intended, and that
# nothing untrusted is served on that port, since this is a wholesale
# bypass rather than a narrow exception.
SecRule SERVER_PORT "@streq 30000" phase:4,id:333852,pass,t:none,nolog,skipAfter:END_ROOTKIT_ALL

# Static media: skip the phase:2 request rules (to END_ROOTKIT_FINAL). The
# decision keys only on the client-supplied filename extension after
# lowercasing; it does not inspect content or the response.
SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333853,skipAfter:END_ROOTKIT_FINAL

# --- Remote file inclusion section (prefilter: a URL scheme in URI or args) ---
SecRule REQUEST_URI|ARGS "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" \
    "id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333760,t:none,pass,nolog,skipAfter:END_ROOTKIT_RFI

# Disabled: generic remote include of a shell (390144). Still referenced by
# SecRuleRemoveById exceptions at the end of this file.
#SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" \
# "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)" \
#shell patterns
# 390145: a "=<scheme>://...<file>.<ext>?" parameter value, where the extension
# is one used for dropped shell sources. Chained with an exclusion of known
# legitimate redirector paths.
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" \
    "t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Rootkit attack: Generic Attempt to install shell'"
# NOTE(review): in ModSecurity 2.x transformations belong to the rule that
# declares them and are not inherited by chain members, so this exclusion is
# tested against the raw URI while the pattern is written in lowercase
# (homecounter\.php) — confirm it behaves as intended.
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)" \

# 390902: an argument that is a direct link into a known file-hosting site
# (unauthorized download client / "leech" abuse).
SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
    "t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Unauthorized Download Client'"

#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"

SecMarker END_ROOTKIT_RFI

# Joomla PHP shells: any .php requested under an /images/stories/ directory.
#SecRule REQUEST_URI
SecRule REQUEST_URI "/images/stories/.+\.php" \
    "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Attempt to Access unauthorized shell or exploit in Joomla images directory',logdata:'%{TX.0}'"

# Fake major domains: a well-known host name followed by ".com.<something>",
# i.e. a look-alike domain used in an injected URL.
SecRule REQUEST_URI|ARGS "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" \
    "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'"

# --- Known shell URL section (prefilter: typical shell parameter names) ---
SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" \
    "id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333761,t:none,pass,nolog,skipAfter:END_KNOWN_ROOTKITS

# Known shell URLs: a non-script extension followed by "?&cmd=/inc=/name=",
# or a .php "act" parameter. Free-text arguments are excluded from the scan.
# NOTE(review): "\.php\?act=?:(chmod&f|cmd|ls|f&f)" reads as an optional "="
# followed by a literal ":" rather than a non-capturing group "(?:", so it
# matches "act:cmd" / "act=:cmd" but not "act=cmd" — probably a misplaced "?:".
SecRule REQUEST_URI|ARGS|!ARGS:description|!ARGS:resolution|!ARGS:solution|!ARGS:message|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|\.php\?act=?:(chmod&f|cmd|ls|f&f))" \
    "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible attempt to run malware',logdata:'%{TX.0}'"

# Request header names used by backdoor clients (x_key / x_file). Denies with
# 404 instead of the default 403.
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'"

# ASP shells: an .asp filename chained with known ASP shell query strings.
SecRule REQUEST_FILENAME "\.asp" \
    "chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)"

SecMarker END_KNOWN_ROOTKITS

# --- Response-body section (phase 4): detect an installed shell, mailer or
# download client by the page it renders. These rules only see the body if
# response body access is enabled in the main ModSecurity configuration,
# which is outside this file.
SecRule RESPONSE_BODY "@pm boff dark-mailer telnet shell exploit-db.com phpftp explorer aventis remote injection rhtools commander terminal remoteview ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver11 vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce" \
    "id:333856,rev:2,phase:4,t:none,pass,nolog,skip:1"
SecAction phase:4,id:333762,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY

# Spam-tool (mass mailer) page markers. Adds the response body (part E) to
# the audit log for this transaction.
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|<title>dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" \
    "phase:4,t:none,t:lowercase,t:compressWhitespace,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'"

# Rapidleech (download client) page markers.
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|you are not allowed to leech from|alt=\"rapidleech plugmod|<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
    "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:10,severity:'2'"

