SecDefaultAction "log,deny,auditlog,phase:2,status:403" SecRule REQUEST_FILENAME "homecounter\.php" "phase:2,id:95286,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144,ctl:ruleRemovebyID=390145" SecRule REQUEST_FILENAME "moderation\.php" "phase:2,id:95287,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148" SecRule REQUEST_FILENAME "/paadmin/file_manager\.php" "phase:2,id:95288,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/__utm\.gif" "phase:2,id:95289,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144" SecRule REQUEST_FILENAME "/administrator/index\.php" "phase:2,id:95290,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/ota/admin/file_manager\.php" "phase:2,id:95291,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/admin/shop_file_manager\.php" "phase:2,id:95292,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/admin/file_manager\.php" "phase:2,id:95293,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/modules/mod_oneononechat/chatfiles/*" "phase:2,id:95294,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/fud/adm/admbrowse\.php" "phase:2,id:95295,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/wp-cron\.php" "phase:2,id:95296,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/admin/mods/easymod/easymod_install\.php" "phase:2,id:95297,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/autogallery/autogallery\.php" "phase:2,id:95298,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/alfresco/scripts/onload\.js" "phase:2,id:95299,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/assets/files/who/" "phase:2,id:95300,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,id:95301,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/setup/" "phase:2,id:95302,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/administrator/index2\.php" "phase:2,id:95303,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/sales/soap\.php" "phase:2,id:95304,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/twg177/admin/" "phase:2,id:95305,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/images/smilies/" "phase:2,id:95306,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148" SecRule REQUEST_FILENAME "/admin/dogen_display\.php" "phase:2,id:95307,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811" SecRule REQUEST_FILENAME "/horde/themes/graphics/" "phase:2,id:95308,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "/whois/quick\.php" "phase:2,id:95309,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145" SecRule REQUEST_FILENAME "/ubbthreads\.php" "phase:2,id:95310,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902" SecRule REQUEST_FILENAME "/administrator/" "phase:2,id:95311,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902" SecRule REQUEST_FILENAME "^/img/logos_square/shell\.gif$" "phase:2,id:95312,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "^/plugins/editors/jckeditor/plugins/jfilebrowser/images/icons/gif\.gif$" "phase:2,id:95313,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/admin/templates/data_templates/data_templates\.php" "phase:2,id:95314,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811" SecRule REQUEST_FILENAME "/nagios/cgi-bin/cmd\.cgi" "phase:2,id:95315,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "/tools_cron\.php" "phase:2,id:95316,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904" SecRule REQUEST_FILENAME "/admin/layout/edit/" "phase:2,id:95317,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811" SecRule REQUEST_FILENAME "/nagios/stylesheets/cmd\.css" "phase:2,id:95318,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "/adjs\.php" "phase:2,id:95319,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144" SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95320,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801" SecRule REQUEST_FILENAME "/wp-admin/plugin-editor\.php" "phase:2,id:95321,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801" SecRule REQUEST_FILENAME "/import\.php" "phase:2,id:95322,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390804" SecRule REQUEST_FILENAME "/terms\.php" "phase:2,id:95323,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/jfilebrowser/images/icons/gif\.gif" "phase:2,id:95324,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/thumbs/" "phase:2,id:95325,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/modules/mod_jw_ajaxnf/" "phase:2,id:95326,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147" SecRule REQUEST_FILENAME "/wp-admin/nav-menus\.php" "phase:2,id:95327,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/themes/default/graphics/" "phase:2,id:95328,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "/catalog/product/cache/" "phase:2,id:95329,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800" SecRule REQUEST_FILENAME "/installation/index\.php" "phase:2,id:95330,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390907" SecRule REQUEST_FILENAME "/wp-admin/theme-editor\.php" "phase:2,id:95331,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:95332,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149,ctl:ruleRemovebyID=390801" SecRule REQUEST_FILENAME "/admin/scripts/shell\.js" "phase:2,id:95333,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148" SecRule REQUEST_FILENAME "/timthumb\.php" "phase:2,id:95334,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145" SecRule REQUEST_FILENAME "/connectors/workspace/packages-rest\.php" "phase:2,id:95335,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/admin/supporttickets\.php" "phase:2,id:95336,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/piwik\.php" "phase:2,id:95337,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145" SecRule REQUEST_FILENAME "/pwiki\.php" "phase:2,id:95338,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145" SecRule REQUEST_FILENAME "/json-api/cpanel" "phase:2,id:95339,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904,ctl:ruleRemovebyID=390907" SecRule REQUEST_FILENAME "/picat/admin/" "phase:2,id:95340,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/viewticket\.php" "phase:2,id:95341,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/supporttickets\.php" "phase:2,id:95342,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/dokuwiki/doku\.php" "phase:2,id:95343,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/wp-admin/edit-comments\.php" "phase:2,id:95344,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/clientsservices\.php" "phase:2,id:95345,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95346,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149" # http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Known shells, remote toolkits, etc. signatures for modsec 2.x # # Copyright 2005-2023 by Atomicorp, Inc., all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security #Master list of known malware script file names #SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'" #SecRule REQUEST_URI "@pmFromFile malware_scripts.txt" #SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'" #Skip SPAM rules if this is a not something to check for spam, like control panels, ASL gui, etc. SecRule SERVER_PORT "@streq 30000" "phase:4,id:333852,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_ALL" SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp|bk)|mp(?:3|4|e?g)|cgm|s(?:vg|wf)|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt)$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333853,skipAfter:END_ROOTKIT_FINAL" SecRule REQUEST_URI "^/(?:eprocservice/supplierinboundservice|\?_task=mail)" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:331853,skipAfter:END_ROOTKIT_FINAL" #possible crypto mining tools #mining.submit mining.subscribe mining.authorize #EthereumStratum|MinerName/1.0.0|cpuminer/2.5.1 SecRule REQUEST_URI|ARGS "(?:mining\.(submit|authorized|subscribe)|ethereumstratum|minername/|cpuminer/|eth_submitlogin|ethereumstratum|xmrig/|xmr-stak-cpu)" "t:none,t:urlDecodeUni,t:lowercase,capture,id:391111,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Cryptomalware attack blocked',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" "id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333760,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_RFI" #SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'" #SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)" # #shell patterns SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell'" SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)" SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client'" #SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" "capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'" SecMarker END_ROOTKIT_RFI #Jooma and wordpress PHP Shells #SecRule REQUEST_URI SecRule REQUEST_URI "(?:/images/stories/|/components/com_smartformer/files/|/uploaded_files/user/|uploads/job-manager-uploads/).*\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in images directory',logdata:'%{TX.0}'" SecRule REQUEST_URI "/(?:title|sourceinc|xml|general|info|dir|javascript|cache|menu|themes|functions|dump|inc)[0-9]+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:removewhitespace,capture,id:318814,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit',logdata:'%{TX.0}'" SecRule REQUEST_URI "(?:cache\.uniq_[0-9]+|cache\.managed|/components/com_remository_files/*/*)\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318912,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory',logdata:'%{TX.0}'" SecRule REQUEST_URI "media/banner/.+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory',logdata:'%{TX.0}'" SecRule REQUEST_URI "/wp-(?:settings|config)\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:342153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Attempt to inject code into wordpress',logdata:'%{TX.0}'" SecRule ARGS_NAMES "code(?:s|z)" SecRule REQUEST_URI "forums?\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,capture,id:342154,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known vBulletin backdoor',logdata:'%{TX.0}'" SecRule ARGS:x "(?:shell|exec|passthru)" #Fake Major domains SecRule REQUEST_URI|ARGS "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" "id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333761,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_ROOTKITS" #known shell URLS SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/message/|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name|action)=|\.php\?act=?:(chmod&f|cmd|ls|f&f)|/cmd\?&(?:(?:ch|mk)dir=/|action=(?:ch|mk)dir))" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible attempt to run malware',logdata:'%{TX.0}'" #Body sigs SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "capture,phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'" #ASP sigs SecRule REQUEST_FILENAME "\.asp" "deny,log,auditlog,status:404,chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'" SecRule REQUEST_URI "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)" SecMarker END_KNOWN_ROOTKITS SecRule ARGS_NAMES "c99shcook" "deny,log,auditlog,status:404,id:391158,phase:2,capture,t:none,t:lowercase,severity:1,rev:1,msg:'Atomicorp.com WAF Rules: PHP c99 webshell',logdata:'%{TX.0}'" #Check body of responses for known or suspected malicious web applications SecRule REQUEST_METHOD "^REPORT$" "phase:4,rev:2,id:334785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY" SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" "phase:4,rev:2,id:364785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY" SecRule RESPONSE_BODY "@pm boff rapidleech mailer telnet shell hacke sh3ll SecurityCrewz phpftp explorer aventis xerror injection rhtools commander terminal ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce M4st3r Indishell GIF89 Upl04d3r uploader FilesMan JPEG-1.1Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand|

Companies-Best-Man-Vendors-Best

|

Million-Support-Years-Week-Agents

)" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked Solarwinds malware on system',id:'340004',rev:1,severity:'2'" #Fake GIF89 SecRule RESPONSE_BODY "^GIF89" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked malware on system',id:'393150',rev:5,severity:'2',chain" SecRule REQUEST_FILENAME "!@endswith .gif" "t:none,t:lowercase" SecRule RESPONSE_BODY "^JPEG-1.1(?:.{0,64}Web[m|M]ail|Horde \:\:)" "phase:4,rev:2,id:333785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY" SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'" #Rapid Leech blocks SecRule RESPONSE_BODY "(?:rapidleech plugmod -|you are not allowed to leech from|=\"http://www\.rapidleech\.com)" "deny,log,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:12,severity:'2'" SecRule REQUEST_URI "^/wp-admin/admin\.php\?page=WordfenceOptions$" "id:321117,rev:1,phase:4,t:none,pass,nolog,noauditlog,skipAfter:SKIP_AFTER_RULE_390149" #trick them with a 40 SecRule RESPONSE_BODY "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?) ?(web)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|[Ss](?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?:(?:-| )?mode(?: bypass|execdir| ?\[ ?[Ss]afe(?:-| )?mode\:)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver|\[Exploit-DB|syrian-shell.com|SyRiAn Sh3ll|Sh(?:3|e)ll Uploader|W3lc0m3 M4st3r|Indishell|Safe ?(?:-| )?mode ?\: ?OFF|Upl04d3r|FilesMan|>Hacked by <|(?:Da3s|Da3s HaCkEr) File Manager|Symlink Bypass|3xp1r3|Finder/Cracke|Symlink|Index Hijack|Smoker Backdoor)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible remote shell or bot access denied',id:'390149',rev:59,severity:'2',logdata:'%{TX.0}'" SecMarker SKIP_AFTER_RULE_390149 #This protects the victims, by preventing compromised files from being loaded SecRule RESPONSE_BODY "(?:SecurityCrewz|Exploit-DB)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible compromised website detected and 404 sent to user',id:'392149',rev:1,severity:'2',logdata:'%{TX.0}',tag:'no_ar'" SecMarker END_ROOTKIT_BODY SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" "id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333763,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_2" #generic payload #if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd'])); # SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)" #some broken attack program SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" "deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known Wormsign',logdata:'%{TX.0}'" #New SEL attack seen #SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" #"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known shell SQL payload',logdata:'%{TX.0}'" SecMarker END_ROOTKIT_BODY_2 SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,id:333786,t:none,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333764,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_3" SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" SecMarker END_ROOTKIT_BODY_3 SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "id:333859,phase:2,t:none,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333765,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_4" SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:code "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" SecMarker END_ROOTKIT_BODY_4 #SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5 #SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,t:none,t:decodeBase64Ext,pass,nolog,noauditlog,skip:1" #SecAction phase:2,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5 # #SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" "capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'" #SecMarker END_ROOTKIT_BODY_5 SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php test.php 404.php.jpg webadmin.php.flv dump footer.php press60.php gallery.php" "id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333766,t:none,pass,nolog,noauditlog,skipAfter:END_PERL_EXEC" #Generic remote perl execution with .pl extension SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt|(?:royalslider/languages/test|/js/imgareaselect/footer|/cgi-bin/whm/press60|wp-content/themes/avada/fonts/gallery)\.php)" "capture,status:500,deny,log,auditlog,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'" SecMarker END_PERL_EXEC SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" "deny,log,capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'" SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget ftpget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet gcc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" "id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:333767,rev:3,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_SIGNS" #Known shells SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "\b(?:ls\b(?: -|\&)|find /|mysqldump |ifconfig |chdir=|php |echo |perl |killall |kill -|python |rpm |yum |apt-get |emerge |lynx |links\b |mkdir |elinks |(?:ftp|w)get |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|\bmv\b |unzip |tar |\brm\b |\bcat\b (?:/|\.\.)|\brar\b )" "chain,deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:15,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'" SecRule REQUEST_URI "!(^/components/com_clm/clm/)" #for direct CGI type commands #http://example.com/cmd.cgi?cat /etc/passwd #SecRule REQUEST_URI "\b(?:ls\b -|find /|mysqldump |php |echo |perl |killall |kill |python |lynx |e?links (?:[0-9]|h|f) |mkdir |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|mv\b |unzip |tar\b |rm\b |cat (?:/|\.\.)|rar\b )" "capture,t:none,t:urlDecodeUni,t:compresswhitespace,multimatch,id:390907,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'" SecRule ARGS:ev "^print [0-9]+ ?;" "deny,log,auditlog,status:403,capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'" #new known injected payload #SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" "capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'" SecMarker END_KNOWN_SIGNS #Uploaded php files in the WP cache directories SecRule REQUEST_FILENAME "/wp-content/(?:themes/.+/cache|uploads/(?:[0-9]+/[0-9]+|tmp)|plugins/revslider/temp/update_extract/resume|plugins/wp-mobile-detector/cache)/.+\.ph(?:p[345]|tml|t)$" "log,deny,log,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain" SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)" #/modules/simpletest/files/ #/files/stats38.php SecRule REQUEST_FILENAME "/file(?:s/.*\.php[0-9]+?$|manager/userfiles/.*\.ph(?:p|tml|t))" "log,deny,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:316812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory',logdata:'%{TX.0}'" SecMarker END_ROOTKIT_FINAL SecMarker END_ROOTKIT_ALL