FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic\modsec\50_asl_rootkits.conf

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known shells, remote toolkits, etc. signatures for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# How this file is organised (review notes):
# - SecDefaultAction below makes every rule that names no disruptive action
#   inherit log,deny,auditlog,phase:2,status:403. Rules that only add
#   status:404 therefore still deny; the 404 replaces the 403.
# - Most sections are gated by a cheap "@pm <keywords>" prefilter rule with
#   pass,nolog,skip:1 followed by "SecAction ... skipAfter:<marker>". When no
#   keyword occurs, the SecAction jumps past the section; when one does, the
#   skip:1 hops over the SecAction and the regex rules of the section run.
# - Several chained rules end their last physical line with a continuation
#   backslash. Apache joins the following physical line into that line, so
#   the empty line after each of them is load-bearing: keep it, and never put
#   a comment or another directive directly after such a line.
# - The RESPONSE_BODY rules (phase:4) only see a body when
#   SecResponseBodyAccess is On elsewhere in the configuration; it is not set
#   in this file.
#Master list of known malware script file names
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
# NOTE(review): the bare action string two lines below is not commented out;
# it is only harmless because Apache joins it into the commented-out SecRule
# through that line's trailing backslash. Prefix it with '#' so the intent is
# explicit and it cannot become a live directive if the line above is edited.
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \
"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
#Skip the rootkit rules if this is not something to check, like control panels, ASL gui, etc.
# NOTE(review): this rule runs in phase:4, and as I read ModSecurity a
# skipAfter only takes effect within the phase of the rule that issues it,
# so the phase:2 request rules below still evaluate for port 30000 and only
# the phase:4 response checks are skipped - confirm that is intended.
SecRule SERVER_PORT "@streq 30000" phase:4,id:333852,pass,t:none,nolog,skipAfter:END_ROOTKIT_ALL
#Static media/document extensions and one known service path are exempt from
#the phase:2 request checks up to END_ROOTKIT_FINAL.
SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333853,skipAfter:END_ROOTKIT_FINAL
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" phase:2,pass,t:none,t:lowercase,nolog,id:331853,skipAfter:END_ROOTKIT_FINAL
#Remote-include section: runs only when a URL scheme occurs in the URI or in
#an argument (ARGS:SAMLResponse is excluded from the prefilter).
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" \
"id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333760,t:none,pass,nolog,skipAfter:END_ROOTKIT_RFI
#SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" \
# "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)" \
#shell patterns
#Remote URL with a shell-like extension in a query value; the chained second
#rule excludes a list of known redirector/cache paths.
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" \
"t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell'"
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)" \

