Illegal File Scanner / Mod_Security Rules

**robert420** · 17th Jun 2010, 06:00 PM

This source was posted on WHT. I've recently updated it.

Server I"m using is a Centos 5 server the commands I'm getting ready to use might be little be difference for your server operating system.

Step1.

First you need to loggin into SSH on your server using Putty or other SSH Client

Step2.

After you've logged into root using ssh type the following command below

Code:

Type cd /home then after type mkdir server_scan

Step 3.

After you've type the command above now type the following command below:

Code:

Type cd /home/server_scan

After you've type the command above to change into the directory server_scan type the following command below

Code:

Type nano scan.sh

After you've type the command above copy & paste the following below into your SSH. But don't forget to change youremail_address_here with your actual email address you check everyday.

Code:

#!/bin/sh
 email=robertf2010@clear.net ( Replace This with your Email Address)
# Locate & E-mail banned script results

updatedb
locate lstmrge.cgi | mail -s Banned-Spam-Tools $email
locate phpshell.php | mail -s PHPShell $email
locate c99shell.php | mail -s c99shell $email
locate r57shell.php | mail -s r57shell $email
locate bomber.php | mail -s EmailBomber $email
locate post.php | mail -s EmailScript $email
locate vbulletin | mail -s vbulletin $email
locate nph-proxy.cgi | mail -s Banned-Proxy-Utils $email
locate *.mp3 | mail -s MP3s $email
locate *.rar | mail -s RAR-Files $email
(locate warez; locate ftf; locate vcd; locate svcd; locate xxx; locate telesync; locate 
screener; locate divx; locate *.nfo) | mail -s warez $email
locate *.zip | mail -s zip-files $email
(locate *.avi; locate *.mov; locate *.mpeg; locate *.mpg; locate *.rm; locate *.ram; 
locate *.divx; locate *.wmv; locate *.asf ) | mail -s Movie-Files $email
locate adcycle.cgi | mail -s ad-systems $email
locate clientexec | mail -s Clientexec $email
locate whmcs | mail -s WHMCS $email
locate invision | mail -s InvisionBoard  $email
locate vbulletin | mail -s Vbulletin  $email
find / -size +5000000c | mail -s Over5MB $email

How to setup to run automatically as a cronjobs

Type the command below

Code:

Type crontab -e

After you've type the following command below copy & paste the line below this will run the scan.sh at 1AM every day including weekdays.

Code:

0 1 * * * /home/server_scan/scan.sh >/dev/null 2>&1

After you've setup the cronjobs don't forget to save

You can run this script manual by running the following command below

Code:

sh /home/server_scan/scan.sh

This script will email the results to your email address you've listed in scan.sh

Once you've finished I would recommended you to run the script manual first since updatedb command it does take alongtime.

Now time to setup mod_security in disable a few php functions

If you don't have mod_security installed on your vps server or dedicated server you can do this by loggin into WHM as Root User > Then Software > Then click on Easy Apache Click on Start customizing based on profile > Keep clicking next step until you get to the Short Options List Once you've reached that list you'll see something like this as shown in the example below

Please choose specific options:
Frontpage []
Mod SuPHP [] This option will make the following changes to your profile prior to the build: Enables:
CGI (PHP v4)
CGI (PHP v5)

After mod_security has installed how to set the rules

After mod_security has been successfully installed on your server now goto WHM Look underneath plugins now you'll see Mod Security click on Mod Security.

Now settings the rules sets

After you've clicked on Mod Security click on edit config

Copy the following rule sets listed below

Code:

SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "config"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/home" 
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html" 
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc" 
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"
 
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"
 
SecRule ARGS|HTTP_Content-Length|REQUEST_COOKIES  "/etc"
 
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Server Secured By yourdomainhere"
 
SecUploadDir /tmp
SecUploadKeepFiles Off
 
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
 
# You normally won't need debug logging
SecDebugLogLevel 0
SecDebugLog logs/modsec_debug_log
 
SecDataDir /tmp
SecTmpDir /tmp
 
 
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
 
#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
 
##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"
#generic path recurision sig
 
#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
 
#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
 
#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
 
#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
 
 
#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd="
 
#Prevent SQL injection in UA
SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
 
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult 
# to prevent false postives and negatives.  
# Pplease report false positives/negatives to mike@gotroot.com
SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
 
#Generic SQL sigs
SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
 
#Generic SQL sigs
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
 
#Generic SQL sigs
SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 
 
#Meta character SQL injection
SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"
 
#Generic command line attack filter
SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
 
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS compress\.zlib:
 
#Generic XSS filter
#please report false positives
SecRule REQUEST_URI "!/mt\.cgi" chain
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
 
#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
 
#PHP Injection Attack generic signature
SecRule REQUEST_URI  "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
 