# Exclusions from the shell-signature scan below: REPORT requests, the
# Wordfence plugin-information page, and responses whose <title> looks like a
# webmail / Horde page.
SecRule REQUEST_METHOD "^REPORT$" \
    phase:4,rev:2,id:334785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" \
    phase:4,rev:2,id:364785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

# Response-title exclusion (webmail).
SecRule RESPONSE_BODY "<title>(?:.{0,64}Web[m|M]ail|Horde \:\:)" \
    phase:4,rev:2,id:333785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

# Known web shell / bot interface strings in the response. Denies with a 404
# ("trick them with a 404" in the original) so the page appears absent rather
# than blocked.
SecRule RESPONSE_BODY "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|emoteview|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|s(?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?: mode(?: bypass|execdir)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver11)" \
    "capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible remote shell or bot access denied',id:'390149',rev:48,severity:'2',logdata:'%{TX.0}'"

SecMarker END_ROOTKIT_BODY

# --- Generic PHP shell payload section, URL-decoded input ---
# NOTE(review): "stripshashes" in this and the two later prefilter lists looks
# like a typo for "stripslashes", which is how the regex rules spell it; the
# other phrases still open the section, so the regex remains reachable.
SecRule REQUEST_URI|ARGS "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" \
    "id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333763,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_2

# Generic payload, e.g.
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
#
# 390801: inline PHP opening tag followed by an exec-family call, a
# stripslashes/passthru on $_REQUEST, or eval of a decoded blob. Free-text
# arguments are excluded; chained with an exclusion for the VaultPress cron URL.
SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \
    "t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)"

# Markers left by a known broken attack tool ("wormsign").
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
    "capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Known Wormsign',logdata:'%{TX.0}'"

# New SQL attack seen (390804, disabled; still referenced by the /import.php
# exception at the end of this file).
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" \
#"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Known shell SQL payload',logdata:'%{TX.0}'"

SecMarker END_ROOTKIT_BODY_2

# --- Same generic payload, hex-decoded input ---
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
    "phase:2,id:333786,t:none,t:hexDecode,pass,nolog,skip:1"
SecAction phase:2,id:333764,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_3

# 390810: chain starter is the VaultPress URL exclusion; the payload regex is
# the second rule of the chain.
# NOTE(review): t:hexDecode and t:lowercase are declared on this first rule
# only. Since transformations are not inherited by chain members, the payload
# regex below is presumably matched against un-decoded, original-case input,
# which would make this section behave like the URL-decoded one above —
# confirm against the ModSecurity version in use. The same applies to 390811.
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
    "chain,capture,t:none,t:hexDecode,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_3

# --- Same generic payload, base64-decoded input ---
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
    "id:333859,phase:2,t:none,t:base64Decode,pass,nolog,skip:1"
SecAction phase:2,id:333765,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_4

SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
    "chain,capture,t:none,t:base64Decode,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_4

# Disabled variant using t:decodeBase64Ext, gated on MODSEC_BUILD.
# NOTE(review): if re-enabled as written it reuses id 390811, which is already
# assigned to the active base64 rule above; ModSecurity 2.7+ rejects duplicate
# rule ids at startup, so it would need a new id.
#SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
# "phase:2,t:none,t:decodeBase64Ext,pass,nolog,skip:1"
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" \
#"capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
#SecMarker END_ROOTKIT_BODY_5

# --- Known rootkit / perl dropper section ---
SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php 404.php.jpg webadmin.php.flv" \
    "id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333766,t:none,pass,nolog,skipAfter:END_PERL_EXEC

# Generic remote perl execution with .pl extension, plus well-known rootkit
# file names. multimatch re-runs the operator after each transformation
# (t:urlDecodeUni, t:cmdline), so a match is attempted on the decoded and
# the cmdline-normalised forms as well as the original.
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt)" \
    "capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"

SecMarker END_PERL_EXEC

# Rapidleech identified by its authentication realm (phase 3, response headers).
SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" \
    "capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"

# --- Shell command section (prefilter: common command names) ---
# NOTE(review): "smclient" here does not match the "smbclient" the regex
# rules below look for and looks like a typo; the section is still opened by
# the other phrases.
SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" \
    "id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1"
SecAction phase:2,id:333767,rev:3,t:none,pass,nolog,skipAfter:END_KNOWN_SIGNS

