FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic\modsec\99_asl_jitp.conf
--
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Virtual Just In Time Patches for Vulnerable Applications Rules
# for modsec 2.7.3 and up
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS and CONTRIBUTORS AS IS
# and ANY EXPRESS or IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY and FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER or CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, or
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS or SERVICES; LOSS OF USE, DATA, or PROFITS; or BUSINESS
# INTERRUPTION) HOWEVER CAUSED and ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, or TORT (INCLUDING NEGLIGENCE or OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 2.7.3 and above only
#--------------------------------
#start rules
#--------------------------------
#Bash attacks
# Shellshock-style payloads (CVE-2014-6271): a value that starts with "() {" once it has
# been URL-decoded and had its whitespace compressed. Checked in every request header,
# uploaded file name and argument name/value. Arguments whose name matches /msg/,
# /message/, /txt/ or /text/ are excluded (free-text fields that legitimately contain
# such characters). Phase 1, deny with 403, severity 1.
SecRule REQUEST_HEADERS|FILES_NAMES|ARGS|ARGS_NAMES|!ARGS:/msg/|!ARGS:/message/|!ARGS:/txt/|!ARGS:/text/ "^ ?\( ?\) ?{" "phase:1,deny,id:330701,rev:3,severity:1,t:none,t:urlDecodeUni,t:compressWhiteSpace,status:403,log,msg:'Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack'"
# Same pattern against the request line. No urlDecodeUni in this transformation list,
# so the "() {" sequence has to be present literally in the request line to match.
SecRule REQUEST_LINE "^ ?\( ?\) ?{" "phase:1,deny,id:330702,rev:3,severity:1,t:none,t:compressWhiteSpace,status:403,log,msg:'Atomicorp.com WAF Rules: Potential CVE-2014-6271 Bash Attack'"
#CryptoPHP
# Two chains for the CryptoPHP backdoor command channel. Both require a POST with no
# User-Agent header at all (&REQUEST_HEADERS:User-Agent @eq 0) and deny with 403.
#
# Chain 394667: the field names serverkey, data and key all present in the request-level
# Content-Disposition header (lowercased, whitespace compressed before matching).
# NOTE(review): every link of this chain tests the same REQUEST_HEADERS:Content-Disposition
# value; the per-part Content-Disposition headers inside a multipart body are not part of
# REQUEST_HEADERS, so confirm with a sample request that this chain can actually complete.
SecRule REQUEST_METHOD "@streq POST" \
"chain,id:394667,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?serverkey" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?data" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule REQUEST_HEADERS:Content-Disposition "form-data; name ?= ?\"?key" "t:none,t:lowercase,t:compressWhiteSpace,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
# Chain 394666: the same three names sent as individual request headers (serverKey, data,
# key), each present exactly once, again with no User-Agent header.
SecRule REQUEST_METHOD "@streq POST" \
"chain,id:394666,phase:2,t:none,deny,auditlog,log,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible CryptoPHP backdoor attempt',rev:1,severity:2"
SecRule &REQUEST_HEADERS:serverKey "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:data "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:key "@eq 1" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
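# Prefilter for the RFD rule: only a URI that contains ".bat" or ".cmd" falls through to
# rule 312863 (skip:1 jumps over the SecAction); every other request jumps to END_RFD.
# @pm is case-insensitive. urlDecodeUni is applied so that a percent-encoded extension is
# seen here exactly as rule 312863 sees it; without it the prefilter would skip requests
# that the rule itself would have matched.
SecRule REQUEST_URI "@pm .bat .cmd" \
"id:357876,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:359931,t:none,pass,nolog,skipAfter:END_RFD
#RFD attacks
# Reflected File Download: a path (everything before any "?") ending in .bat or .cmd,
# followed by a non-word character or the end of the string. Deny with 403.
# The stray empty action (",,") in the original action list has been removed; an empty
# action is at best a no-op and may be rejected as an unknown action by the parser.
# Logging is not set explicitly on this rule; it relies on whatever SecDefaultAction is in
# force for phase 2 at this point (none is visible above this rule in this file).
SecRule REQUEST_URI "@rx (?i:^[^?]*\.(?:bat|cmd)(?:\W|$))" \
"phase:2,id:312863,t:none,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules: Potential Reflected File Download (RFD) Attack.'"
SecMarker END_RFD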
# Phase 2 rules
#
# Defaults inherited by the phase-2 rules below: log, audit-log and deny with 403 unless a
# rule overrides them (several rules below use pass / nolog explicitly).
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Static content (image, video, audio, font-less web assets, office documents, ...) is
# exempted from the remaining JITP rules: jump to END_JITP (marker not in this excerpt).
# The filename is lowercased before the extension regex runs.
SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df|s)|gif|js|css|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333863,skipAfter:END_JITP
# Application-specific exemption: requests under this eprocservice inbound path jump to
# END_JITP_SPECIAL (marker not in this excerpt). URI is lowercased before matching.
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" phase:2,pass,t:none,t:lowercase,nolog,id:373863,skipAfter:END_JITP_SPECIAL
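#/cmdownloads/?CMDsearch=".
# WordPress CM Download Manager: a CMDsearch value that opens with a double quote followed
# by a dot, as in the example above. Monitor-only (pass + log + auditlog), severity 2.
# The URI is URL-decoded and lowercased before the regex runs: without urlDecodeUni the
# quote normally arrives as %22, and without lowercase the mixed-case "CMDsearch" in the
# example above would never match the lowercase pattern.
SecRule REQUEST_URI "/cmdownloads/\?cmdsearch=\"\." \
"id:393663,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress CM Download Manager RCE attempt',rev:2,severity:2"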
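#Possible WP brute force login attempt
# Monitor-only (pass + log + auditlog, tag no_ar): a POST to /wp-login.php that carries no
# Referer header and that the server answered with HTTP 200. The chain runs in phase 3
# because RESPONSE_STATUS is only populated once the response headers are available; in
# phase 2 the final link could never match and the rule never fired. The request
# variables used by the earlier links remain available in phase 3.
SecRule REQUEST_METHOD "@streq POST" \
"chain,id:393666,phase:3,t:none,pass,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible Wordpress brute force attempt, direct Login Missing Referer (not blocked)',rev:4,severity:4,tag:'no_ar'"
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule RESPONSE_STATUS "200"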
# Drupal pre-auth SQL injection.
# Rule 391235: a URI containing "node" whose argument names or values (except arguments
# whose name starts with field_aut_content) contain SQL fragments aimed at the users
# table. Arguments are URL-decoded, lowercased, stripped of comments and whitespace-
# compressed before the regex runs, so "UPDATE/**/users SET" style obfuscation is
# normalised first. Deny with 403, severity 1.
SecRule REQUEST_URI "node" \
"chain,id:391235,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:8,severity:1"
SecRule ARGS|ARGS_NAMES|!ARGS:/^field_aut_content/ "(?:update {?users}? set|insert into {?users}?|concat ?\(|truncate table)"
# Rule 391236: the Drupal login block form (form_id=user_login_block) posted to index.php
# or to the site root (empty script basename) with an array-style "name[" argument name.
# Deny with 403, severity 1.
SecRule SCRIPT_BASENAME "^(index\.php)?$" \
"chain,id:391236,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:1,severity:1"
SecRule ARGS:form_id "^user_login_block$" "chain"
SecRule ARGS_NAMES "^name\["
# Disabled earlier variant (id 391234, rev 4), superseded by rule 391235 above; kept for
# reference only. Note the typo "trucate" in its pattern.
#SecRule REQUEST_URI "node" \
#"chain,id:391234,deny,status:403,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removecomments,t:compressWhiteSpace,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Drupal pre-auth SQL injection attack',rev:4,severity:1"
#SecRule ARGS_NAMES "(?:update {?users}? set|insert into {?users}?|concat ?\(|trucate)"
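# Referer spam (semalt.com and similar). Prefilter first: if the Referer contains none of
# the listed host fragments, jump to END_SEMALT; otherwise skip the SecAction and fall
# through to the blocking regex. @pm is case-insensitive.
# The phrase list must cover every host the regex in rule 393766 can match, otherwise the
# regex is unreachable for that host. "for-websites.com" (the plural form the regex accepts
# via "websites?") was missing from the list and is added here; the singular
# "for-website.com" is not a substring of it.
SecRule REQUEST_HEADERS:Referer "@pm semalt.com savetubevideo.com srecorder.com kambasoft.com fbdownloader.com musicas-gratis.com for-website.com for-websites.com best-seo-solution.com social-buttons.com" \
"id:337876,phase:2,t:none,pass,nolog,skip:1"
SecAction phase:2,id:319931,t:none,pass,nolog,skipAfter:END_SEMALT
# Deny (403) requests whose lowercased Referer names one of the known referer-spam
# domains. Tagged no_ar, severity 3.
SecRule REQUEST_HEADERS:Referer "(?:\.(?:s(?:emalt|avetubevideo|recorder)|kambasoft|fbdownloader)|-musicas-gratis|best-seo-solution|buttons?-for-websites?|social-buttons)\.com" \
"id:393766,phase:2,t:none,t:lowercase,deny,status:403,auditlog,log,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: semalt.com bot attempt',rev:8,severity:3,tag:'no_ar'"
SecMarker END_SEMALT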
#WP brute force DOS attack
#/?3162504=9747583
# A query string made of a 7-digit parameter name set to a 7-digit value, as in the example
# above (a pattern used by the WordPress brute-force/DoS floods this rule is named for).
# Matched on the raw URI (no decoding). Deny with 403, severity 1.
SecRule REQUEST_URI "/\?[0-9]{7}=[0-9]{7}" \
"phase:2,log,deny,auditlog,status:403,id:393669,rev:1,severity:1,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Possible DOS attack',t:none"
#Joomla zero day
# Joomla Media Manager upload filter bypass (see the advisory linked in the tag): a request
# for the com_media component (ARGS:option, exact case-sensitive match) that uploads a file
# whose name ends with a trailing ".". Deny with 403, severity 2.
SecRule ARGS:option "@streq com_media" \
"id:384545,severity:2,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: Joomla Media Manager File Upload Bypass Attack',tag:http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads,chain"
SecRule FILES_NAMES "@endsWith ."
#PHP code injection
#