#PHP Injection Attack generic signature
SecRule REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
 
#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
 
#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
 
#really broad furl_fopen attack sig
#tune this for your system
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/" 
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" 
 
 
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
 
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
 
#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"
 
#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
 
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
 
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
 
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
 
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
 
#Bogus file extensions generic signature
SecRule REQUEST_URI  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
 
#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
 
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
 
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 
 
#Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
 
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
 
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
 
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
 
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
 
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"
 
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "x20-o" 
 
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
 
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
 
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
 
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
 
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
 
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
 
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
 
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
 
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 
 
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"
 
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"
 
# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 
 
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 
 
# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_" 
 
# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest" 
 
# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 
 
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 
 
#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="
 
# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl" 
 
#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
 
#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" 
 
#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"
 
#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
 
#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
 
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
 
# TIKIWIKI
SecRule REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"
 
#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 
 
#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
 
#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
 
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
 
#Commands, also need a major rework, these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" 
 
SecRule REQUEST_URI "cd \.\." 
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 
 
#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen" 
 
#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
SecRule ARGS_NAMES "^php:/"
 
# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"
 
# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"
 
# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"
 
#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
 
#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="
 
#cross site scripting attempt TYPE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"
 
#cross site scripting attempt STYLE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"
 
#cross site scripting attempt STYLE + JSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"
 
# cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"
 
#cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"
 
#cross site scripting attempt STYLE + ECMACRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"
 
# cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
 
#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
 
# cross site scripting attempt using XML
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
 
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
 
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("
 
#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
 
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
 
#Apache /server-info accessible
SecRule REQUEST_URI   "/server-info" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
 
#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
 
#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"
 
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
 
#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"
 
#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecRule REQUEST_BODY "methodCall\>"
 
#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
 
#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecRule REQUEST_URI "/xmlrpc\.php" chain
#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
 
#XML-RPC SQL injection generic signature
SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
SecRule REQUEST_BODY  "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
 
#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
 
#catch smuggling attacks
#SecRule "^(GET|POST).*Host:.*^(GET|POST)" 
 
#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
 
#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
 
#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"
 
#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
 
#Generic XML RPC attack sig
SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"
 
#HTTP header PHP code injection attacks
SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
 
#phpbb wormsign
SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
 
#Generic PHP avatar upload exploits
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"
 
#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("
 
#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
 
#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
 
#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
 
#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
 
 
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
 
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
 
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
 
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
 
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
 
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
 
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
 
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
 
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
 
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
 
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
 
#new unknown kit
SecRule REQUEST_URI "/oops?&"
 
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"
 
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
 
#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"
 
#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"
 
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
 
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
 
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
 
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu="
 
#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"
 
#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"
 
#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"
 
#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"
 
#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
 
#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
 
#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="
 
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
 
SecRule REQUEST_URI "/r57en\.php"
 
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
 
#generic shell
SecRule REQUEST_URI "shell\.txt"
 
 
SecRule REQUEST_URI "files/.*\.php\.menu\?cmd="
 
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
 
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
 
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
 
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
 
 
 
 
 
 
 
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
 
SecRule REQUEST_URI|REQUEST_BASENAME|REQUEST_FILENAME|REQUEST_HEADERS|RESPONSE_BODY|REQUEST_BODY "/(r0nin|m0rtix|r57shell|too20|phpshell|shell|sniper_sa|sniper_sa2|64|c99|r57|xp|.xp|mohajer|mysql|cgitelnet|Locus7|msql|safe|symlink|sym4|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\*****|brute)\.ph(p(3|4)?|tml)" log,redirect:http://www.hosting-shack.com/security.html
 
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI   "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI   "/iblis\.htm\?" 
SecRule REQUEST_URI   "/gif\.gif\?" 
SecRule REQUEST_URI   "/go\.php\.txt\?" 
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" 
SecRule REQUEST_URI   "/zehir\.asp"
SecRule REQUEST_URI   "/aflast\.txt\?"
SecRule REQUEST_URI   "/sikat\.txt\?&cmd" 
SecRule REQUEST_URI   "/t\.gif\?" 
SecRule REQUEST_URI   "/phpbb_patch\?&"
SecRule REQUEST_URI   "/phpbb2_patch\?&"
SecRule REQUEST_URI   "/lukka\?&"
#new kit
SecRule REQUEST_URI   "/c99shell\.txt"
SecRule REQUEST_URI   "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY   "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI   "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI   "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI   "/scan1\.0/scan/"
SecRule REQUEST_URI   "test\.txt\?&"
#30dec
SecRule REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI   "/php\.txt\?"
#1 jan
SecRule REQUEST_URI   "/sql\.txt\?"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI   "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI   "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI   "/docLib/cmd\.asp"
SecRule REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI   "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a" 
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI  "/usr/bin/id" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI  "/bin/echo" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI  "/bin/kill" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI  "/bin/chmod" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI   "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI  "gcc" chain
SecRule REQUEST_URI "x20-o" 
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI  "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI  "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI  "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI  "g\+\+\x20" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI  "bin/python" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI  "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI  "/bin/ping" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI  "/bin/mail" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20" 
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI  "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI  "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI  "\.htpasswd" 
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI  "/etc/passwd" 
# WEB-MISC ls%20-l
SecRule REQUEST_URI  "ls" chain
SecRule REQUEST_URI "\x20-l" 
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" 
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecRule REQUEST_URI "echo\x20" 
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20" 
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" 
 
