Diffstat (limited to 'files/mod_security/custom_rules/rootkits.conf')
-rw-r--r--files/mod_security/custom_rules/rootkits.conf182
1 files changed, 0 insertions, 182 deletions
diff --git a/files/mod_security/custom_rules/rootkits.conf b/files/mod_security/custom_rules/rootkits.conf
deleted file mode 100644
index 0fe477b..0000000
--- a/files/mod_security/custom_rules/rootkits.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rootkits.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# modsecurity is a trademark of Thinking Stone, Ltd.
-#
-# Version: N-20061022-01
-#
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
-
-SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
-SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
-SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
-SecRule REQUEST_URI "/\.it/viewde"
-SecRule REQUEST_URI "/cmd\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
-SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
-SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
-SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
-SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
-
-#Known rootkits
-SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
-SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
-SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
-SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
-
-#Generic remote perl execution with .pl extension
-SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
-SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
-
-#Known rootkit Defacing Tool 2.0
-SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-
-#other known tools
-SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
-SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
-
-#New kit
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
-
-#new kir
-SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
-
-#suntzu
-SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
-
-#proxysx.gif?
-SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
-
-#phpbackdoor
-SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
-
-#new unknown kit
-SecRule REQUEST_URI "/oops?&"
-
-# known PHP attack shells
-#value of these sigs, pretty low, but here to catch
-# any lose threads, honeypoting, etc.
-SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
-SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI "/phpterm"
-
-#Frantastico worm
-SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
-
-#new unknown kits
-SecRule REQUEST_URI "/iblis\.htm\?"
-SecRule REQUEST_URI "/gif\.gif\?"
-SecRule REQUEST_URI "/go\.php\.txt\?"
-SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/zehir\.asp"
-SecRule REQUEST_URI "/aflast\.txt\?"
-SecRule REQUEST_URI "/sikat\.txt\?&cmd"
-SecRule REQUEST_URI "/t\.gif\?"
-SecRule REQUEST_URI "/phpbb_patch\?&"
-SecRule REQUEST_URI "/phpbb2_patch\?&"
-SecRule REQUEST_URI "/lukka\?&"
-
-#new kit
-SecRule REQUEST_URI "/c99shell\.txt"
-SecRule REQUEST_URI "/c99\.txt\?"
-
-#remote bash shell
-SecRule REQUEST_URI "/shell\.php\&cmd="
-SecRule ARGS "/shell\.php\&cmd="
-
-#zencart exploit
-SecRule REQUEST_URI "/ipn\.php\?cmd="
-
-#new pattern
-SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "dsoul/tool\?"
-
-#generic suntzu payload
-SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
-SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
-SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
-
-#25dec new one
-SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
-
-#26dec new kit
-SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/vsf\.vsf\?&"
-
-#27dec
-SecRule REQUEST_URI "/scan1\.0/scan/"
-SecRule REQUEST_URI "test\.txt\?&"
-
-#30dec
-SecRule REQUEST_URI "\.k4ka\.txt\?"
-#31dec
-SecRule REQUEST_URI "/php\.txt\?"
-
-#1 jan
-SecRule REQUEST_URI "/sql\.txt\?"
-SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
-
-#22feb
-SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
-
-#24mar
-SecRule REQUEST_URI "/docLib/cmd\.asp"
-SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
-SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
-SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
-
-#some broken attack program
-SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
-SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
-
-SecRule REQUEST_URI "/r57en\.php"
-
-#c99 rootshell
-SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
-
-#generic shell
-SecRule REQUEST_URI "shell\.txt"
-
-#bad scanner
-SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
-
-#wormsign
-SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
-
-#New SEL attack seen
-SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
-
-#New SQL attack seen
-SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"