# Known shells: a command line passed in the cmd / act / command / action
# parameters typically used by shell front-ends.
SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "(?:ls(?: -|\&)|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)|mv |unzip |tar |rm |cat |rar |selfremove)" \
    "capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

# For direct CGI type commands, i.e. the command is the whole query string:
#http://example.com/cmd.cgi?cat /etc/passwd
SecRule REQUEST_URI "\?(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)|mv |unzip |tar |rm |cat |rar )" \
    "capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390907,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

# PHP shell probe: an "ev" parameter beginning with "print <digit>;".
SecRule ARGS:ev "^print [0-9];" \
    "capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"

# New known injected payload (390906, disabled).
#SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" \
#"capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

SecMarker END_KNOWN_SIGNS

# Uploaded PHP files in WordPress theme cache directories. This rule names its
# disruptive action explicitly (log,deny,auditlog) and is chained with an
# exclusion for the legitimate cache/timthumb.php.
SecRule REQUEST_FILENAME "/wp-content/themes/.+/cache/.+\.php[345]?$" "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain"
SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)"

SecMarker END_ROOTKIT_FINAL

# --- Per-path exceptions ---
# LocationMatch arguments are regexes matched anywhere in the URI path unless
# anchored; "." is a wildcard and the trailing "*" in the mod_oneononechat
# entry is a quantifier, not a glob. Several ids removed here (390147, 390148,
# 390800) are not defined in this file and 390804 is commented out above —
# presumably they live in a sibling rules file; removing an unknown id is a
# no-op. The repeated removal of 390801/390810/390811 on admin editor pages
# presumably reflects that those forms legitimately submit PHP-like source.
<LocationMatch homeCounter.php>
    SecRuleRemoveById 390144
    SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php>
    SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
    SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /autogallery/autogallery.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
    SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
    SecRuleRemoveById 390801
    SecRuleRemoveById 390810
    SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
    SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /whois/quick.php>
    SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
    SecRuleRemoveById 390902
</LocationMatch>
<LocationMatch /administrator/>
    SecRuleRemoveById 390902
</LocationMatch>
<LocationMatch ^/img/logos_square/shell.gif$>
    SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch ^/plugins/editors/jckeditor/plugins/jfilebrowser/images/icons/gif.gif$>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/templates/data_templates/data_templates.php>
    SecRuleRemoveById 390801
    SecRuleRemoveById 390810
    SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch /nagios/cgi-bin/cmd.cgi>
    SecRuleRemoveById 390800
</LocationMatch>
<LocationMatch /tools_cron.php>
    SecRuleRemoveById 390904
</LocationMatch>
<LocationMatch /admin/layout/edit/>
    SecRuleRemoveById 390801
    SecRuleRemoveById 390810
    SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch /nagios/stylesheets/cmd.css>
    SecRuleRemoveById 390800
</LocationMatch>
<LocationMatch /adjs.php>
    SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /wp-admin/admin-ajax.php>
    SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /wp-admin/plugin-editor.php>
    SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /import.php>
    SecRuleRemoveById 390804
</LocationMatch>
<LocationMatch /terms.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /jfilebrowser/images/icons/gif.gif>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /thumbs/>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /modules/mod_jw_ajaxnf/>
    SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /wp-admin/nav-menus.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /themes/default/graphics/>
    SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /catalog/product/cache/>
    SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /installation/index.php>
    SecRuleRemoveById 390907
</LocationMatch>
<LocationMatch /wp-admin/theme-editor.php>
    SecRuleRemoveById 390801
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-admin/post.php>
    SecRuleRemoveById 390149
    SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /admin/scripts/shell.js>
    SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /timthumb.php>
    SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /connectors/workspace/packages-rest.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/supporttickets.php>
    SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /piwik.php>
    SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /pwiki.php>
    SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /json-api/cpanel>
    SecRuleRemoveById 390904
</LocationMatch>
<LocationMatch /picat/admin/>
    SecRuleRemoveById 390149
</LocationMatch>

SecMarker END_ROOTKIT_ALL