 
 
 
## -- General rules -------------------- 
 
SecRule ARGS "c:/" t:normalisePathWin 
SecRule ARGS "\.\./" t:normalisePathWin 
SecRule ARGS "d:/" t:normalisePathWin 
 
## -- phpBB attack -------------------- 
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
SecRule REQUEST_LINE "wget "
SecRule REQUEST_LINE "lynx "
SecRule REQUEST_LINE "Fhome"
SecRule REQUEST_LINE "ftp "
SecRule REQUEST_LINE "cvs"
SecRule REQUEST_LINE "php?phpinfo"
SecRule REQUEST_LINE "php?phpini"
SecRule REQUEST_LINE "php?mem"
SecRule REQUEST_LINE "php?cpu"
SecRule REQUEST_LINE "php?users"
SecRule REQUEST_LINE "php?tmp"
SecRule REQUEST_LINE "php?delete"
SecRule REQUEST_LINE "cmd"
SecRule REQUEST_LINE "curl "
SecRule REQUEST_LINE "act=sql&"
SecRule REQUEST_LINE "ssh "
SecRule REQUEST_LINE "echo "
SecRule REQUEST_LINE "links -dump "
SecRule REQUEST_LINE "links -dump-charset "
SecRule REQUEST_LINE "links -dump-width "
SecRule REQUEST_LINE "links http:// "
SecRule REQUEST_LINE "links ftp:// "
SecRule REQUEST_LINE "links -source "
SecRule REQUEST_LINE "mkdir "
SecRule REQUEST_LINE "cd /tmp "
SecRule REQUEST_LINE "cd /var/tmp "
SecRule REQUEST_LINE "cd /etc/httpd/proxy "
SecRule REQUEST_LINE "/config.php?v=1&DIR "
SecRule REQUEST_LINE "&highlight=%2527%252E "
SecRule REQUEST_LINE "changedir=%2Ftmp%2F.php "
SecRule REQUEST_LINE "arta\.zip "
SecRule REQUEST_LINE "cmd=cd\x20/var "
SecRule REQUEST_LINE "HCL_path=http "
SecRule REQUEST_LINE "clamav-partial "
SecRule REQUEST_LINE "vi\.recover "
SecRule REQUEST_LINE "netenberg "
SecRule REQUEST_LINE "psybnc "
SecRule REQUEST_LINE "fantastico_de_luxe "
SecRule REQUEST_LINE "2Fpublic_html&"
SecRule REQUEST_LINE ".htaccess"
SecRule REQUEST_LINE "sql_passwd"
SecRule REQUEST_LINE "c99sh_datapipe.pl"
SecRule REQUEST_LINE "listDBs"
SecRule REQUEST_LINE "%2home%2"
SecRule REQUEST_LINE "%2home%"
SecRule REQUEST_LINE "%home%"
SecRule REQUEST_LINE "%home"
SecRule REQUEST_LINE "home%"
SecRule REQUEST_LINE "%2Fhome%2"
SecRule REQUEST_LINE "%2Fhome%"
SecRule REQUEST_LINE "%Fhome%"
SecRule REQUEST_LINE "%Fhome"
SecRule REQUEST_LINE "Fhome%"
SecRule REQUEST_LINE "2Fpublic_html&"         
SecRule REQUEST_LINE "/etc/"         
SecRule REQUEST_LINE "bcc:" 
SecRule REQUEST_LINE "bcc\x3a" 
SecRule REQUEST_LINE "cc:" 
SecRule REQUEST_LINE "cc\x3a" 
SecRule REQUEST_LINE "bcc:|Bcc:|BCC:" chain  
SecRule REQUEST_BODY "Bcc:" 
SecRule REQUEST_BODY "Bcc:\x20" 
SecRule REQUEST_BODY "cc:" 
SecRule REQUEST_BODY "cc:\x20" 
SecRule REQUEST_BODY "bcc:" 
SecRule REQUEST_BODY "bcc:\x20" 
SecRule REQUEST_BODY "bcc: " 
SecRule REQUEST_LINE "Bcc:" 
SecRule REQUEST_LINE "Bcc:\x20" 
SecRule REQUEST_LINE "cc:" 
SecRule REQUEST_LINE "cc:\x20" 
SecRule REQUEST_LINE "bcc:" 
SecRule REQUEST_LINE "bcc:\x20" 
SecRule REQUEST_LINE "bcc: " 
SecRule REQUEST_LINE "cd "
#SecRule REQUEST_LINE "cat "
#SecRule REQUEST_LINE "ls "
SecRule REQUEST_LINE "id "
#SecRule REQUEST_URI "/admincp/user\.php" chain
#WEB-PHP phpbb quick-reply.php arbitrary command attempt 
SecRule REQUEST_LINE "/quick-reply\.php" chain 
SecRule REQUEST_BODY "wget "
SecRule REQUEST_BODY "lynx "
SecRule REQUEST_BODY "Fhome"
SecRule REQUEST_BODY "ftp "
SecRule REQUEST_BODY "cvs "
#SecRule REQUEST_BODY "cmd"
SecRule REQUEST_BODY "curl "
SecRule REQUEST_BODY "act=sql&"
SecRule REQUEST_BODY "ssh "
SecRule REQUEST_BODY "echo "
SecRule REQUEST_BODY "links -dump "
SecRule REQUEST_BODY "links -dump-charset "
SecRule REQUEST_BODY "links -dump-width "
SecRule REQUEST_BODY "links http:// "
SecRule REQUEST_BODY "links ftp:// "
SecRule REQUEST_BODY "links -source "
SecRule REQUEST_BODY "mkdir "
SecRule REQUEST_BODY "cd /tmp "
SecRule REQUEST_BODY "cd /var/tmp "
SecRule REQUEST_BODY "cd /etc/httpd/proxy "
SecRule REQUEST_BODY "/config.php?v=1&DIR "
SecRule REQUEST_BODY "&highlight=%2527%252E "
SecRule REQUEST_BODY "changedir=%2Ftmp%2F.php "
SecRule REQUEST_BODY "arta\.zip "
SecRule REQUEST_BODY "cmd=cd\x20/var "
SecRule REQUEST_BODY "HCL_path=http "
SecRule REQUEST_BODY "clamav-partial "
SecRule REQUEST_BODY "vi\.recover "
SecRule REQUEST_BODY "netenberg "
SecRule REQUEST_BODY "psybnc "
SecRule REQUEST_BODY "fantastico_de_luxe "
SecRule REQUEST_BODY ".htaccess"
#SecRule REQUEST_BODY "sql_passwd"
SecRule REQUEST_BODY "c99sh_datapipe.pl"
SecRule REQUEST_BODY "listDBs"
SecRule REQUEST_BODY "%2home%2"
SecRule REQUEST_BODY "%2home%"
SecRule REQUEST_BODY "%home%"
SecRule REQUEST_BODY "%home"
SecRule REQUEST_BODY "home%"
SecRule REQUEST_BODY "%2Fhome%2"
SecRule REQUEST_BODY "%2Fhome%"
SecRule REQUEST_BODY "%Fhome%"
SecRule REQUEST_BODY "%Fhome"
SecRule REQUEST_BODY "Fhome%"
SecRule REQUEST_BODY "2Fpublic_html&"         
SecRule REQUEST_BODY "/etc/"      
SecRule REQUEST_BODY "db_server"     
SecRule REQUEST_BODY "SHOW DATABASES "

