/etc/apache2/conf.d/modsec2/ Current File: //etc/apache2/conf.d/modsec2/50_asl_rootkits.conf
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known shells, remote toolkits, etc. signatures for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is 
# prohibited unless prior written permission is obtained from the 
# copyright holder. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS   
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE   
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE   
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE   
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR   
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF   
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS   
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN   
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)   
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF   
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---

# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security


#Master list of known malware script file names
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"  

#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"

SecDefaultAction "log,deny,auditlog,phase:2,status:403"

#Skip SPAM rules if this is a not something to check for spam, like control panels, ASL gui, etc.
SecRule SERVER_PORT "@streq 30000" phase:4,id:333852,pass,t:none,nolog,skipAfter:END_ROOTKIT_ALL

SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333853,skipAfter:END_ROOTKIT_FINAL

SecRule REQUEST_URI|ARGS "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" \
        "id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333760,t:none,pass,nolog,skipAfter:END_ROOTKIT_RFI

#SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" \
#	"t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)" \

#shell patterns
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" \
	"t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Rootkit attack: Generic Attempt to install shell'"
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)" \

SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Unauthorized Download Client'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_RFI

#Jooma PHP Shells
#SecRule REQUEST_URI
SecRule REQUEST_URI  "/images/stories/.+\.php" \
        "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Attempt to Access unauthorized shell or exploit in Joomla images directory',logdata:'%{TX.0}'"

#Fake Major domains
SecRule REQUEST_URI|ARGS  "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'"

SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" \
        "id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333761,t:none,pass,nolog,skipAfter:END_KNOWN_ROOTKITS


#known shell URLS
SecRule REQUEST_URI|ARGS|!ARGS:description|!ARGS:resolution|!ARGS:solution|!ARGS:message|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix  "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|\.php\?act=?:(chmod&f|cmd|ls|f&f))" \
        "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible attempt to run malware',logdata:'%{TX.0}'"

#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'"

#ASP sigs
SecRule REQUEST_FILENAME "\.asp" \
	"chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI   "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)" 

SecMarker END_KNOWN_ROOTKITS

SecRule RESPONSE_BODY "@pm boff dark-mailer telnet shell exploit-db.com phpftp explorer aventis remote injection rhtools commander terminal remoteview ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver11 vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce" \
        "id:333856,rev:2,phase:4,t:none,pass,nolog,skip:1"
SecAction phase:4,id:333762,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY

SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|<title>dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" \
        "phase:4,t:none,t:lowercase,t:compressWhitespace,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'"

#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|you are not allowed to leech from|alt=\"rapidleech plugmod|<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
        "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:10,severity:'2'"

SecRule REQUEST_METHOD "^REPORT$" \
phase:4,rev:2,id:334785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" \
phase:4,rev:2,id:364785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

#Request Body patterns
SecRule RESPONSE_BODY  "<title>(?:.{0,64}Web[m|M]ail|Horde \:\:)" \
phase:4,rev:2,id:333785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY

#trick them with a 404
SecRule RESPONSE_BODY  "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|emoteview|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|s(?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?: mode(?: bypass|execdir)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver11)" \
        "capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible remote shell or bot access denied',id:'390149',rev:48,severity:'2',logdata:'%{TX.0}'"

SecMarker END_ROOTKIT_BODY


SecRule REQUEST_URI|ARGS "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" \
        "id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333763,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_2
#generic payload
#if (isset($_GET['cmd']))          passthru(stripslashes($_GET['cmd']));
#
SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \
"t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)"

#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Known Wormsign',logdata:'%{TX.0}'"

#New SEL attack seen
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" \
#"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Known shell SQL payload',logdata:'%{TX.0}'"

SecMarker END_ROOTKIT_BODY_2

SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
        "phase:2,id:333786,t:none,t:hexDecode,pass,nolog,skip:1"
SecAction phase:2,id:333764,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_3

SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
"chain,capture,t:none,t:hexDecode,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution   "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_3

SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
        "id:333859,phase:2,t:none,t:base64Decode,pass,nolog,skip:1"
SecAction phase:2,id:333765,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_4

SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
"chain,capture,t:none,t:base64Decode,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_4

#SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
#        "phase:2,t:none,t:decodeBase64Ext,pass,nolog,skip:1"
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#
#SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" \
#"capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
#SecMarker END_ROOTKIT_BODY_5

SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php 404.php.jpg webadmin.php.flv" \
        "id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333766,t:none,pass,nolog,skipAfter:END_PERL_EXEC
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt)" \
"capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:7,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
SecMarker END_PERL_EXEC

SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" \
        "capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"

SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" \
        "id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1"
SecAction phase:2,id:333767,rev:3,t:none,pass,nolog,skipAfter:END_KNOWN_SIGNS

#Known shells
SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "(?:ls(?: -|\&)|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)|mv |unzip |tar |rm |cat |rar |selfremove)" \
"capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:12,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

#for direct CGI type commands
#http://example.com/cmd.cgi?cat /etc/passwd
SecRule REQUEST_URI "\?(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)|mv |unzip |tar |rm |cat |rar )" \
"capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390907,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"

#new known injected payload
#SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" \
#"capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"

SecMarker END_KNOWN_SIGNS

#Uploaded php files in the WP cache directories
SecRule REQUEST_FILENAME "/wp-content/themes/.+/cache/.+\.php[345]?$" "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain"
SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)"

SecMarker END_ROOTKIT_FINAL

<LocationMatch homeCounter.php> 
  SecRuleRemoveById 390144
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php> 
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
  SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /autogallery/autogallery.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
  SecRuleRemoveById 390801
  SecRuleRemoveById 390810
  SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
  SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /whois/quick.php>
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
  SecRuleRemoveById 390902
</LocationMatch>
<LocationMatch /administrator/>
  SecRuleRemoveById 390902
</LocationMatch>
<LocationMatch ^/img/logos_square/shell.gif$>
  SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch ^/plugins/editors/jckeditor/plugins/jfilebrowser/images/icons/gif.gif$>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/templates/data_templates/data_templates.php>
  SecRuleRemoveById 390801
  SecRuleRemoveById 390810
  SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch /nagios/cgi-bin/cmd.cgi>
  SecRuleRemoveById 390800
</LocationMatch>
<LocationMatch /tools_cron.php>
SecRuleRemoveById 390904
</LocationMatch>
<LocationMatch /admin/layout/edit/>
  SecRuleRemoveById 390801
  SecRuleRemoveById 390810
  SecRuleRemoveById 390811
</LocationMatch>
<LocationMatch  /nagios/stylesheets/cmd.css>
  SecRuleRemoveById 390800
</LocationMatch>
<LocationMatch /adjs.php>
  SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /wp-admin/admin-ajax.php>
  SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /wp-admin/plugin-editor.php>
  SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /import.php>
  SecRuleRemoveById 390804
</LocationMatch>
<LocationMatch /terms.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /jfilebrowser/images/icons/gif.gif>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /thumbs/>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /modules/mod_jw_ajaxnf/>
  SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /wp-admin/nav-menus.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /themes/default/graphics/>
  SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /catalog/product/cache/>
  SecRuleRemoveById 390148 390800
</LocationMatch>
<LocationMatch /installation/index.php>
  SecRuleRemoveById 390907
</LocationMatch>
<LocationMatch /wp-admin/theme-editor.php>
  SecRuleRemoveById 390801
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-admin/post.php>
  SecRuleRemoveById 390149
  SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /admin/scripts/shell.js>
  SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /timthumb.php>
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /connectors/workspace/packages-rest.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/supporttickets.php>
  SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /piwik.php>
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /pwiki.php>
  SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /json-api/cpanel>
  SecRuleRemoveById 390904
</LocationMatch>
<LocationMatch  /picat/admin/>
  SecRuleRemoveById 390149
</LocationMatch>

SecMarker END_ROOTKIT_ALL