#File-host (leech) download URLs passed in arguments
SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_RFI
#Joomla PHP Shells: any .php requested under /images/stories/
#SecRule REQUEST_URI
SecRule REQUEST_URI "/images/stories/.+\.php" \
"t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Joomla images directory',logdata:'%{TX.0}'"
#Fake Major domains
SecRule REQUEST_URI|ARGS "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'"
#Known-rootkit section: gated on the webshell parameter names below
SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" \
"id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333761,t:none,pass,nolog,skipAfter:END_KNOWN_ROOTKITS
#known shell URLS
# NOTE(review): the alternative "\.php\?act=?:(chmod&f|cmd|ls|f&f)" looks
# like a typo for "\.php\?act=(?:chmod&f|cmd|ls|f&f)": as written the '=' is
# optional and a literal ':' is required after "act", so that branch is
# unlikely to ever match a real "x.php?act=cmd" request - confirm and fix.
SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/message/|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name|action)=|\.php\?act=?:(chmod&f|cmd|ls|f&f)|/cmd\?&(?:(?:ch|mk)dir=/|action=(?:ch|mk)dir))" \
"t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible attempt to run malware',logdata:'%{TX.0}'"
#Request header name sigs: x_key / x_file request headers (inherits deny, answers 404)
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com WAF Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'"
#ASP sigs
SecRule REQUEST_FILENAME "\.asp" \
"chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)"
SecMarker END_KNOWN_ROOTKITS
#c99 shell: "c99shcook" argument name; explicit deny with severity 1
# NOTE(review): the action string is missing the comma between
# msg:'...webshell' and logdata:'%{TX.0}' - confirm the rule loads and that
# logdata is honoured; if not, insert the comma.
SecRule ARGS_NAMES "c99shcook" \
"id:391158,phase:2,capture,t:none,t:lowercase,deny,severity:1,rev:1,msg:'Atomicorp.com WAF Rules: PHP c99 webshell'logdata:'%{TX.0}'"
#Check body of responses for known or suspected malicious web applications
#REPORT requests and the Wordfence plugin-information page are exempt from the
#response body checks (presumably because they legitimately contain the
#keywords listed below).
SecRule REQUEST_METHOD "^REPORT$" \
phase:4,rev:2,id:334785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY
SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" \
phase:4,rev:2,id:364785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY
#Response-body section prefilter (phase:4)
SecRule RESPONSE_BODY "@pm boff rapidleech mailer telnet shell exploit-db.com phpftp explorer aventis xerror injection rhtools commander terminal ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce" \
"id:333856,rev:2,phase:4,t:none,pass,nolog,skip:1"
SecAction phase:4,id:333762,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY
#Response body patterns that are not malicious (webmail / Horde pages): skip
#the rest of this section
SecRule RESPONSE_BODY "(?:.{0,64}Web[m|M]ail|Horde \:\:)" \
phase:4,rev:2,id:333785,pass,t:none,nolog,skipAfter:END_ROOTKIT_BODY
#Spam tool page signatures; inherits deny, answers 404
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|<title>dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" \
"phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'"
#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:rapidleech plugmod -|you are not allowed to leech from|=\"http://www\.rapidleech\.com)" \
"phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:12,severity:'2'"
#trick them with a 404
# NOTE(review): this rule applies t:none only, so apart from the mixed-case
# literals (SvT SheLL, WSO 2.4, WebRooT Hack Tools) its signatures match
# lower-case page content only - confirm that is intended.
SecRule RESPONSE_BODY "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?) ?(web)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|s(?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?: mode(?: bypass|execdir)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver)" \
"capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible remote shell or bot access denied',id:'390149',rev:50,severity:'2',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_BODY
#Generic shell-code section: gated on PHP function names and wormsign strings
# NOTE(review): "stripshashes" in this and the later keyword lists looks like
# a typo for stripslashes; the regexes below still reach via "_request" and
# "passthru", so the impact is limited to the prefilter.
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" \
"id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333763,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_2
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
#
SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \
"t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)"
#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
#New SQL attack seen
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" \
#"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known shell SQL payload',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_BODY_2
#Same shell-code signatures, evaluated after hex decoding
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
"phase:2,id:333786,t:none,t:hexDecode,pass,nolog,skip:1"
SecAction phase:2,id:333764,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_3
# NOTE(review): in this chain (and in 390811 below) the transformations
# t:hexDecode,t:lowercase,t:compressWhitespace and the capture sit on the
# first rule, which only evaluates the wp-login exclusion, while the second
# rule carrying the shell-code regex names no transformations. As I
# understand ModSecurity, transformations are not inherited within a chain,
# so the regex would run against undecoded input and the exclusion against
# decoded input; compare rule 390801, which puts the regex on the first rule.
# Confirm and, if so, move the t: list and capture onto the second rule.
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
"chain,capture,t:none,t:hexDecode,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_3
#Same shell-code signatures, evaluated after base64 decoding
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
"id:333859,phase:2,t:none,t:base64Decode,pass,nolog,skip:1"
SecAction phase:2,id:333765,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_4
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" \
"chain,capture,t:none,t:base64Decode,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:code "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" \

SecMarker END_ROOTKIT_BODY_4
#Disabled variant using t:decodeBase64Ext, guarded by a MODSEC_BUILD check
#SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" \
# "phase:2,t:none,t:decodeBase64Ext,pass,nolog,skip:1"
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_ROOTKIT_BODY_5
#
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" \
#"capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
#SecMarker END_ROOTKIT_BODY_5
#Known rootkit / perl execution section: gated on the file and tool names below
SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php 404.php.jpg webadmin.php.flv" \
"id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333766,t:none,pass,nolog,skipAfter:END_PERL_EXEC
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt)" \
"capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:7,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
SecMarker END_PERL_EXEC
#Rapidleech string in the WWW-Authenticate response header (phase:3)
SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" \
"capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
#Shell command section: prefilter on common command names
# NOTE(review): "smclient" in this list looks like a typo for smbclient; the
# "smbclient " branch of rule 390904 is then reachable only when another
# keyword in the same request also hits the prefilter.
SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" \
"id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1"
SecAction phase:2,id:333767,rev:3,t:none,pass,nolog,skipAfter:END_KNOWN_SIGNS
#Known shells
SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "\b(?:ls\b(?: -|\&)|find /|mysqldump |ifconfig |chdir=|php |echo |perl |killall |kill -|python |rpm |yum |apt-get |emerge |lynx |links\b |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|\bmv\b |unzip |tar |\brm\b |\bcat\b (?:/|\.\.)|\brar\b )" \
"capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:14,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
#for direct CGI type commands
#http://example.com/cmd.cgi?cat /etc/passwd
#SecRule REQUEST_URI "\b(?:ls\b -|find /|mysqldump |php |echo |perl |killall |kill |python |lynx |e?links (?:[0-9]|h|f) |mkdir |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|mv\b |unzip |tar\b |rm\b |cat (?:/|\.\.)|rar\b )" \
#"capture,t:none,t:urlDecodeUni,t:compresswhitespace,multimatch,id:390907,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9]+ ?;" \
"capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
#new known injected payload
#SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" \
#"capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecMarker END_KNOWN_SIGNS
#Uploaded php files in the WP cache directories (timthumb.php in a cache
#directory is excluded by the chained second rule)
SecRule REQUEST_FILENAME "/wp-content/(?:themes/.+/cache|uploads/[0-9]+/[0-9]+)/.+\.php[345]?$" "log,deny,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain"
SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)"
SecMarker END_ROOTKIT_FINAL
SecMarker END_ROOTKIT_ALL