modsecurity-waf/nginx-waf/50_asl_rootkits.conf

# Default for every rule below that does not name its own phase or disruptive
# action (391111 and 390150 rely on it): evaluate in phase 2, log, and deny with 403.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Per-path exclusions for the detection rules further down. Each one matches
# REQUEST_FILENAME (lowercased, so the patterns must be lowercase; unanchored
# regex unless it starts with ^) and on a hit passes silently while removing the
# listed rule id(s) for the rest of this transaction with ctl:ruleRemovebyID,
# which is why a phase-2 exclusion can switch off phase-4 response-body rules
# such as 390149. Being unanchored substrings, patterns such as "/setup/" or
# "/administrator/" also match any deeper path containing that segment, and
# "chatfiles/*" means "chatfiles" followed by zero or more slashes, not a glob.
# NOTE(review): 390144 (removed by 95286, 95289, 95319), 390804 (95322) and
# 390907 (95330, 95339) are commented out in this file, and 390145's siblings
# 390147, 390148 and 390800 are not defined in this file at all (presumably in
# another rule file); removing an id that is not loaded is a no-op.
# NOTE(review): /wp-admin/admin-ajax\.php appears twice (95320 removes 390801,
# 95346 removes 390149); both fire, but they could be a single rule.
SecRule REQUEST_FILENAME "homecounter\.php" "phase:2,id:95286,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "moderation\.php" "phase:2,id:95287,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/paadmin/file_manager\.php" "phase:2,id:95288,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/__utm\.gif" "phase:2,id:95289,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144"
SecRule REQUEST_FILENAME "/administrator/index\.php" "phase:2,id:95290,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/ota/admin/file_manager\.php" "phase:2,id:95291,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/shop_file_manager\.php" "phase:2,id:95292,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/file_manager\.php" "phase:2,id:95293,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/modules/mod_oneononechat/chatfiles/*" "phase:2,id:95294,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/fud/adm/admbrowse\.php" "phase:2,id:95295,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-cron\.php" "phase:2,id:95296,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/admin/mods/easymod/easymod_install\.php" "phase:2,id:95297,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/autogallery/autogallery\.php" "phase:2,id:95298,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/alfresco/scripts/onload\.js" "phase:2,id:95299,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/assets/files/who/" "phase:2,id:95300,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,id:95301,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/setup/" "phase:2,id:95302,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/administrator/index2\.php" "phase:2,id:95303,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/sales/soap\.php" "phase:2,id:95304,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/twg177/admin/" "phase:2,id:95305,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/images/smilies/" "phase:2,id:95306,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/admin/dogen_display\.php" "phase:2,id:95307,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/horde/themes/graphics/" "phase:2,id:95308,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/whois/quick\.php" "phase:2,id:95309,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/ubbthreads\.php" "phase:2,id:95310,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902"
SecRule REQUEST_FILENAME "/administrator/" "phase:2,id:95311,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902"
SecRule REQUEST_FILENAME "^/img/logos_square/shell\.gif$" "phase:2,id:95312,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "^/plugins/editors/jckeditor/plugins/jfilebrowser/images/icons/gif\.gif$" "phase:2,id:95313,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/admin/templates/data_templates/data_templates\.php" "phase:2,id:95314,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/nagios/cgi-bin/cmd\.cgi" "phase:2,id:95315,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/tools_cron\.php" "phase:2,id:95316,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904"
SecRule REQUEST_FILENAME "/admin/layout/edit/" "phase:2,id:95317,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/nagios/stylesheets/cmd\.css" "phase:2,id:95318,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/adjs\.php" "phase:2,id:95319,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95320,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/wp-admin/plugin-editor\.php" "phase:2,id:95321,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/import\.php" "phase:2,id:95322,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390804"
SecRule REQUEST_FILENAME "/terms\.php" "phase:2,id:95323,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/jfilebrowser/images/icons/gif\.gif" "phase:2,id:95324,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/thumbs/" "phase:2,id:95325,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/modules/mod_jw_ajaxnf/" "phase:2,id:95326,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/wp-admin/nav-menus\.php" "phase:2,id:95327,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/themes/default/graphics/" "phase:2,id:95328,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/catalog/product/cache/" "phase:2,id:95329,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/installation/index\.php" "phase:2,id:95330,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390907"
SecRule REQUEST_FILENAME "/wp-admin/theme-editor\.php" "phase:2,id:95331,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:95332,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/admin/scripts/shell\.js" "phase:2,id:95333,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/timthumb\.php" "phase:2,id:95334,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/connectors/workspace/packages-rest\.php" "phase:2,id:95335,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/supporttickets\.php" "phase:2,id:95336,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/piwik\.php" "phase:2,id:95337,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/pwiki\.php" "phase:2,id:95338,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/json-api/cpanel" "phase:2,id:95339,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904,ctl:ruleRemovebyID=390907"
SecRule REQUEST_FILENAME "/picat/admin/" "phase:2,id:95340,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/viewticket\.php" "phase:2,id:95341,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/supporttickets\.php" "phase:2,id:95342,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/dokuwiki/doku\.php" "phase:2,id:95343,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/edit-comments\.php" "phase:2,id:95344,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/clientsservices\.php" "phase:2,id:95345,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95346,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known shells, remote toolkits, etc. signatures for modsec 2.x
#
# Copyright 2005-2023 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#Master list of known malware script file names
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
#Skip these rules when the request is not something worth checking for malware,
#like control panels, the ASL gui, etc.
# Port 30000 (presumably the ASL gui — confirm): this is a phase-4 rule, so it
# jumps past the remaining response-body rules of this file; the phase-2
# request rules are not affected by it.
SecRule SERVER_PORT "@streq 30000" "phase:4,id:333852,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_ALL"
# Static media / document extensions and two known-noisy URIs: skip the rest of
# the phase-2 request rules in this file. skipAfter only reaches rules of the
# same phase, so the phase-4 response checks below still run for these requests
# (e.g. the GIF89 check still sees a .gif response).
SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp|bk)|mp(?:3|4|e?g)|cgm|s(?:vg|wf)|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt)$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333853,skipAfter:END_ROOTKIT_FINAL"
SecRule REQUEST_URI "^/(?:eprocservice/supplierinboundservice|\?_task=mail)" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:331853,skipAfter:END_ROOTKIT_FINAL"
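#possible crypto mining tools
#mining.submit mining.subscribe mining.authorize
#EthereumStratum|MinerName/1.0.0|cpuminer/2.5.1
# Stratum method names and miner user-agent fragments in the request line or any
# argument (URL-decoded, lowercased). No phase or disruptive action is given, so
# SecDefaultAction at the top of the file supplies phase:2 and deny/403.
# rev:3 — the "authorized" alternative has become "authorized?" so that the
# mining.authorize method listed in the comment above is actually matched (the
# old pattern only matched "mining.authorized"), and the duplicated
# "ethereumstratum" alternative was dropped.
SecRule REQUEST_URI|ARGS "(?:mining\.(submit|authorized?|subscribe)|ethereumstratum|minername/|cpuminer/|eth_submitlogin|xmrig/|xmr-stak-cpu)" "t:none,t:urlDecodeUni,t:lowercase,capture,id:391111,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Cryptomalware attack blocked',logdata:'%{TX.0}'"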
# Remote-include / remote-shell section. The @pm prefilter looks for a URL
# scheme in the URI or any argument except SAMLResponse; on a hit skip:1 steps
# over the SecAction below, otherwise that SecAction jumps to END_ROOTKIT_RFI.
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" "id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333760,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_RFI"
# 390144 (disabled): the ruleRemovebyID exclusions for it at the top of this
# file currently have nothing to remove.
#SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)"
#
#shell patterns
# 390145 (chain): "=<scheme>:/<anything>.<c|dat|kek|sh|txt|text|tmp>?" in the
# URI, chained with a negative list of known legitimate redirector/tracking
# URIs (horde go.php, tiki-view_cache.php, __utm.gif, ...). Replies 404, not
# the default 403.
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell'"
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)"
# 390902: an argument whose whole value (^ ... /.+) is a URL on one of the
# listed file-hosting sites, i.e. a download-client ("leech") request. Replies 404.
SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client'"
# 390901 (disabled): the older rapidshare/megaupload-only variant of 390902.
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" "capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_RFI
#Joomla and wordpress PHP Shells
#SecRule REQUEST_URI
# 318812: any .php under upload/image directories that should only hold data
# files (Joomla images/stories, smartformer, job-manager uploads). Replies 404.
SecRule REQUEST_URI "(?:/images/stories/|/components/com_smartformer/files/|/uploaded_files/user/|uploads/job-manager-uploads/).*\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in images directory',logdata:'%{TX.0}'"
# 318814: "/<common name><digits>.php" (title12.php, cache3.php, ...). Note this
# one uses t:removewhitespace where the neighbouring rules use compressWhitespace.
SecRule REQUEST_URI "/(?:title|sourceinc|xml|general|info|dir|javascript|cache|menu|themes|functions|dump|inc)[0-9]+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:removewhitespace,capture,id:318814,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit',logdata:'%{TX.0}'"
# 318912: Joomla cache.uniq_<n>.php / cache.managed.php and the remository
# files directory.
# NOTE(review): "/*/*" is a regex here, not a glob — it matches only runs of
# slashes, so that branch effectively requires "com_remository_files" + slashes
# + ".php"; confirm whether ".*" was intended.
SecRule REQUEST_URI "(?:cache\.uniq_[0-9]+|cache\.managed|/components/com_remository_files/*/*)\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318912,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory',logdata:'%{TX.0}'"
# 340153: .php under a Kaboozu CMS media/banner directory.
SecRule REQUEST_URI "media/banner/.+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory',logdata:'%{TX.0}'"
# 342153 (chain): wp-settings.php / wp-config.php requested with an argument
# named code, codes or codez.
SecRule REQUEST_URI "/wp-(?:settings|config)\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:342153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Attempt to inject code into wordpress',logdata:'%{TX.0}'"
SecRule ARGS_NAMES "code(?:s|z)"
# 342154 (chain): forum.php / forums.php with an "x" argument naming a
# shell/exec/passthru function.
SecRule REQUEST_URI "forums?\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,capture,id:342154,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known vBulletin backdoor',logdata:'%{TX.0}'"
SecRule ARGS:x "(?:shell|exec|passthru)"
#Fake Major domains
# 318813: "<well-known name>.com.<more label>" hostnames that are made to look
# like the real site. This one keeps the default 403.
SecRule REQUEST_URI|ARGS "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'"
# Known-rootkit section, gated like the RFI section: without any of these
# substrings in the URI or arguments, the SecAction jumps to END_KNOWN_ROOTKITS;
# a hit steps over it with skip:1.
SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" "id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333761,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_ROOTKITS"
#known shell URLS
# 340033: shell-style query strings on non-script extensions ("x.gif?&cmd="),
# ".php?act" forms and "/cmd?&mkdir=/" forms. Free-text arguments (description,
# message, text, ...) are excluded to limit false positives. Replies 404.
# NOTE(review): in the middle alternative the text "act=?:(" looks like a
# misplaced non-capturing group: as written it is an optional "=" followed by a
# literal ":", so ".php?act=cmd" does not match that branch — only ".php?act:cmd"
# or ".php?act=:cmd" would. Confirm the intent before changing it.
SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/message/|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name|action)=|\.php\?act=?:(chmod&f|cmd|ls|f&f)|/cmd\?&(?:(?:ch|mk)dir=/|action=(?:ch|mk)dir))" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible attempt to run malware',logdata:'%{TX.0}'"
#Body sigs
# 392146: a request header whose *name* is x_key or x_file (names only, lowercased).
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "capture,phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'"
#ASP sigs
# 391150 (chain): an .asp filename combined with query strings used by known
# ASP web shells.
SecRule REQUEST_FILENAME "\.asp" "deny,log,auditlog,status:404,chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)"
SecMarker END_KNOWN_ROOTKITS
# 391158 sits outside the gate above, so it always runs: any argument named
# c99shcook (severity 1, the highest used in this file).
SecRule ARGS_NAMES "c99shcook" "deny,log,auditlog,status:404,id:391158,phase:2,capture,t:none,t:lowercase,severity:1,rev:1,msg:'Atomicorp.com WAF Rules: PHP c99 webshell',logdata:'%{TX.0}'"
#Check body of responses for known or suspected malicious web applications
# Phase-4 (response body) section. Two exemptions first — the WebDAV REPORT
# method and the Wordfence plugin-information page — both jump to
# END_ROOTKIT_BODY. Then the usual @pm prefilter / SecAction gate: only
# responses containing one of the marker words reach the regex rules.
# NOTE(review): several @pm keywords are listed twice (leech, backdoor, Symlink,
# pshyco); harmless, but they could be removed.
SecRule REQUEST_METHOD "^REPORT$" "phase:4,rev:2,id:334785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" "phase:4,rev:2,id:364785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
SecRule RESPONSE_BODY "@pm boff rapidleech mailer telnet shell hacke sh3ll SecurityCrewz phpftp explorer aventis xerror injection rhtools commander terminal ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce M4st3r Indishell GIF89 Upl04d3r uploader FilesMan JPEG-1.1<base64_encoded bypass 3xp1r3 Cracker Symlink Symlink hijack connected backdoor woman-five companies-best-man million-support" "id:333856,rev:2,phase:4,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333762,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
#Moved from embargoed rules
# 340004: specific cloaked page title/paragraph strings. ctl:auditLogParts=+F
# adds an extra part to the audit-log record for the matching transaction.
SecRule RESPONSE_BODY "(?:<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>|<p>Companies-Best-Man-Vendors-Best</p>|<p>Million-Support-Years-Week-Agents</p>)" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked Solarwinds malware on system',id:'340004',rev:1,severity:'2'"
#Fake GIF89
# 393150 (chain): a response body starting with a GIF header when the requested
# filename does not end in .gif (lowercased), i.e. script output disguised as an
# image. The phase-2 static-extension skip at the top does not affect this.
SecRule RESPONSE_BODY "^GIF89" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked malware on system',id:'393150',rev:5,severity:'2',chain"
SecRule REQUEST_FILENAME "!@endswith .gif" "t:none,t:lowercase"
# 393151: fake JPEG header followed by a base64 marker. 393152: a web-shell
# banner ("Connected to root:"), severity 1.
SecRule RESPONSE_BODY "^JPEG-1.1<base64_encoded" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked malware on system',id:'393151',rev:5,severity:'2'"
SecRule RESPONSE_BODY "Connected to root:" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible web shell blocked on system',id:'393152',rev:5,severity:'1'"
#Response body patterns that are not malicious (webmail / Horde UIs): stop the
#body checks here.
# NOTE: "[m|M]" is a character class, so it also matches a literal "|".
SecRule RESPONSE_BODY "<title>(?:.{0,64}Web[m|M]ail|Horde \:\:)" "phase:4,rev:2,id:333785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
# 390150: spam-tool signatures. No disruptive action is listed, so
# SecDefaultAction's deny applies, with the 404 status set here.
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|<title>dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'"
#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:rapidleech plugmod -|you are not allowed to leech from|=\"http://www\.rapidleech\.com)" "deny,log,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:12,severity:'2'"
# The Wordfence options page legitimately contains shell-signature text, so it
# skips 390149 only (marker right after that rule).
SecRule REQUEST_URI "^/wp-admin/admin\.php\?page=WordfenceOptions$" "id:321117,rev:1,phase:4,t:none,pass,nolog,noauditlog,skipAfter:SKIP_AFTER_RULE_390149"
#trick them with a 404 (status:404 instead of the default 403, so the probe
#looks like a missing file)
# 390149: the main catalogue of web-shell / bot page banners in response bodies.
SecRule RESPONSE_BODY "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?) ?(web)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|[Ss](?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?:(?:-| )?mode(?: bypass|execdir| ?\[ ?[Ss]afe(?:-| )?mode\:)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver|\[Exploit-DB|syrian-shell.com|SyRiAn Sh3ll|Sh(?:3|e)ll Uploader|W3lc0m3 M4st3r|Indishell|Safe ?(?:-| )?mode ?\: ?OFF|Upl04d3r|FilesMan|>Hacked by <|(?:Da3s|Da3s HaCkEr) File Manager|Symlink Bypass|3xp1r3|Finder/Cracke|Symlink</title>|Index Hijack|Smoker Backdoor)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible remote shell or bot access denied',id:'390149',rev:59,severity:'2',logdata:'%{TX.0}'"
SecMarker SKIP_AFTER_RULE_390149
#This protects the victims, by preventing compromised files from being loaded
# 392149: defacement / exploit-kit markers; tagged no_ar (the tag's meaning is
# not defined in this file).
SecRule RESPONSE_BODY "(?:SecurityCrewz|Exploit-DB)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible compromised website detected and 404 sent to user',id:'392149',rev:1,severity:'2',logdata:'%{TX.0}',tag:'no_ar'"
SecMarker END_ROOTKIT_BODY
# Generic PHP shell payload, pass 1 (phase 2, URL-decoded URI and args, SAMLResponse
# excluded): @pm prefilter, SecAction jump, then the regex.
# NOTE(review): "stripshashes" in the keyword list is a typo for stripslashes.
# It is harmless here because the only regex branch that uses stripslashes also
# requires "$_request[", and "_request" is in the list.
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" "id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333763,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_2"
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
#
# 390801 (chain): "<?php system(" style openers, stripslashes/passthru on
# $_request, get_magic_quotes_gpc probes, php_uname, and eval(base64_decode(
# and friends. Free-text arguments (code, description, message, email, body,
# text, ...) are excluded; chained with a VaultPress cron URI exception.
SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)"
#some broken attack program
# 390803: literal tokens left in by a malformed attack tool (also checked in
# the raw REQUEST_BODY).
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" "deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
#New SQL attack seen — 390804 is disabled here (the 95322 exclusion at the top
#of the file refers to it).
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" #"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known shell SQL payload',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_BODY_2
# Generic PHP shell payload, pass 2: same gate and regex family as 390801 but
# without URL decoding, with the raw REQUEST_BODY included, and with a bare
# "system|passthru|shell_exec|exec (" alternative. The chain starts with the
# negated VaultPress cron URI so that exception is applied first.
# NOTE(review): "stripshashes" is the same typo as in the pass-1 list; harmless
# for the same reason ("_request" is present).
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,id:333786,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333764,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_3"
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()"
SecMarker END_ROOTKIT_BODY_3
# Generic PHP shell payload, pass 3 (390811): like pass 2 but only the "code"
# argument is excluded, and the bare-call alternative drops "system" (only
# passthru/shell_exec/exec followed by "(").
# NOTE(review): "stripshashes" typo again; harmless as above.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "id:333859,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333765,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_4"
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:code "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()"
SecMarker END_ROOTKIT_BODY_4
# Disabled pass 4: the same check after t:decodeBase64Ext, gated on a minimum
# MODSEC_BUILD. Note it reuses id 390811, so it cannot simply be re-enabled
# alongside the rule above without renumbering.
#SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,t:none,t:decodeBase64Ext,pass,nolog,noauditlog,skip:1"
#SecAction phase:2,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5
#
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" "capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
#SecMarker END_ROOTKIT_BODY_5
# Perl / known-rootkit file names in the URI. Gated by the usual @pm prefilter;
# note the keyword list already names the specific files the regex looks for.
SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php test.php 404.php.jpg webadmin.php.flv dump footer.php press60.php gallery.php" "id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333766,t:none,pass,nolog,noauditlog,skipAfter:END_PERL_EXEC"
#Generic remote perl execution with .pl extension
# 390802: "perl <x>.pl ;" / "; perl <x>.pl" command forms, plus a list of known
# rootkit/shell file names (kaiten.c, r57/c99/c100.php|txt, zfxid1.txt, ...).
# t:cmdline normalises the value as a shell command line first; multimatch
# re-runs the check after each transformation. Replies 500.
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt|(?:royalslider/languages/test|/js/imgareaselect/footer|/cgi-bin/whm/press60|wp-content/themes/avada/fonts/gallery)\.php)" "capture,status:500,deny,log,auditlog,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
SecMarker END_PERL_EXEC
# 390903 (phase 3, response headers): a WWW-Authenticate header mentioning
# rapidleech, i.e. the download client's own login prompt being served.
SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" "deny,log,capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
# Shell-command section, gated by a @pm prefilter of command names and paths
# (t:cmdline applied first). "rm" is listed twice; harmless.
SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget ftpget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet gcc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" "id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333767,rev:3,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_SIGNS"
#Known shells
# 390904 (chain): only the arguments cmd, act, command and action are inspected,
# for shell commands followed by a space/flag (ls -, find /, wget , /bin/sh, ...).
# Chained with an exclusion for the Joomla com_clm component.
SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "\b(?:ls\b(?: -|\&)|find /|mysqldump |ifconfig |chdir=|php |echo |perl |killall |kill -|python |rpm |yum |apt-get |emerge |lynx |links\b |mkdir |elinks |(?:ftp|w)get |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|\bmv\b |unzip |tar |\brm\b |\bcat\b (?:/|\.\.)|\brar\b )" "chain,deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:15,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(^/components/com_clm/clm/)"
#for direct CGI type commands
#http://example.com/cmd.cgi?cat /etc/passwd
# 390907 is disabled here; the 95330 and 95339 exclusions at the top of the
# file still refer to it.
#SecRule REQUEST_URI "\b(?:ls\b -|find /|mysqldump |php |echo |perl |killall |kill |python |lynx |e?links (?:[0-9]|h|f) |mkdir |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|mv\b |unzip |tar\b |rm\b |cat (?:/|\.\.)|rar\b )" "capture,t:none,t:urlDecodeUni,t:compresswhitespace,multimatch,id:390907,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
# 390905: an argument named "ev" whose value starts with "print <digits>;".
SecRule ARGS:ev "^print [0-9]+ ?;" "deny,log,auditlog,status:403,capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
#new known injected payload (390906, disabled)
#SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" "capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecMarker END_KNOWN_SIGNS
#Uploaded php files in the WP cache directories
# 318811 (chain): php/php3/php4/php5/phtml/pht under a theme cache dir,
# date-named uploads (uploads/<year>/<month>), uploads/tmp, the revslider
# update_extract temp dir and the wp-mobile-detector cache. timthumb.php in a
# cache dir is exempted by the chained negative rule. Replies 404.
# NOTE(review): the action list says "log,deny,log" — the repeated log is
# harmless but can be dropped.
SecRule REQUEST_FILENAME "/wp-content/(?:themes/.+/cache|uploads/(?:[0-9]+/[0-9]+|tmp)|plugins/revslider/temp/update_extract/resume|plugins/wp-mobile-detector/cache)/.+\.ph(?:p[345]|tml|t)$" "log,deny,log,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain"
SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)"
#/modules/simpletest/files/
#/files/stats38.php
# 316812: "/files/<x>.php<digits>" (the [0-9]+? requires at least one digit
# after .php) and "/filemanager/userfiles/<x>.php|phtml|pht".
# NOTE(review): the "/files/stats38.php" example above does not end in a digit
# and so is NOT matched by the first branch as written; confirm whether
# "[0-9]*$" was intended (that would also catch plain .php and may raise
# false positives under generic /files/ paths).
SecRule REQUEST_FILENAME "/file(?:s/.*\.php[0-9]+?$|manager/userfiles/.*\.ph(?:p|tml|t))" "log,deny,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:316812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory',logdata:'%{TX.0}'"
# Both markers are targets of the skip rules at the top of the file: the phase-2
# static-extension skip lands on END_ROOTKIT_FINAL, the phase-4 port-30000 skip
# on END_ROOTKIT_ALL.
SecMarker END_ROOTKIT_FINAL
SecMarker END_ROOTKIT_ALL