Now when anyone trys to run c99shell.php, r57.php they'll get a page something like this below you'll need to create your own page you would need to change hosting-shack.com/security.html link to yours.

http://www.hosting-shack.com/security.html

robert420 Reviewed by robert420 on 17th Jun 2010. Illegal File Scanner / Mod_Security Rules This source was posted on WHT. I've recently updated it. Server I"m using is a Centos 5 server the commands I'm getting ready to use might be little be difference for your server operating system. Step1. First you need to loggin into SSH on your server using Putty or other SSH Client Step2. Rating: 5

**BlaZe** · 17th Jun 2010, 06:04 PM

Thanks !

I'm gonna try this right now

Illegal File Scanner / Mod_Security Rules

Thread Tools

Display

Illegal File Scanner / Mod_Security Rules

Sponsored Links

Thread Information

Users Browsing this Thread

Similar Threads

Open WiFi Owner Not Liable For Illegal File-Sharing, Court Rules

Russia Moves To Hold ISPs Responsible For Illegal File-Sharing

ACS:Law in trouble with the courts over illegal file-sharing case

Tags for this Thread

Posting Permissions

themaManager - edit and manage...

themaManager - edit and manage...

themaLeecher - leech and manage...

themaCreator - create posts from...

themaCreator - create posts from...