Diffstat (limited to 'files/mod_security/custom_rules/rootkits.conf')
-rw-r--r-- | files/mod_security/custom_rules/rootkits.conf | 182 |
1 files changed, 0 insertions, 182 deletions
diff --git a/files/mod_security/custom_rules/rootkits.conf b/files/mod_security/custom_rules/rootkits.conf
deleted file mode 100644
index 0fe477b..0000000
--- a/files/mod_security/custom_rules/rootkits.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rootkits.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# modsecurity is a trademark of Thinking Stone, Ltd.
-#
-# Version: N-20061022-01
-#
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
-SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
-SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
-
-SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
-SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
-SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
-SecRule REQUEST_URI "/\.it/viewde"
-SecRule REQUEST_URI "/cmd\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
-SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
-SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
-SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
-SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
-SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
-
-#Known rootkits
-SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
-SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
-SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
-SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
-
-#Generic remote perl execution with .pl extension
-SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
-SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
-
-#Known rootkit Defacing Tool 2.0
-SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
-
-#other known tools
-SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
-SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
-
-#New kit
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
-SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
-
-#new kir
-SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
-
-#suntzu
-SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
-
-#proxysx.gif?
-SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
-
-#phpbackdoor
-SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
-
-#new unknown kit
-SecRule REQUEST_URI "/oops?&"
-
-# known PHP attack shells
-#value of these sigs, pretty low, but here to catch
-# any lose threads, honeypoting, etc.
-SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
-SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
-SecRule REQUEST_URI "/phpterm"
-
-#Frantastico worm
-SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
-
-#new unknown kits
-SecRule REQUEST_URI "/iblis\.htm\?"
-SecRule REQUEST_URI "/gif\.gif\?"
-SecRule REQUEST_URI "/go\.php\.txt\?"
-SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/zehir\.asp"
-SecRule REQUEST_URI "/aflast\.txt\?"
-SecRule REQUEST_URI "/sikat\.txt\?&cmd"
-SecRule REQUEST_URI "/t\.gif\?"
-SecRule REQUEST_URI "/phpbb_patch\?&"
-SecRule REQUEST_URI "/phpbb2_patch\?&"
-SecRule REQUEST_URI "/lukka\?&"
-
-#new kit
-SecRule REQUEST_URI "/c99shell\.txt"
-SecRule REQUEST_URI "/c99\.txt\?"
-
-#remote bash shell
-SecRule REQUEST_URI "/shell\.php\&cmd="
-SecRule ARGS "/shell\.php\&cmd="
-
-#zencart exploit
-SecRule REQUEST_URI "/ipn\.php\?cmd="
-
-#new pattern
-SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "dsoul/tool\?"
-
-#generic suntzu payload
-SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
-SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
-SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
-
-#25dec new one
-SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
-
-#26dec new kit
-SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/vsf\.vsf\?&"
-
-#27dec
-SecRule REQUEST_URI "/scan1\.0/scan/"
-SecRule REQUEST_URI "test\.txt\?&"
-
-#30dec
-SecRule REQUEST_URI "\.k4ka\.txt\?"
-#31dec
-SecRule REQUEST_URI "/php\.txt\?"
-
-#1 jan
-SecRule REQUEST_URI "/sql\.txt\?"
-SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
-
-#22feb
-SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
-SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
-
-#24mar
-SecRule REQUEST_URI "/docLib/cmd\.asp"
-SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
-SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
-SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
-
-#some broken attack program
-SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
-SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
-
-SecRule REQUEST_URI "/r57en\.php"
-
-#c99 rootshell
-SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
-
-#generic shell
-SecRule REQUEST_URI "shell\.txt"
-
-#bad scanner
-SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
-
-#wormsign
-SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
-
-#New SEL attack seen
-SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
-
-#New SQL attack seen
-SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)" |