FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\tortix\hg_rules.conf
--
##Date 7.29.2011
## Wordpress Rules
##Date 8.10.2011
## WP-FileManager / PHPFm
##Date 8.18.2011
#Images/Stories Block
##Date 8.24.2011
## Apache DDOS Rules
##Date 8.26.2011
## Apache DDOS Update
##Date 8.30.2011
## timThumb scanning
##Date 9.22.2011
## 1-flash-gallery Upload PHPext
##Date 10.12.2011
## 1-flash-gallery Upload PATH POST block
##Date 10.19.2011
## Updated osCommerce rule. Added configuration.php
## Added block for Mass malware sm3.php
##Date 10.20.2011
## OSC showimg&cookies backdoor rule
##Date 11.10.2011
## Zen-Cart Ajax File Manager Exploit
##Date 11.21.2011
#TimeThumb /cache/32 char php file block
##Date 12.6.2011
#Joomla No Referrer password reset block
##Date 1.10.2012
#Joomla Component OzioGallery WritetoFile block
##Date 2.6.2011
#Whitelist cpanel. for RFI Rule: 1234234
##Date 2.8.2012
## WP-Brute
##Date 2.15.2012
# Exploiting UA / No UA blocks.
##Date 2.21.2012
#osDate RFI :: Trackback spam injection
##Date 3.9.2012
##Two UA rules. SQL Comment block
##Date 3.15. FF 3.6.3 RU Post / No REF :: Brute Attempt :: Transaction cleanup
##Date 3.23. NoNumber Exploit Block
##Date 3.26. Chillkat UA block
##Date 4.11 Com_Fabrik / SQL Comment Update
##Date 5.4 PHP-CGI Exploit :: CVE-2012-1823
##Date 5.16:20 Upload* No Referer POST (Logging Only) *UPDATE*
##Date 7.2 VB Info Disclosure
##Date 7.27 inc/upload
##Date 8.7 No UA Joomla Edit / JCE Bot UA
##Date 8.16 DDOS Script. Self Spawning
##Date 9.10 VB Template EDIT no UA/Ref
##Date 9.17 Joomla admin/index.php w/ bing ua
##Date 11.1 HTTP_CMD Header block
##Date 11.12 Wordpress WSO Request Attempt
##Date 11.16 PHP DDOS
##Date 11.26 PHP Execution w/ Comments + Eval|Base64_Decode
##Date 11.27 Automated Wordpress Exploit Attempt
##Date 12.03 PHP Automated Mailer attempt
##Date 12.4.12 Automated Exploitation Attempt
##Date 12.7.12 DDOS Args
##Date 12.12 Disabled Ineffective Mozilla Block :: Akismet WSO Block :: Com_Ag_block
##Date 12.31 Fake Mozilla Agent
##Date 1.3 BROBOT UA DDOS BLOCK
##Date 1.3 UCP.php StopForumSPAM add
##Date 1.4 WHMCS 5.x Auth bypass http://packetstormsecurity.com/files/119234/whmcs5-bypass.txt
##Date 1.4 C_ID & Comment BASE64 Encoded data backdoor attempt
##Date 1.4 JCE Exploit attempts
##Date 1.11 K2 Modification :: IE6 Block on wplogin/joomla admin/k2 spam
##Date 1.15 Malicious Mailer 7c32 and Misspelled LICESNE.php block
##Date 1.22 mt-upgrade Behavior block
##Date 1.28 BBPRess SPAM Blocks
##Date 1.29 js/swfupload/js/upload.php BLOCK
##Date 1.31 Wordpress direct path 404 theme page POST
##Date 2.19 Wordpress BING wp-admin request during brute request
##Date 3.20 DVMessages bloc :: UA Block
##Date 3.22 Joomla/WP Brute and SPAM UA block and Double valid ua block
##Date 3.26 Whitelist SeoGears for Mozilla/5.0 && BroBOT Brute BLOCKS
##Date 4.2 Havij Block
##Date 4.3 Fake plugins mailer
##Date 4.4 Brute Joomla/UA blocks
##Date 4.19 XMLRPC No UA/Referrer block
##Date 4.23 WP-Brute rule :: 1.0 FF18/19 && Com_civicrm OpelFlashChart Unsecured Upload
###Date 5.13 Commented OUT :: Cloudflare PROXY forwards via 1.0 http attack
##Date 5.17 Joomla JCE Exploit (new UA)
##Date 5.23 Wordpress Brute Moz18 w/ Close
##Date 6.6 Wordpress BAD UA ::
##Date 6.10 Wordpress EDITOR http:1.0
##Date 6.12 NGG Gallery 1.9.12 Upload exploit
##Date 6.14 Wordpress Brute Block
##Date 6.17 Script ser-Agent settings Broke
##Date 6.21 WHMCS Paypal SQL Injection
##Date 7.3 BadBot block via EIG report
##Date 7.16 Com_JCE new UA block
##Date 7.17 XMLRPC Logging Rule for NO UA/REF Block
##Date 7.23 BroBOT UA Blocks
##Date 7.30 AhrefsBOt
##Date 7.31 BAD CHROME UA / Brutes
##Date 8.08 POST FakeGoogleBOT wp-login
##Date 8.09 OpenX Backdoor http://forum.openx.org/index.php?showtopic=503521628
##Date 8.12 WP-Brute/XML-RPC Abuse
##Date 8.13 PHP Shell Upload
##Date 8.16 Wordpress Brutes
##Date 8.20 Spam UA Attempts (Random names)
##Date 8.20 SQL Injection Attempt
##Date 8.22 SPAM RULE TEMP
##Date 8.29 Collector :: Com_jce
##Date 9.25 Wordpress Brute :: MSIE 8.0 (Fake :: LWP Request)
##Date 9.26 OFC Unsecured Upload Vuln
##Date 9.27 XMLRPC Amp Attack
##Date 10.3 WHMCS SQLInjection
##Date 11.4 WP-Login No Accept w/ close block
##Date 12.1 Wordpress Theme Uploaders :: Comment Spam :: POST Upload blocks :: Fake UAs :: Spam Scripts
##Date 1.29 Joomla Brute 1.0 Header Order w/o Cookie
##Date 3.17 XMLRPC Brute
##Date 4.1 Steelrat block
##Date 4.4 OpenFlashChart UPLOAD Block
##Date 4.22 Fake ZH UA :: Spambot
##Date 6.24 TinyMCE RCE
##Date 7.17 Wordpress Brutes
##Date 7.23 WP-Plugins Readme.txt block (Metasploit checks for this to see if plugin exists in many modules)
##Date 8.5 SQL Google Ref Request
##Date 10.1 Bad WP Brute Random UA Var
##Date 10.16 Drupal SQL I (No UA or Ref w/POST)
##Date 10.26 Wordpress Brutes, Exploit Scanner, Joomla Com_contenthistory, Brute Force Backdoor
##Date 01.17 Wordpress 4.7+ API post vulnerability ID 900501 900502
##Date 03.01.2017 Removed id 900118 for Windows compatibility
#SecRule REMOTE_ADDR "@ipMatch 66.29.189.11,66.29.162.115,66.29.162.116" "id:900118,nolog,pass,phase:1,t:none,ctl:ruleEngine=off"
# Exemption: a request whose User-Agent looks like PayPal's IPN caller skips rule 900177 (defined elsewhere).
# The User-Agent header is supplied by the client, so this exemption can be claimed by any sender of that
# string; keep that in mind when judging how much 900177 is relied on.
SecRule Request_Headers:User-Agent "PayPal IPN \( ?https:\/\/www\.paypal\.com\/ipn ?\)" "id:900191,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=900177"
# CVE-2014-6271 (Shellshock): deny any request header that contains the "() {" Bash function-definition marker.
# Every request header is inspected after URL-decoding, in phase 1 (request headers), before the body is read.
SecRule REQUEST_HEADERS "\(\) \{" "phase:1,deny,id:900261,t:urlDecode,status:406,log,msg:'CVE-2014-6271 - Bash Attack'"
# wordpress-groupdocs-assembly 2016-11-17 ASOSD-1248
SecRule REQUEST_URI "/wp-content/plugins/groupdocs-assembly/js/.*\.php" "id:9990031,rev:1,severity:2,log,deny,status:406,msg:'wordpress-groupdocs-assembly compromised'"
# Logging Joomla POSTS for UN-12236
SecRule REQUEST_URI "/administrator/(index\.php)?$" "id:900402,t:none,log,pass,phase:5,chain,msg:'Joomla administrator POST logging',logdata:%{RESPONSE_STATUS}"
SecRule REQUEST_METHOD "POST"
# Logging wp-comments-post POSTS for UN-12352
SecRule REQUEST_URI "/wp-comments-post.php$" "id:900404,t:none,log,pass,phase:5,chain,msg:'wp-comments-post POST logging',logdata:%{RESPONSE_STATUS}"
SecRule REQUEST_METHOD "POST"
# Logging xmlrpc POSTS for UN-12352
SecRule REQUEST_URI "/xmlrpc.php$" "id:900405,t:none,log,pass,phase:5,chain,msg:'xmlrpc POST logging',logdata:%{RESPONSE_STATUS}"
SecRule REQUEST_METHOD "POST"
# Logging wp-login POSTS for UN-12352
SecRule REQUEST_URI "/wp-login.php$" "id:900406,t:none,log,pass,phase:5,chain,msg:'wp-login POST logging',logdata:%{RESPONSE_STATUS}"
SecRule RESPONSE_STATUS "^(200|406|503)" chain
SecRule REQUEST_METHOD "POST"
# 4.1.2015 Spam Blocks / Wordpress Exploitation Attempts
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" "id:900290,phase:1,status:406,deny,log,chain,msg:'1.0 Post Request :: Spam Blocks'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule REQUEST_HEADERS:Content-Type "multipart\/form-data" chain
SecRule REQUEST_METHOD "POST"
## 5.24 WP RBL
# Login, XML-RPC and Joomla administrator requests are checked against the wprbl.websitewelcome.com RBL.
# @rbl does a DNS lookup per request that reaches the second link, so RBL latency or outage affects only
# these paths (the URI link runs first).
# NOTE(review): the alternation lists "wp-comments.php", which does not match wp-comments-post.php used by
# the other rules in this file; confirm which file was intended.
SecRule REQUEST_URI "/(wp-login.php|wp-comments.php|xmlrpc.php|administrator)" "phase:1,deny,status:406,chain,log,id:900407,msg:'Wordpress and Joomla Brute RBL: wprbl.websitewelcome.com'"
SecRule REMOTE_ADDR "@rbl wprbl.websitewelcome.com"
## XMLRPC No Content Header 10/26
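# POST to xmlrpc.php that carries no Content-Length header. The action list was missing its closing double
# quote; Apache's config tokenizer may tolerate the unterminated string, but other ModSecurity parsers and
# rule linters reject it, so the quote is restored.
SecRule REQUEST_URI "/xmlrpc\.php" "id:900322,t:none,log,deny,status:406,chain,msg:'XMLRPC Header Request anomaly'"
SecRule REQUEST_METHOD "POST" chain
SecRule &REQUEST_HEADERS:content-length "@eq 0" "t:none"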
## Broke Exploit Scanner 10/26
SecRule ARGS_NAMES "abdullkarem" "id:900324,t:none,log,deny,status:406,msg:'abdullkarem argument name'"
## Joomla Com_Content History Sql Injection 10/26
SecRule REQUEST_FILENAME "/index.php" "id:900325,t:none,t:lowercase,log,chain,deny,status:406,msg:'Joomla ComContent SQLi'"
SecRule ARGS:option "com_contenthistory" chain
SecRule ARGS:view "history" chain
SecRule ARGS "select" "t:lowercase,chain"
SecRule ARGS "concat(_ws)?" "t:lowercase"
## Joomla Com_Content History SQL Injection 12/3
SecRule REQUEST_URI "/administrator/index.php" "id:900330,phase:1,deny,log,status:406,chain,msg:'Joomla Com_Content SQL Injection POST'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule REQUEST_HEADERS:Referer "http://search\.yahoo"
##
# Denies any POST from a Windows Firefox User-Agent (any rv/version) that has no Accept-Language header.
# This chain has no URI link, so it applies to every POST on the host, not only Joomla administrator
# requests as the msg suggests; expect false positives for clients that legitimately omit Accept-Language.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.\d+;( WOW64;)? rv:\d+\.\d+\) Gecko\/20100101 Firefox\/\d+\.\d+" "id:900331,phase:1,deny,log,status:406,chain,msg:'Joomla Com_Content SQL Injection POST'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0" "t:none"
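# 10.7.2015
# The parentheses in the User-Agent pattern were unescaped, so they formed a regex group and the rule required
# a literal "Windows NT 6.0; rv:34.0" with no brackets, which no real UA string contains; the rule could never
# fire. They are escaped here, matching the other UA rules in this file.
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900309,log,deny,phase:1,status:406,chain,msg:'Mozilla Fake Connection :: Brute Force'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.0; rv:34\.0\) Gecko\/20100101 Firefox\/34\.0" chain
SecRule REQUEST_METHOD "POST" "t:none,chain"
# "accept*" matches any header name containing "accep"; the last link then requires the lower-cased matched
# name to contain "accept", i.e. an Accept/Accept-* header must be present for the chain to complete.
SecRule REQUEST_HEADERS_NAMES "accept*" "t:lowercase,chain"
SecRule MATCHED_VAR "@strmatch accept" "t:lowercase"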
# 10.14.2015 Block WP-Brutes / Exploit
# Only a request cookie named "D" is inspected; no phase is given, so the default (phase 2) applies.
SecRule REQUEST_COOKIES:D "base64_decode" "id:900323,t:none,log,deny,status:406,msg:'COOKIE Value - Base64'"
# 11.9.2015 Joomla POST SQL Injection
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/44\.0\.2403\.125 Safari\/537\.36" "id:900326,phase:1,t:none,log,deny,status:406,chain,msg:'Joomla SQL POST Injection xYzZy: Nothing happens'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule REQUEST_HEADERS:Content-type "multipart\/form-data; boundary\=xYzZY"
SecRule REQUEST_URI "/index.php/admin" "id:900327,phase:1,t:none,log,deny,status:406,chain,msg:'Magento ADMIN Login Brute Attempt'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
# Denies a User-Agent containing either phrase (@pm is a case-insensitive multi-phrase match), on every URI.
SecRule Request_Headers:User-Agent "@pm base64_decode JDatabaseDriverMysqli" "id:900328,t:none,phase:1,status:406,deny,log,msg:'Joomla RCE'"
# 2015-03-27 RevSlider < 4.2 Content Injection - http://pastebin.com/eUUtgAtQ
SecRule REQUEST_URI "wp-admin/admin-ajax\.php" "id:900291,rev:2,severity:2,log,deny,status:406,msg:'RevSlider Exploit - get_captions_css Vector',chain"
SecRule ARGS:action|ARGS:client_action "^revslider_ajax_action$" chain
SecRule &ARGS:nonce ^0$
# 2015-04-01 jdownload Unsecured Upload :: http://1923turk.org/showthread.php?t=7&langid=1
SecRule REQUEST_URI "/images/jdownloads/screenshots/" "id:900292,phase:1,status:406,deny,log,chain,msg:'jDownload screenshot POST attempt'"
SecRule REQUEST_METHOD "POST"
# 2015-04-01 jdownload Unsecured Upload :: http://1923turk.org/showthread.php?t=7&langid=1
SecRule REQUEST_URI "/index\.php\?option\=com_jdownloads\&Itemid\=0\&view\=upload" "id:900293,phase:1,status:406,deny,log,chain,msg:'jDownload upload attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
# 2015-04-01 com_media exploiter upload attempt
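# The "?" after "index.php" was unescaped and acted as a regex quantifier (making the "p" optional), so the
# literal "?" of the query string was never matched and the rule could not fire. "?", "." and "&" are now
# escaped, following the convention of the other URI rules in this file.
SecRule REQUEST_URI "index\.php\?option\=com_media\&view\=images\&tmpl\=component\&fieldid\=\&e_name\=jform_articletext\&asset\=com_content\&author\=\&" "id:900294,phase:1,status:406,deny,log,chain,msg:'Joomla com_media unsecured upload attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"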
# 2015-04-01 Neoloris Level 7 Mobile App DDOS tool UA Block - UN-3777
SecRule REQUEST_HEADERS:User-Agent "Neoloris" "id:900295,phase:1,status:406,deny,log,msg:'Neoloris DDOS Tool UA Block'"
# 2015-04-01 Gravity Forms unsecured upload vulnerability - CVE-2014-6446 - UN-3767
SecRule ARGS:gf_page "upload" "id:900296,phase:1,deny,log,status:406,chain,msg:'Gravity Forms Unsecured Upload Attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
# 2015-04-19 Magento RCE
SecRule REQUEST_URI "/cms_wysiwyg/" "id:900297,phase:1,status:406,deny,chain,t:lowercase,log,msg:'Magento RCE :: SUPEE-5344'"
SecRule ARGS:forwarded "1"
# 2015-04-22
# Denies this fixed Firefox/10.0 (Gecko/20130101) User-Agent on every URI. Rule 900231 later in this file
# matches the same UA only for com_extplorer paths; both run in phase 1 and this rule comes first, so 900231
# is shadowed while this rule is active.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; rv:12\.0\) Gecko\/20130101 Firefox\/10\.0" "id:900298,phase:1,status:406,deny,log,msg:'Bad Useragent'"
SecRule REQUEST_URI "/admin/cms_wysiwyg/directive" "id:900299,phase:2,chain,status:406,deny,t:lowercase,log,msg:'Magento RCE :: SUPEE-5344'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_COOKIES_NAMES:adminhtml "@eq 0"
# 2015-5-8 Wordpress DOM XSS
SecRule REQUEST_URI "/genericons/example\.html" "id:900400,phase:1,status:406,deny,log,msg:'Wordpress example.html DOM XSS Block'"
# 2015-5-8 Simple Ads manager
SecRule REQUEST_URI "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php" "id:900307,phase:1,deny,t:none,chain,status:406,msg:'Simple Ads Manager Exploit'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule REQUEST_HEADERS:x-requested-with "xmlhttprequest" "t:none"
SecRule REQUEST_URI "/lib/scripts/dl-skin.php" "id:900302,phase:1,deny,t:none,chain,status:406,msg:'Unsecured Downlaod Vuln'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
SecRule REQUEST_URI "/admin/scripts/FileUploader/php.php" "id:900304,phase:1,deny,t:none,chain,status:406,msg:'Unsecured Upload Vuln'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
# 2014-08-20 : Fake IE6 User Agent. multi-digit minor version for MSIE.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/4\.0 \(compatible; MSIE 6\.0\d+; Windows NT 5\.1; SV1\)$" "id:900254,phase:2,t:none,status:406,log,deny,msg:'Bad UA :: Fake IE6 Agent'"
SecRule REQUEST_URI "/plugins/custom-contact-forms/import/[^.]+\.sql(\.php)?" "id:900255,phase:1,status:406,deny,log,msg:'Contact Forms Import Exploit'"
SecRule REQUEST_URI "/wp-config\.php(?:\W[a-z]*|bak)" "id:900256,phase:1,status:406,deny,log,msg:'Wp-Config Backup/edit file request'"
SecRule REQUEST_URI "/uploadify/upload" "id:900257,phase:1,status:406,deny,log,chain,msg:'Uploadify Block for libwww-perl'"
SecRule REQUEST_HEADERS:User-Agent "libwww-perl"
SecRule REQUEST_URI "/wp-admin/admin-ajax\.php\?action\=(revslider|kbslider)_show_image\&img\=.*?\.php" "id:900258,t:urlDecode,status:406,phase:1,log,deny,msg:'Slider LFI Exploit'"
## 2014-10-1 Random UA for WP Brute
SecRule REQUEST_URI "/wp-login\.php" "id:900262,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: Failed Random UA variable'"
SecRule Request_Headers:User-Agent "\[\% tools\.ua\.random\(\) \%\]"
SecRule REQUEST_URI "/wp-content/plugins/(revslider|showbiz)/temp/update_extract/" "id:900277,phase:1,deny,status:406,msg:'RevSlider Upload Exploit Attempt'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.1\.\d+\) Gecko\/20\d+ Firefox\/" "id:900278,phase:1,status:406,deny,log,msg:'Old FireFOX UA Used in exploits'"
SecRule REQUEST_URI "/wp-admin/images/" "id:900279,phase:1,status:406,deny,log,chain,msg:'WP-Admin Images POST Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" "id:900281,log,deny,status:406,chain,phase:1,t:none,msg:'Possible Malicous HTTP 1.0 REQ :: Spam / Brutes'"
SecRule REQUEST_HEADERS:Accept-Encoding "^identity$" chain
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_HEADERS:Referer "\$stylevar\[\$\{\$\{" "id:900282,t:none,status:406,phase:1,log,deny,msg:'vbSEO referer php injection exploit CVE-2014-9463'"
#Steelrat spam block
SecRule &REQUEST_HEADERS:Referer "@eq 0" "id:900237,phase:1,deny,status:406,log,t:none,chain,msg:'Spam-Steelrat Block'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
SecRule REQUEST_HEADERS:Content-Type "application\/x-www-form-urlencoded" chain
SecRule REQUEST_URI "/(main|faq|xmlrpc|ssl|ticket|signout|return|login|list|getinfo|statistics|seo|news|banner|themes|signup|robots|cookie|abook|stat|info|install|config|rss|popup|index|guestbook|sitemap|wishlist|sitemap|poll|account|mobile|schedule|checkout|logoff)[A-Za-z0-9]+\.php"
#SecRule REQUEST_URI "[a-z]+[A-Z0-9]+[a-z0-9A-Z]+\.php"
#OFC Upload Block
SecRule REQUEST_URI "/openflashchart/tmp-upload-images/" "id:900239,phase:1,deny,status:406,log,chain,msg:'OpenFlashChart POST Block'"
SecRule REQUEST_METHOD "^POST$" "t:none"
## Pageline Register Settings :: No Referrer
SecRule REQUEST_URI "\/wp-admin\/admin-post\.php\?action\=pagelines_register_settings" "id:900310,phase:1,chain,log,deny,status:406,msg:'PageLines Register Settings'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
## Fancybox for wordpress vuln :: UN-4859
SecRule REQUEST_URI "/wp-admin/admin-post\.php\?page\=fancybox-for-wordpress" "id:900306,status:406,phase:1,t:none,log,chain,deny,msg:'Fancybox options exploit'"
SecRule REQUEST_METHOD "^POST$" "t:none"
##2.27.2015 WP Brutes :: No Cookie
SecRule REQUEST_URI "/wp-login\.php" "id:900285,phase:1,status:406,deny,log,chain,msg:'Wordpress Brute Attempts'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule REQUEST_HEADERS:Accept-Language "^ru-RU" chain
SecRule &REQUEST_COOKIES_NAMES:wordpress_test_cookie "@eq 0"
##3.1.15 OFC Upload Scan
SecRule REQUEST_URI "/ofc_upload_image.php" "id:900286,phase:1,status:406,deny,log,chain,msg:'Wordpress OFC Unsecured upload exploit attempt'"
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
##3.5.15 WP Brute :: FF 32 Cookie issue
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 5\.1; rv:32\.0\) Gecko\/20100101 Firefox\/32\.0" "id:900287,phase:1,status:406,deny,log,chain,msg:'Wordpress Brute'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "/wp-login\.php" chain
SecRule REQUEST_COOKIES_NAMES "@pm wordpress_test_cookie path" chain
SecRule &REQUEST_COOKIES_NAMES "@eq 2"
## WP Brute :: FF 32 Cookie Issue GET Request
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 5\.1; rv:32\.0\) Gecko\/20100101 Firefox\/32\.0" "id:900288,phase:1,status:406,deny,log,chain,msg:'Wordpress Brute'"
SecRule REQUEST_URI "/wp-login.php" chain
SecRule &REQUEST_COOKIES_NAMES "@eq 0"
##.SQL File request with Google Referrer
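# Request for a *.sql file with a Google referrer. The "." is now escaped so only a literal ".sql" suffix
# matches; the previous ".sql$" also matched basenames such as "mysql".
SecRule REQUEST_BASENAME "@rx \.sql$" "id:900253,status:406,chain,phase:1,log,deny,msg:'SQL File Request'"
SecRule REQUEST_HEADERS:Referer "http:\/\/www.google.com\/"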
##3.29
SecRule REQUEST_URI "/xmlrpc\.php" "id:900235,phase:1,log,chain,msg:'XMLRPC Brute Force/DDOS Attempts'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64; rv:25\.0\) Gecko\/20100101 Firefox/25\.0" chain
SecRule &Request_headers "@eq 5"
##4.22 Fake ZH Ua
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; zh-CN; rv:1.7\.6\)" "id:900240,phase:1,deny,status:406,log,msg:'Fake UA::Spambot'"
SecRule ARGS_GET:y "/home" "id:900248,phase:1,chain,log,t:none,t:lowercase,status:406,msg:'WSO Shell Block'"
SecRule ARGS_GET:x|ARGS_GET:edit|ARGS_GET:view "(edit|view|upload|mass|configs|php|symlink|sec|domains|mysql|boom)" "t:none,t:lowercase"
##10.16 Drupal SQL Injection
SecRule REQUEST_URI "node(\&|\?)destination=node" "id:900270,phase:1,deny,log,chain,msg:'Possible Drupal SQL Injection Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent|&REQUEST_HEADERS:Referer "@eq 0"
#Hostdata POST
SecRule REQUEST_URI "/hostdata.php" "id:900259,phase:1,deny,status:406,log,chain,msg:'Hostdata POST Block'"
SecRule REQUEST_METHOD "^POST$" "t:none"
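# The msg said 'Bad UA' although the rule inspects only the request URI; the message now names what matched
# so audit-log triage is not misled.
SecRule REQUEST_URI "/plugin_googlemap2_proxy.php" "id:900269,phase:1,deny,status:406,msg:'plugin_googlemap2_proxy.php request'"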
##1.29
#SecRule REQUEST_URI "/wp-login\.php" "id:900222,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress Brute Force HTTP1.0 w/o Cookie and bad headers'"
#SecRule &REQUEST_HEADERS:Cookie "@eq 0" chain
#SecRule REQUEST_HEADERS:Referer "@endsWith wp-login.php" chain
#SecRule REQUEST_HEADERS_NAMES ".*" "chain,setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
# SecRule TX:HEADER_ORDER ", Host, Keep-Alive, Connection, User-Agent, Content-Type, Content-Length, Referer"
##2.2 Emailer
SecRule REQUEST_URI "/extension/coreupdate" "id:900223,t:none,log,deny,phase:1,status:406,msg:'Joomla Mailer'"
#11.26 PHP Execution w/ Comments + Eval|Base64_Decode
SecRule REQUEST_URI "\?<\?\/\*[^\*]+\*\/(eval|base64_decode)\/\*" "id:900077,phase:1,t:none,t:lowercase,log,deny,msg:'PHP Execution w/ Comments in URI'"
# Exemption: requests for the listed script names (license checks, background/async endpoints, feed files, ...)
# skip the Steelrat rules 900183-900185 below, which would otherwise deny their POSTs lacking Referer/User-Agent.
SecRule REQUEST_URI "(?:(?:sk|get)?_licen(?:ce|sing)|(?:backlink-|test_|wishlistcast_)?api|background_(?:processes|post)|run\d|_async|bootstrap|blogroll|ajax_process_download|remote-click-track|(?:xcommenter_background_|au_)?post(?:_register)?|gallerysprout-webservice|umo_server_get_key_id)\.php|feed\d\.xml" "id:900186,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=900183-900185"
SecRule REQUEST_URI "/(cache|css|components|images|includes|js|modules|plugins|templates|themes|wp-admin|wp-content|language|log|logs|libraries|media|wp-includes)/" "id:900183,chain,phase:1,t:none,status:406,deny,msg:'UA Spam POST http 1.1 :: Steelrat'"
SecRule &REQUEST_HEADERS "@eq 4" "chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_URI "/(cache|css|components|images|includes|js|modules|plugins|templates|themes|wp-admin|wp-content|language|log|logs|libraries|media|wp-includes)/" "id:900185,chain,phase:1,t:none,status:406,deny,msg:'UA Spam POST http 1.1 :: Steelrat '"
SecRule &REQUEST_HEADERS "@eq 5" "chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
SecRule REQUEST_HEADERS:Expect "100-continue" "t:none,chain"
SecRule REQUEST_METHOD "^POST$" "t:none"
##6.24 TimThumb WebShots RCE Vuln
# (tim)?thumb.php with webshot=1. The pattern "$" matches any value, so the last link only requires that a
# src= query argument be present, whatever it contains.
SecRule REQUEST_URI "/(tim)?thumb.php" "id:900260,status:406,phase:1,chain,deny,log,msg:'TimThumb WebShots RCE vuln'"
SecRule ARGS_GET:webshot "1" chain
SecRule ARGS_GET:src "$" "t:urlDecode"
##2.5 SPam
SecRule REQUEST_HEADERS:Via "1\.0 tinyproxy \(tinyproxy\/1\.8\.2\)" "id:900224,chain,phase:1,status:406,deny,log,msg:'VIA form POST :: Spam inspired'"
SecRule REQUEST_HEADERS:Content-Type "application\/x-www-form-urlencoded" chain
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_HEADERS:Via "1.1 \d+.\d+.\d+.\d+ \(Mikrotik HttpProxy\)" "id:900225,chain,phase:1,status:406,deny,log,msg:'VIA form POST :: Spam inspired'"
SecRule REQUEST_HEADERS:Content-Type "application\/x-www-form-urlencoded" chain
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_URI "/(wp-login\.php|administrator/|wp-comments-post\.php)" "id:900228,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: Firefox 8'"
SecRule Request_Headers:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.9\.0\.2\) Gecko\/2008091620 Firefox\/3\.0\.2"
SecRule REQUEST_URI "/(wp-login\.php|administrator/|wp-comments-post\.php)" "id:900219,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: Firefox 8'"
SecRule Request_Headers:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64; rv:8\.0\.1\) Gecko\/20100101 Firefox\/8\.0\.1"
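SecRule REQUEST_URI "/(wp-login\.php|administrator/|wp-comments-post\.php)" "id:900220,chain,status:406,phase:1,t:none,log,deny,msg:'Request Cookie Ordering Alert: Potential Brute Tool'"
SecRule Request_Headers:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/31\.0\.1623\.0 Safari\/537\.36" chain
# Build the header-order fingerprint by appending each header name to tx.header_order (same technique as
# rule 900226). This link previously seeded the value from %{tx.cookie_order}, which nothing in this file sets,
# so every match reset the list to a single name and the final link could never match.
SecRule REQUEST_HEADERS_NAMES ".*" "chain,setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
SecRule TX:HEADER_ORDER ", User-Agent, Connection, Accept-Encoding, Content-Length, Host, Content-Type, Referer"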
SecRule REQUEST_URI "/(wp-login\.php|administrator/|wp-comments-post\.php)" "id:900226,t:none,chain,log,deny,phase:1,status:406,msg:'Request Cookie Ordering Alert: Potential Brute Tool'"
SecRule &REQUEST_HEADERS:Cookie "@eq 0" chain
SecRule REQUEST_HEADERS:Referer "@endsWith wp-login.php" chain
SecRule REQUEST_HEADERS_NAMES ".*" "chain,setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
SecRule TX:HEADER_ORDER ", X-Real-IP, X-Forwarded-For, Host, X-Http-Proto, Connection, User-Agent, Content-Type, Content-Length, Referer"
SecRule REQUEST_URI "/wp-login\.php" "id:900230,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress brute form-data block'"
SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data;"
# Firefox/10.0 (Gecko/20130101) UA requesting com_extplorer. Rule 900298 earlier in this file denies this
# exact User-Agent in phase 1 on every URI, so it fires first and this more specific chain is effectively
# unreachable while 900298 is active.
SecRule Request_Headers:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; rv:12\.0\) Gecko\/20130101 Firefox\/10\.0" "id:900231,status:406,phase:1,chain,deny,log,msg:'ComExplorer Explot Attempt'"
SecRule REQUEST_URI "/administrator/components/com_extplorer/" "t:normalisePath"
SecRule Request_uri "/administrator/" "id:900232,status:406,deny,log,chain,phase:1,t:normalisePath,msg:'Joomle Brute :: 4 header / wget'"
SecRule &Request_headers "@eq 4" chain
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule Request_uri "/administrator/" "id:900233,status:406,deny,log,chain,phase:1,t:normalisePath,msg:'Joomle Brute :: 1 header'"
SecRule &Request_headers "@eq 1" chain
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
##11.4 WP No Accept w/ close
SecRule REQUEST_URI "/wp-login\.php" "id:900202,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: 1.1 No Close w/o Accept'"
SecRule REQUEST_PROTOCOL "^HTTP/1\.1" chain
SecRule &REQUEST_HEADERS:Accept "@eq 0" chain
SecRule REQUEST_HEADERS:connection "close" "t:lowercase"
#SecRule REQUEST_URI "/wp-login\.php" "id:900203,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: 1.1 No Close w/o Accept-Encoding'"
#SecRule REQUEST_PROTOCOL "^HTTP/1\.1" chain
#SecRule &REQUEST_HEADERS:Accept-Encoding "@eq 0" chain
#SecRule REQUEST_HEADERS:connection "close" "t:lowercase"
SecRule REQUEST_URI "/(wp-login\.php|administrator/|wp-comments-post\.php)" "id:900204,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: MSIE 6.0 w/ Accept-Encoding Identify'"
SecRule Request_Headers:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)" chain
SecRule REQUEST_HEADERS:Accept-Encoding "identity"
#SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900205,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request UA used in DDOS'"
# Replaces the commented-out xmlrpc.php chain above: denies any User-Agent beginning "Mozilla/4.0 (compatible:"
# (colon where a browser writes a semicolon) on every URI, not only xmlrpc.php. The duplicated "log" action is harmless.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/4\.0 \(compatible:" "id:900205,log,deny,status:406,phase:1,t:none,log,msg:'XMLRPC Request UA used in DDOS'"
SecRule REQUEST_URI "/(wp-login\.php|wp-admin/|administrator/|wp-comments-post\.php)" "id:900206,chain,phase:1,t:none,status:406,deny,msg:'Wordpress Brute Force :: 1.0 Fake Opera'"
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
SecRule REQUEST_HEADERS:User-Agent "Opera\/9\.80 \(Windows NT 6\.1; U; ru\) Presto\/2\.8\.131 Version\/11\.10"
##12.1 sys09725838 type mailer
SecRule REQUEST_URI "/sys\d+(-\d+)?\.php" "id:900207,phase:1,deny,status:406,chain,log,msg:'Sys[0-9]+ Mailer'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
##12.1 Spam Script/shells POST to Wordpress Uploads dir
SecRule REQUEST_URI "^/wp-content/uploads/20\d+/\d+/" "id:900208,deny,status:406,log,chain,msg:'POST to wp-content/uploads/YYYY/MM/ block'"
SecRule REQUEST_METHOD "^POST$" "t:none"
##12.1 Spam Scripts/shells Block POST /wp-content/themes/[^/]+/uploads/
SecRule REQUEST_URI "^/wp-content/themes/[^/]+/uploads/" "id:900209,deny,status:406,chain,log,msg:'POST to Wordpress THEME uploads dir'"
SecRule REQUEST_METHOD "^POST$" "t:none"
##12.1 Fake UA :: Unsecured Upload form exploits
SecRule REQUEST_HEADERS:User-Agent "^IE:Mozilla\/5\.0 \(compatible" "id:900210,deny,status:406,log,msg:'Fake UA :: Exploit Attempts'"
SecRule REQUEST_URI "/wp-content/uploads/optpress/[^\.]+\.php" "id:900211,deny,status:406,log,msg:'Optpress Upload PHP File Access Attempt'"
SecRule REQUEST_URI "/wp-content/uploads/optpress/[^\.]+\.phtml" "id:900241,deny,status:406,log,msg:'Optpress Upload PHP File Access Attempt'"
SecRule REQUEST_URI "/lib/admin/media-upload\.php" "id:900212,deny,status:406,chain,log,msg:'OptPress Unsecured Uploader Block'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
SecRule REQUEST_HEADERS:User-Agent "@beginsWith User-Agent: " "id:900242,status:406,phase:1,log,deny,msg:'Fake UA :: User-Agent at start of UA'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Macintosh; U; Intel Mac OS X 10\.6; fr; rv:1\.9\.2\.8\) Gecko\/20100722 Firefox\/3\.6\.8" "id:900243,status:406,phase:1,log,deny,chain,msg:'Wordpress Brute Force'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(X11; Ubuntu; Linux x86_64; rv:23\.0\) Gecko\/20100101 Firefox\/23\.0" "id:900244,status:406,phase:1,log,deny,chain,msg:'FF23 NoCookie'"
SecRule &REQUEST_COOKIES "@eq 0"
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1; 125LA; \.NET CLR 2\.0\.50727; \.NET CLR 3\.0\.04506\.648; \.NET CLR 3\.5\.21022" "id:900245,status:406,phase:1,log,deny,chain,msg:'MSIE 9.0 No Cookie'"
SecRule &REQUEST_COOKIES "@eq 0"
SecRule REQUEST_URI "/wp-content/uploads/optpress/images_optbuttons/" "id:900246,phase:1,status:406,log,deny,chain,msg:'OptPress Image Upload POST'"
SecRule REQUEST_METHOD "^POST$" "t:none"
#UN-13015
#SecRule REQUEST_URI "/wp-content/plugins/[^/]+/readme\.txt" "id:900247,phase:1,chain,log,deny,msg:'Wordpress Plugin README.txt file access attempt'"
#SecRule REMOTE_ADDR "!@pmFromFile sitelock.txt"
SecRule REQUEST_URI "/wp-content/uploads/wp-backup-plus/" "id:900249,phase:1,status:406,log,deny,msg:'Wordpress Backup Plus Unsecured Backdir Access Attept'"
SecRule REQUEST_URI "/wp-admin/admin\.php\?page\=wysija_campaigns\&action\=themes\&reload\=1\&redirect\=1" "id:900250,phase:1,status:406,log,deny,chain,msg:'Wordpress MailPoet Upload attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_URI "/wp-content/uploads/wysija/themes/" "id:900251,phase:1,status:406,log,deny,chain,msg:'Wordpress MailPoet Upload File Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_URI "/wp-admin/admin\.php\?page\=wysija_campaigns\&action\=themes" "id:900252,phase:1,status:406,log,deny,chain,msg:'Wordpress MailPoet Newsletter Exploit Attempt'"
SecRule &REQUEST_COOKIES "@eq 0"
SecRule REQUEST_URI "/themify-ajax\.php\?upload\=1" "id:900213,deny,status:406,chain,log,msg:'Themify Unsecured Uploader Block'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
SecRule REQUEST_URI "/upload-handler\.php" "id:900214,deny,status:406,chain,log,msg:'Unsecured Wordpress Theme Uploader Block'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none"
SecRule REQUEST_URI "/upload-handler\.php" "id:900215,deny,status:406,chain,log,msg:'Unsecured Wordpress Theme Uploader Block'"
SecRule REQUEST_HEADERS:Referer "http:\/\/www\.google\.com" "t:none"
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php|wp-comments-post\.php)" "id:900216,phase:1,t:none,status:406,deny,chain,log,msg:'Wordpress Brute Force'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Macintosh; Intel Mac OS X 10\.8; rv:24\.0\) Gecko\/20100101 Firefox\/24\.0" chain
SecRule REQUEST_HEADERS:Cookie2 "\$Version=\"1\""
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php|wp-comments-post\.php)" "id:900217,phase:1,t:none,status:406,deny,chain,log,msg:'Wordpress Brute Force'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" chain
SecRule REQUEST_HEADERS:Cookie2 "\$Version=\"1\""
Secrule REQUEST_URI "/guestbook\.cgi" "id:900218,phase:1,t:none,deny,log,msg:'Guestbook CGI Block for PCI scans'"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&method\=form" "id:900187,status:406,phase:1,t:none,log,chain,deny,msg:'JCE Exploit Attempt'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&version\=\d+\&cid\=\d+" "id:900188,status:406,phase:1,t:none,log,chain,deny,msg:'JCE Exploit Attempt CHECK'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
##Date 8.29
SecRule REQUEST_FILENAME "/collector\.php" "id:900189,status:406,phase:1,t:none,log,chain,deny,msg:'PHP Mailer :: Collector'"
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900161,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request with no UA/Ref'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
##9.27 XMLRPC Wordpress Amp Attack
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900195,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request UA used in BF'"
SecRule REQUEST_HEADERS:User-Agent "Internal Wordpress RPC connection"
#Ahrefsbot 7/31
# Crawler UA block (406). 'log' is repeated in 900165 and 900166; harmless.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; AhrefsBot\/\d\.\d; \+http:\/\/ahrefs\.com\/robot\/\)" "id:900165,log,deny,status:406,phase:1,t:none,log,msg:'AhrefsBot BOT Request'"
#Bad Chrome
# Chrome 28.0.1500.71/72 UA on Windows NT 5.x POSTing without an Origin header.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 5\.\d\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/28\.0\.1500\.7[12] Safari\/537\.36" "id:900166,chain,log,deny,status:406,phase:1,t:none,log,msg:'Fake CHROME Browser request :: Botnet / Brute Force'"
SecRule &REQUEST_HEADERS:Origin "@eq 0" "t:none,chain"
SecRule REQUEST_METHOD "^POST$" "t:none"
# Disabled extra link (Accept-Encoding check).
#SecRule REQUEST_HEADERS:Accept-Encoding "!gzip,deflate,sdch\." "t:none"
##MJ12 Block
# Note "v\d+.\d+" leaves the first dot unescaped, so any character is accepted there.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MJ12bot\/v\d+.\d+\.\d+; http:\/\/www\.majestic12\.co\.uk\/bot\.php\?\+\)" "id:900167,phase:1,deny,t:none,status:406,log,msg:'MJ12Bot Crawler'"
##8.8 FakeGooglebot Brute
# Googlebot UA is blocked only when POSTing to the login endpoints.
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)" "id:900168,phase:1,chain,status:406,deny,log,msg:'Brute Force Attempt :: POST wp-login Googlebot'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; Googlebot\/2\.1; \+http:\/\/www\.google\.com\/bot\.html\)" "t:none"
##8.9 OpenX Backdoor
# Exact backdoor URL (OpenX 2.8.11 per msg). No t: actions, so the default transformations apply.
SecRule REQUEST_URI "\/fc\.php\?script\=deliveryLog:vastServeVideoPlayer:player\&file_to_serve\=flowplayer\/3\.1\.1\/flowplayer-3\.1\.1\.min\.js" "id:900169,phase:1,status:406,deny,log,msg:'Backdoor Attempt Openx Source 2.8.11'"
##8.12 WP-Brute
# Two UAs (an end-anchored Firefox 3.0.15 on Ubuntu 9.04 string, and "Parsley") on login/admin paths.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(X11; U; Linux i686; pt-BR; rv:1\.9\.0\.15\) Gecko\/2009102815 Ubuntu\/9\.04 \(jaunty\) Firefox\/3\.0\.15$" "id:900170,chain,phase:1,deny,t:none,status:406,log,msg:'WP-Brute-Force :: UA'"
SecRule REQUEST_URI "/(wp-login\.php|administrator|wp-admin/)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Parsley NT 1\.0; rv:1\.0\) Parsley\/1\.0\.0\.\d" "id:900171,chain,phase:1,deny,t:none,status:406,log,msg:'WP-Brute-Force :: UA'"
SecRule REQUEST_URI "/(wp-login\.php|administrator|wp-admin/)"
##Date 8.13 PHP WebShell Upload
# Query-string shapes of a PHP web shell's upload and edit actions; URL-decoded before matching.
SecRule REQUEST_URI "php\?y\=\/home[^\&]+\&x\=upload" "id:900174,phase:1,t:none,t:urlDecode,status:406,deny,msg:'PHP WebShell Upload Attempt'"
SecRule REQUEST_URI "php\?x\=f\&f\=[^\&]+\&ft\=" "id:900175,phase:1,t:none,t:urlDecode,status:406,deny,msg:'PHP WebShell Edit Attempt'"
##8.12 Fake Googlebot XMLRPC
# XML-RPC POST whose UA ends in "GoogleBot/1.0" (a different string from the Googlebot UA in 900168).
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900172,log,deny,status:406,phase:1,t:none,chain,log,msg:'XMLRPC Request fake Googlebot'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule REQUEST_HEADERS:User-Agent "GoogleBot\/1\.0$"
##8.20 Spam UA HTTP 1.0 w/ connection close + base64 encoding
# HTTP/1.0 POST with Content-Transfer-Encoding: base64 and Connection: close (lowercased before compare).
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" "id:900178,chain,phase:1,t:none,status:406,deny,msg:'UA Spam POST http 1.0 w/ close '"
SecRule REQUEST_HEADERS:Content-Transfer-Encoding "base64" chain
SecRule REQUEST_HEADERS:connection "close" "t:lowercase,chain"
SecRule REQUEST_METHOD "^POST$" "t:none"
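##8.20 SQL
# ARGS-based checks run in phase 2: in phase 1 the request body has not been read yet, so ARGS
# only holds query-string parameters and the same payload sent in a POST body would be missed.
secrule args "\)\)[<=>]\d+ and [\'\"]x[\'\"]=[\'\"]x" "id:900182,phase:2,t:none,t:urlDecodeUni,t:lowercase,status:406,deny,msg:'SQL Information Disclosure Attempt'"
# REQUEST_URI is available in phase 1, so this one stays there.
SecRule REQUEST_URI "from[ \`\'\"]+information_schema" "id:900179,phase:1,t:none,t:lowercase,t:urlDecodeUni,status:406,deny,msg:'SQL Injection Attempt'"
secrule args "(?:con(?:vert|cat)|select) ?\(\b(case|char|int)\b" "id:900181,phase:2,t:none,t:lowercase,t:urlDecodeUni,status:406,deny,msg:'SQL Information Disclosure Attempt'"
# Known mailer drop paths (specific directories; 900189 covers any collector.php POST).
SecRule REQUEST_URI "(?:/mod_topic/|/akicmet/|/rus-to-lat/)collector\.php" "id:900180,phase:1,t:none,status:406,deny,msg:'Malicous PHP Mailer'"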
# XML-RPC POST with no Referer and a bare "PHP/5.2.10" User-Agent.
SecRule REQUEST_FILENAME "/xmlrpc\.php" "id:900162,log,phase:1,status:406,t:none,chain,deny,log,msg:'XMLRPC Request with no UA/Ref'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule REQUEST_HEADERS:User-Agent "PHP\/5\.2\.10" "t:none"
# One known brute-force UA string (the "[xUSAx]" suffix), blocked site-wide.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; rv:21\.0\) Gecko\/20100101 Firefox\/21\.0 \[xUSAx\]" "id:900163,log,phase:1,status:406,t:none,deny,log,msg:'Known BAD Ua :: Brute Force'"
# Disabled: WHMCS PayPal callback source-IP allow-list.
#SecRule REQUEST_URI "/modules/gateways/callback/paypal\.php" "id:900158,chain,deny,status:403,log,msg:'PayPAL WHMCS Access Attemp for IP other than Paypal notify.paypal.com'"
#SecRule REMOTE_ADDR "!(173\.0\.81\.1|173\.0\.81\.33|66\.211\.170\.66)"
##7.23 Brobot UA Blocks
# End-anchored Firefox 3.0.3 UA on login/admin paths (same UA as 900113/900117, different URI lists).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 6\.0; en-US; rv:1\.9\.0\.3\) Gecko\/2008092417 Firefox\/3\.0\.3$" "id:900164,log,phase:1,status:406,t:none,chain,deny,log,msg:'BroBOT UA Block :: Wordpress/Joomla Exploitation Attempt'"
SecRule REQUEST_URI "/(wp-login\.php|administrator|wp-admin/)"
# Any filename containing /.qidb/; no phase given, so this runs in the default phase.
SecRule REQUEST_FILENAME "/\.qidb/" "id:900150,status:406,deny,msg:'QIDB Request'"
##7.3 Badbot Block
# 900159: the regex form (disabled) was replaced by a parallel-match on the bot name.
#SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; SemrushBot\/\d\.\d+\.\d+; \+http:\/\/www\.semrush\.com\/bot\.html\)" "id:900159,deny,status:406,log,msg:'SemrushBOT Block :: Bad Behavior'"
SecRule REQUEST_HEADERS:User-Agent "@pm SemrushBot" "id:900159,deny,status:406,log,msg:'SemrushBOT Block :: Bad Behavior'"
##10.7 Blexbot
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; BLEXBot\/\d\.\d+; \+http:\/\/webmeup-crawler\.com\/\)" "id:900197,deny,status:406,log,msg:'Blexbot Block :: Bad Behavior'"
##6.10 Wordpress EDITOR Access w/ HTTP Version1.0
# Disabled: editor access and phpBB posting over HTTP/1.0.
#SecRule REQUEST_URI "/wp-admin/[^-]+-editor\.php" "id:900151,chain,deny,status:406,t:none,msg:'HTTP 1.0 Wordpress EDITOR Access'"
#SecRule REQUEST_PROTOCOL "^HTTP/1\.0"
##6.11 PHPBB Forum Block for Bots w/ HTTP Version1.0
#SecRule REQUEST_URI "/(posting|ucp|viewtopic|guestbook)\.php" "id:900152,chain,deny,status:406,t:none,msg:'HTTP 1.0 PHPBB Access'"
#SecRule REQUEST_PROTOCOL "^HTTP/1\.0"
##6.13
# NextGEN Gallery upload parameter name outside /wp-admin/ (CVE-2013-3684 per msg). No phase is
# given, so it runs in the default phase 2 where ARGS_NAMES includes body parameters.
secrule ARGS_NAMES "nggupload" "id:900153,status:406,chain,deny,msg:'NGG GALERY 1.9.12 or lower exploit attempt - CVE-2013-3684'"
secrule REQUEST_FILENAME "!/wp-admin/"
##6.13
# Login/admin paths with a UA that embeds a second "Mozilla/4.0 (compatible; ..." string.
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900154,deny,status:406,chain,phase:1,log,msg:'WP Brute UA block'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.0; Trident\/4\.0; Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1\); \.NET CLR 3\.5\.30729\)"
# MSIE 10 UA with no Accept header at all on login/admin/comment paths.
SecRule REQUEST_URI "/wp-(admin|login\.php|wp-comments-post\.php)" "id:900155,deny,status:406,phase:1,chain,log,msg:'WP Brute UA block'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; Trident\/6\.0\)" chain
SecRule &REQUEST_HEADERS:Accept "@eq 0"
##6.17
# UA value that itself begins with "User-Agent:", i.e. a client that wrote the header name into the value.
SecRule REQUEST_HEADERS:User-Agent "User-Agent: Mozilla\/\d\.0 \(compatible;" "id:900156,deny,status:406,log,msg:'Script Error for User-Agent Setting :: Spam/Malware Abuse'"
##7.16 Com_JCE GTB 7.1
# End-anchored Firefox 3.6.3 ru GTB7.1 UA on login/comment/JCE paths (unanchored variant: 9000044).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.9\.2\.3\) Gecko\/20100401 Firefox\/3\.6\.3 GTB7\.1$" "id:900160,phase:1,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing and Spam'"
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php|wp-comments-post\.php|submit\.php|index\.php\?option\=com_jce)"
# Drupal fckeditor Exploit
#SecRule REQUEST_URI "/index\.php\?q\=fckeditor\/xss" "id:900138,phase:1,t:none,deny,status:406,msg:'FCKEditor Exploit Attempt'"
# Joomla Brute
# /administrator/ over HTTP/1.0 with a Host header and a Firefox 18/19 UA (same fingerprint as
# 900135 and 900176). The msg still says "Wordpress"; it looks copied from 900135.
SecRule REQUEST_FILENAME "\/administrator\/" "id:900139,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress Brute Force HTTP1.0 w/ HOST'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; (WOW64; )?rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" chain
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
SecRule &REQUEST_HEADERS:Host "@eq 1"
#
## Cloudflare PASSTHRU Brutes
# Same Firefox 18/19 UA when the request came through Cloudflare (CF-Connecting-IP header present).
# No URI restriction here, so it applies site-wide.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1;(WOW64;)? rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" "id:900176,phase:1,t:none,chain,status:406,deny,msg:'Cloudflare WP-Brute block'"
SecRule &REQUEST_HEADERS:CF-Connecting-IP "@eq 1"
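# POST to the stock hello.php plugin file. The action list had an empty entry (",,") after
# phase:1, which the action parser does not expect; it has been removed.
SecRule REQUEST_URI "\/wp-content\/plugins\/hello\.php" "id:900140,t:none,phase:1,chain,log,deny,status:406,msg:'Wordpress hello.php POST attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"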
#
# UA containing the "MRSPUTNIK" token on WordPress/Joomla login paths.
SecRule REQUEST_HEADERS:User-Agent "; MRSPUTNIK 2, 4," "id:900141,phase:1,t:none,chain,log,deny,status:406,msg:'Wordpress / Joomla Brute Attempt :: UA contains MRSPUTNIK'"
SecRule REQUEST_URI "/(wp-login\.php|administrator/?)"
#
# Any mod_system.php under wp-content (shell drop, per msg); no phase given.
SecRule REQUEST_URI "/wp-content/.*/mod_system\.php" "id:900144,t:none,log,deny,status:406,msg:'Wordpress WRO Shell Attempt'"
##Date 5.23 Mozilla 18 w/ Close
# wp-admin/wp-login with an unanchored Firefox 18 UA and Connection: close.
SecRule REQUEST_URI "/wp-(admin|login\.php)" "id:900148,log,deny,phase:1,status:406,chain,msg:'Mozilla Header w/ Connection Close'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64; rv:18\.0\) Gecko\/20100101 Firefox\/18" chain
SecRule REQUEST_HEADERS:connection "close" "t:lowercase"
# Disabled: exploited HTML files, and the X-Forwarded-For brute variant (live equivalent: 900176).
#SecRule REQUEST_URI "\/(?:themes|plugins|wp-admin|includes|admin|images)\/.*/a\w{2,4}\.html$" "id:900142,t:none,log,deny,status:406,msg:'Exploited HTML File '"
#SecRule REQUEST_FILENAME "\/wp-login\.php$" "id:900146,t:none,chain,log,deny,status:406,msg:'Wordpress Brute Force Cloudflare Proxyed'"
#SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; (WOW64; )?rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" chain
#SecRule REQUEST_HEADERS_NAMES "^X-Forwarded-For"
############
# Three fixed desktop UAs (Chrome 24 on Mac, Firefox 16.0.1 on Win8, Chrome 24 on Win8) hitting
# login paths with no Referer header; same shape as 900122-900127 further down.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Macintosh; Intel Mac OS X 10_8_2\) AppleWebKit\/537\.17 \(KHTML, like Gecko\) Chrome\/24\.0\.1309\.0 Safari\/537\.17" "id:900131,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; Win64; x64; rv:16\.0\.1\) Gecko\/20121011 Firefox\/16\.0\.1" "id:900132,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64\) AppleWebKit\/537\.14 \(KHTML, like Gecko\) Chrome\/24\.0\.1292\.0 Safari\/537\.14" "id:900134,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
##########################
##4.23
# wp-login.php over HTTP/1.0 with a Host header and a Firefox 18/19 UA (same fingerprint as 900139/900176).
SecRule REQUEST_FILENAME "\/wp-login\.php$" "id:900135,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress Brute Force HTTP1.0 w/ HOST'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; (WOW64; )?rv:1[89]\.0\) Gecko\/20100101 Firefox\/1[89]\.0" chain
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
SecRule &REQUEST_HEADERS:Host "@eq 1"
##4.23 Civicrm milworm:20676
# One fixed Firefox 15 UA reaching the CiviCRM OpenFlashChart upload path; no phase given (default).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64; rv:15\.0\) Gecko\/20100101 Firefox\/15\.0\.1" "id:900136,t:none,chain,log,deny,status:406,msg:'Com_Civicrm Unsecured Upload attempt'"
SecRule REQUEST_URI "administrator\/components\/com_civicrm\/civicrm\/packages\/OpenFlashChart"
##Date 8.16 Wordpress BRUTE HTTP 1.0 w/o Accept header
# HTTP/1.0 request to login/admin paths with no Accept header at all, regardless of UA.
SecRule REQUEST_URI "/(wp-login\.php|administrator|wp-admin/)" "id:900177,chain,phase:1,t:none,status:406,deny,msg:'Brute Force Attempt HTTP 1.0 w/o Accept Header'"
SecRule REQUEST_PROTOCOL "^HTTP/1\.0" chain
SecRule &REQUEST_HEADERS:Accept "@eq 0"
##10.7 WP FF25 1.0
# wp-login.php over HTTP/1.0 with a Host header and a Firefox 25 UA. The protocol pattern here is
# unanchored and the UA regex leaves several dots unescaped; both still match the intended strings.
SecRule REQUEST_FILENAME "/wp-login\.php" "id:900199,t:none,chain,log,deny,phase:1,status:406,msg:'Wordpress Brute Force HTTP1.0 w/ HOST'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5.0 \(Windows NT 6.1; Win64; x64; rv:25.0\) Gecko\/20100101 Firefox\/25\.0" chain
SecRule REQUEST_PROTOCOL "HTTP/1\.0" chain
SecRule &REQUEST_HEADERS:Host "@eq 1"
##Date 9.25
# Login/comment endpoints with an MSIE 8 UA plus a Cookie2 header (same shape as 900216/900217).
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php|wp-comments-post\.php)" "id:900192,phase:1,t:none,status:406,deny,chain,log,msg:'Wordpress Brute Force'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.0; Trident\/4\.0\)" chain
SecRule REQUEST_HEADERS:Cookie2 "\$Version=\"1\""
##10.7 Cookie Order Brute
# Builds tx.cookie_order by appending each cookie name in the order received, then matches one
# specific name sequence (", CHECK, humans, beget"). The second link's ".*" matches every cookie
# name, so the chain only completes when at least one cookie is present.
SecRule REQUEST_URI "/administrator/" "id:900200,chain,status:406,phase:1,t:none,log,deny,msg:'Request Cookie Ordering Alert: Potential Brute Tool'"
SecRule REQUEST_COOKIES_NAMES ".*" "chain,setvar:'tx.cookie_order=%{tx.cookie_order}, %{matched_var}'"
SecRule TX:COOKIE_ORDER ", CHECK, humans, beget"
##4.19 XMLRPC
# Disabled: superseded by 900161/900162 above. Its id (900134) is now used by a live rule.
#SecRule REQUEST_FILENAME "\/xmlrpc\.php$" "id:900134,t:none,chain,log,status:406,deny,msg:'Wordpress XMLRPC Request with no ua/refferer'"
#SecRule REQUEST_METHOD "^POST$" "t:none,chain"
#SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
#SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
##11.27 Automated Wordpress Exploit Attempt
# Indy Library UA: any POST (900078, phase 1) or any /wp-admin/ request (900079, no phase given).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900078,t:none,chain,phase:1,log,status:406,deny,msg:'Automated Exploit Attempt INDY'"
SecRule REQUEST_METHOD "^POST$" "t:none"
#SecRule REQUEST_URI "/wp-login\.php"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900079,t:none,chain,log,status:406,deny,msg:'Automated Wordpress Exploit Attempt INDY'"
SecRule REQUEST_URI "/wp-admin/"
##11.30 Automated WP-Login Bad UA
# Unanchored Firefox 3.0.15/Ubuntu UA POSTing with no Referer. 'drop' closes the connection,
# so the status:406 has no effect. The end-anchored, URI-restricted variant is 900170.
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(X11; U; Linux i686; pt-BR; rv:1\.9\.0\.15\) Gecko\/2009102815 Ubuntu\/9\.04 \(jaunty\) Firefox\/3\.0\.15" "id:900085,phase:2,t:none,status:406,log,drop,chain,msg:'Bad UA :: Brute Force Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
#SecRule REQUEST_HEADERS:Referer "^$"
##3.20 Bad UA for Joomla Brute/WP Brute and dvmessages install
# End-anchored Firefox 3.0.3 UA on Joomla admin / wp-login.
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php)" "id:900113,phase:1,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 6\.0; en-US; rv:1\.9\.0\.3\) Gecko\/2008092417 Firefox\/3\.0\.3$"
##3.22 Joomla/WP Brute and SPAM UA block
# Firefox 3.5.3 GTB5 UA, checked in both the User-Agent and the Referer header.
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php|wp-comments-post\.php|submit\.php|index\.php\?option\=com_jce)" "id:900115,phase:1,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing and Spam'"
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.9\.1\.3\) Gecko\/20090824 Firefox\/3\.5\.3 GTB5$"
##3.26 BroBOT Brute UA
# Unanchored variant of the 900113 UA with a wider URI list.
SecRule REQUEST_URI "(\/administrator\/|wp-login\.php|wp-comments-post\.php|submit\.php)" "id:900117,phase:1,t:none,status:406,chain,log,deny,msg:'Bad UA :: Known for Brute Forcing and Spam'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 6\.0; en-US; rv:1\.9\.0\.3\) Gecko\/2008092417 Firefox\/3\.0\.3"
##4.2
# Havij SQL injection tool UA (literal suffix match).
SecRule REQUEST_Headers:User-Agent "@endsWith Havij" "id:900119,deny,t:none,phase:1,status:406,msg:'Havik SQL Injection rool'"
##4.4
# Paths of known-malicious Joomla modules. 900143 runs in phase 1; 900198 gives no phase (default).
SecRule REQUEST_URI "/modules/mod_gogle/" "id:900143,phase:1,deny,status:406,msg:'Malicous Joomla Component :: Hacked :: Spam'"
Secrule REQUEST_URI "/modules/mod_dbrestore/" "id:900198,deny,status:406,log,msg:'Malicous Joomla Component :: Hacked :: Spam'"
# Disabled: two browser UA strings concatenated into one header value.
#SecRule REQUEST_HEADERS "Mozilla\/\d\.\d \(compatible; MSIE \d\.\d; Windows NT \d\.\d; [^\(]+Mozilla\/\d\.\d \(compatible;" "id:900116,phase:2,t:none,status:406,log,deny,msg:'Bad UA :: Two valid UAs combined'"
##Date 11.30 Joomla
##jform[groups][]=7
##index.php?option=com_users&view=registration
# Joomla registration request that tries to assign its own group (jform[groups][]=7); all four
# links must match. The transformations listed on the first link apply to that link's REQUEST_URI
# match; no phase is given, so the chain runs in the default phase 2 where body ARGS are visible.
SecRule REQUEST_URI "index\.php" "chain,id:392664,log,deny,rev:1,severity:1,msg:'Joomla Privilige Escalation Vulnerability',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:option "com_users" chain
SecRule ARGS:view "registration" chain
SecRule ARGS:/^jform\[groups\]\[\]$/ "^7$"
#12.3 PHP Mailer attempt "POST /.6e49.php HTTP/1.1" 200 - "-" "-"
# Request to a hidden four-character PHP file (/.xxxx.php) with neither Referer nor User-Agent;
# no status is given, so the deny uses the default. Only lowercase names match (no t:lowercase).
SecRule &REQUEST_HEADERS:Referer "@eq 0" "id:900080,chain,deny,phase:1,log,t:none,msg:'PHP Mailer Access Attempt'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "chain"
SecRule REQUEST_URI "/\.[a-z0-9]{4}\.php"
#12.3 WHMCS GoogleCheckout SQL Injection attempt
# Google Checkout callback reached by any UA other than the notification agent (negated match).
SecRule REQUEST_URI "/modules/gateways/callback/googlecheckout\.php" "id:900081,log,chain,deny,phase:1,msg:'WHMCS Google Checkout SQL Injection Attempt'"
SecRule REQUEST_HEADERS:User-Agent "!(Google Checkout Notification Agent \d\.\d)"
##Date 12.4.12 Automated Exploitation Attempt
# Synapse UA POSTing to templates/administrator/wp-login (phase 2); Indy UA on Joomla
# template/administrator paths (no phase given).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; Synapse\)" "id:900082,log,deny,chain,status:406,phase:2,msg:'Automated Exploitation Tool'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule REQUEST_URI "/(templates|administrator|wp-login\.php)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/3\.0 \(compatible; Indy Library\)" "id:900083,t:none,chain,log,status:406,deny,msg:'Automated Joomla Exploit Attempt INDY'"
SecRule REQUEST_URI "/(templates|administrator)/"
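##Date 12.7 PHP DDOS
# PHP DDoS tool control URL (act=phptools&host=). The duplicated 'deny' action was removed;
# no status is given, so the deny uses the default.
SecRule REQUEST_URI "\.php(?:\?|\&)act\=phptools(?:\?|\&)host\=" "id:900112,log,deny,phase:1,msg:'PHP Tools DDOS Attempt'"
#12.5 Wordpress BING UA
# Login/admin request claiming to be bingbot. 'chain' was listed twice; once is enough.
SecRule REQUEST_URI "/wp-(login\.php|admin/)" "id:900084,phase:1,t:none,t:lowercase,chain,status:406,log,deny,msg:'Wordpress BRUTE w/ Bing UA'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; bingbot\/2\.0; \+http:\/\/www\.bing\.com\/bingbot\.htm\)" "t:none"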
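##Date 12.11
# Both rules inspect ARGS. In phase 1 ARGS only covers the query string, so a password or
# backdoor parameter sent in a POST body would never be seen; both now run in phase 2
# (900145 already did).
SecRule ARGS:pass "FgYuD@37" "id:900086,phase:2,drop,log,msg:'Brobot w/ known password'"
SecRule ARGS:cms "jjoplmh" "id:900145,phase:2,drop,log,msg:'Backdoor Hacked Wordpress Plugin'"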
##Date 12.12
#/components/com_ag_google_analytics2/
# POST to the com_ag_google_analytics2 component path (used for shell access, per msg).
SecRule REQUEST_URI "/components/com_ag_google_analytics2/" "id:900087,phase:2,chain,deny,log,msg:'Exploited Joomla Shell Access Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"
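##Date 12.12 Akismet WSO Shell
# POST into the Akismet plugin directory. 'chain' was listed twice; once is enough.
SecRule REQUEST_URI "/wp-content/plugins/akismet/" "id:900088,phase:2,chain,deny,status:406,log,msg:'Wordpress COMP Akismet Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"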
# "Mozilla/4.0 (compatible; ICS)" UA blocked site-wide.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; ICS\)" "id:900121,phase:1,t:none,deny,status:406,msg:'Fake UA :: Used in mailers/brute'"
##Date 4.2
# Fake plugin path used by mailers.
SecRule REQUEST_URI "/wp-content/plugins/mod_gogle/" "id:900120,phase:2,t:none,deny,status:406,msg:'Fake Plugins MAILER attempt'"
#date 12.12 Fake UA USed in Exploits EX: 1xx.1xx.2xx.1xx - - [xx/Dec/2012:13:10:14 -0600] "POST /components/com_ag_google_analytics2/pollQ7P2.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
# Disabled: bare "Mozilla/3|4|5" UA block (a narrower live version with exclusions is 900095).
##SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/[345]$" "id:900089,phase:1,deny,status:406,log,msg:'Fake Mozzila UA'"
#
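# Same group-assignment check as 392664 for the SEF URL form of the registration page.
# 'log,deny' added so this rule blocks like its sibling instead of inheriting whatever
# SecDefaultAction is in effect.
SecRule REQUEST_URI "component/users/\?(?:task|view)=registration" "chain,id:392665,log,deny,rev:1,severity:1,msg:'Joomla Privilige Escalation Vulnerability',t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase"
SecRule ARGS:/^jform\[groups\]\[\]$/ "^7$"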
##Date 12.14
# Upload handlers shipped with compromised themes (monetize, mantra), with or without "-file".
SecRule REQUEST_URI "/monetize/general/upload(-file)?\.php" "id:900090,phase:1,deny,status:406,log,msg:'Exploited THEME Upload attempt'"
SecRule REQUEST_URI "/monetize/upload/upload(-file)?\.php" "id:900157,phase:1,deny,status:406,log,msg:'Exploited THEME Upload attempt'"
SecRule REQUEST_URI "/themes/mantra/admin/upload(-file)?\.php" "id:900091,phase:1,deny,status:406,log,msg:'Exploited THEME Upload attempt'"
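#9.17 Joomla BF w/ Bing UA
# Joomla admin request claiming to be bingbot (same UA check as 900084). 'chain' was listed
# twice; once is enough.
SecRule REQUEST_URI "\/administrator\/" "id:900072,phase:1,t:none,t:lowercase,chain,log,status:406,deny,msg:'Joomla Admin BRUTE w/ Bing UA'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; bingbot\/2\.0; \+http:\/\/www\.bing\.com\/bingbot\.htm\)" "t:none"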
##12.26 Wordpress GSM :: 1.2.13 update eval mod
# gsm.php directly inside any plugin directory, and any request with act=eval
# (phase 2, so body parameters are inspected too).
SecRule REQUEST_URI "wp-content/plugins/[^/]+/gsm.php" "id:900092,deny,phase:2,log,status:406,msg:'GSM.PHP Shell access attempt'"
SecRule ARGS:act "^eval$" "id:900093,deny,log,phase:2,status:406,msg:'PHP Shell eval action attempt'"
##12.31 BroBOT blocks/Brute blocks :: WL Seogears IP 3.26
# Bare "Mozilla/4.0|5.0|6.0" UA (end-anchored), except for cron.php and URIs starting with
# /?automatorsecretkey (@beginsWith compares the literal string).
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/[456]\.0$" "id:900095,phase:2,t:none,status:406,log,chain,deny,msg:'Bad UA :: Fake Mozilla Agent'"
SecRule REQUEST_FILENAME "!(cron\.php)" chain
SecRule Request_URI "!@beginsWith /?automatorsecretkey"
##1.3 168.167.249.98 - - [03/Jan/2013:16:55:57 -0600] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"
# "Mozilla/5.0 Firefox/x.y.z" UA with nothing else in it (end-anchored).
Secrule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 Firefox\/\d\.\d\.\d+$" "id:900096,phase:2,t:none,status:406,log,deny,msg:'Bad UA :: Fake Mozilla Agent'"
##6.6 Exploits
# "Mozilla/5.0 (Windows)" UA with nothing after it.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows\)$" "id:900149,phase:2,t:none,status:406,log,deny,msg:'Bad UA :: Fake Mozilla Agent'"
##1.4 WHMCS 5.x Auth bypass http://packetstormsecurity.com/files/119234/whmcs5-bypass.txt
# Exact query string of the WHMCS 5.x admin bypass; no status given.
SecRule REQUEST_URI "login\.php\?correct\&cache\=1\?login\=getpost\{\}" "id:900097,phase:2,t:none,log,deny,msg:'WHMCS 5.x Admin Bypass via Cache exploit'"
##1.4 c_id and comment ARGS backdoor attempt (Brobot)
# c_id / comment parameters starting with known base64 prefixes of the backdoor payload
# (literal @beginsWith; phase 2 so POST body parameters are inspected).
SecRule args:c_id|args:comment "@beginsWith JGJhc2UgPSBkaXJuYW1lKF9fRklMRV9fKS4iLyI7DQp1bmxp" "id:900098,phase:2,t:none,log,deny,msg:'BroBOT DDOS c_id arg backdoor attempt'"
SecRule args:c_id|args:comment "@beginsWith ZWNo" "id:900099,phase:2,t:none,log,deny,msg:'BroBOT DDOS comment arg backdoor attempt'"
##1.4 JCE exploit attempts
# JCE image-manager URLs with no Referer (900100, 900101) or a bare MSIE 6 UA (900147); these
# are phase 2 variants of 900187/900188, which check for a missing User-Agent in phase 1.
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&method\=form" "id:900100,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&method\=form" "id:900147,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)" "t:none"
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager\&version\=\d+\&cid\=\d+" "id:900101,phase:2,t:none,log,chain,deny,msg:'JCE Exploit Attempt CHECK'"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
##1.11 IE6 Block for brute force/spam prevention
# Fully anchored IE6 SV1 UA on a broad list of login/registration/posting/upload paths;
# no phase given (default).
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1;?\)$" "id:900102,chain,status:406,deny,t:none,msg:'IE6 UA Block to prevent brute force and comment spam'"
SecRule REQUEST_URI "/(wp-(login|comments-post)\.php|administrator/|components/k2/|index\.php\?option\=com_(?:k2|user)|index\.php\?action\=|index\.php\?title\=Special:UserLogin|user/|posting\.php|ucp\.php|signup|login|upload-handler\.php)"
##1.15 Mailer / Fake LICESNE.php access attempt
# Two file names observed on compromised sites; no phase given (default).
SecRule REQUEST_URI "/7c32\.php" "id:900103,status:406,deny,t:none,msg:'Malicous Mailer Access Attempt'"
SecRule REQUEST_URI "/LICESNE\.php" "id:900104,status:406,deny,t:none,msg:'Misspelled Licesne access attempt. WSO Shell'"
##1.22 mt-upgrade Behavior block
# Movable Type mt-upgrade.cgi: POST without Referer (900105), or the run_actions query (900107).
SecRule REQUEST_FILENAME "/mt-upgrade\.cgi$" "id:900105,status:406,chain,deny,phase:2,msg:'MovableType MT-Upgrade Remote Command Exe Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
##1.23 mt-upgrade update
SecRule REQUEST_URI "/mt-upgrade\.cgi\?__mode\=run_actions\&installing\=1" "id:900107,status:406,deny,phase:2,t:none,t:lowercase,t:urlDecode,msg:'MovableType MT-Upgrade Remote Command Exe Attempt'"
##1.28 BB-Press SPAM with invalid UA
# bbPress post/login/register with either of two end-anchored UAs.
SecRule REQUEST_URI "/(bb-post|bb-login|register)\.php" "id:900108,chain,phase:2,deny,status:406,msg:'BB-Press SPAM Block with bad UA'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 5\.1; rv:17\.0\) Gecko\/20100101 Firefox\/17\.0$"
SecRule REQUEST_URI "/(bb-post|bb-login|register)\.php" "id:900109,chain,phase:2,deny,status:406,msg:'BB-Press SPAM Block Fake UA'"
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(Windows; U; Windows NT 5\.1; zh-TW; rv:1\.9\.0\.11\)$"
##1.29 SWFupload/js/upload.php BLOCK
# swfupload's upload.php from anything other than a Flash or Java player UA (negated alternation).
SecRule REQUEST_URI "/js/swfupload/js/upload\.php" "id:900110,chain,phase:2,deny,status:406,msg:'SWFupload UPLOAD block'"
SecRule REQUEST_HEADERS:User-Agent "!(^Shockwave Flash$|^Adobe Flash Player \d+$|^Java/\d+\.\d+\.\d+_\d+$)" "t:none"
##1.31 Wordpress direct path 404 theme page POST
# POST straight to a theme's 404.php.
SecRule REQUEST_URI "/wp-content/themes/[^/]+/404\.php" "id:900111,chain,phase:2,deny,status:406,msg:'Wordpress THEME 404 page POST attempt :: Possible Injection Attempt'"
SecRule REQUEST_METHOD "POST" "t:none"
# wordpress db cache
# Direct requests into the W3 Total Cache dbcache directory.
SecRule Request_URI "/wp-content/w3tc/dbcache/" "id:900094,phase:1,t:none,status:406,deny,msg:'WP DB Cache Block'"
#WP WSO Attempt
# POST to a wp-<letters><digit>.php file name; no phase given (default).
SecRule REQUEST_URI "/wp-[a-z]+[0-9]\.php" "id:900076,t:none,chain,log,deny,msg:'Wordpress WSO Request'"
SecRule REQUEST_METHOD "POST" "t:none"
## HTTP_CMD Attempt Blocked :: Used in passthru like
# Request header names "cmd" / "nessus_cmd" (lowercased before the anchored match).
Secrule REQUEST_HEADERS_NAMES "^cmd$" "id:900073,t:lowercase,log,deny,msg:'HTTP_CMD Header attempted'"
Secrule REQUEST_HEADERS_NAMES "^nessus_cmd$" "id:900074,t:lowercase,log,deny,msg:'NESSUS_CMD Header from nessus cmdline tool'"
##Upload rule 900061
# Disabled: the original log-only form of 900054.
#SecRule SCRIPT_BASENAME "^upload[^.]*\.php" "id:900054,phase:2,t:none,t:lowercase,log,pass,chain,msg:'Upload Attempt w/o Referer'"
# uploadify.php POST with no Referer and a non-Flash/Java UA (900054), or no User-Agent at all (900061).
SecRule REQUEST_URI "/uploadify\.php" "id:900054,phase:2,t:none,t:lowercase,log,deny,chain,msg:'Upload Attempt w/o Referer'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule REQUEST_HEADERS:User-Agent "!(^Shockwave Flash$|^Adobe Flash Player \d+$|^Java/\d+\.\d+\.\d+_\d+$)" "t:none"
SecRule REQUEST_URI "/uploadify\.php" "id:900061,phase:2,t:none,t:lowercase,log,deny,chain,msg:'Upload Attempt w/o Referer'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
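##DDOS Script. startphp variant
# @endsWith compares a literal string, not a regex: the previous argument "\?action\=status"
# looked for literal backslashes in the URI and could never match. The Referer must be absent.
SecRule REQUEST_URI "@endsWith ?action=status" "id:900065,phase:1,t:none,deny,chain,capture,msg:'DDOS Status Report'"
SecRule &REQUEST_HEADERS:Referer "@eq 0"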
# Control query strings of self-spawning DDoS scripts (action=start with time_s/time_e, and
# mode=http|udp&address=).
SecRule Request_URI "\?action\=start\&time_s\=\d*\&time_e\=\d+" "id:900070,phase:1,t:none,deny,capture,msg:'DDOS Self Spawn'"
SecRule Request_URI "\?action\=start\&protocol\=(?:tcp|udp)\&time_s\=\d*\&time_e\=\d+" "id:900066,phase:1,t:none,deny,capture,msg:'DDOS Self Spawn'"
SecRule REQUEST_URI "php\?mode\=(?:htt|ud)p\&address\=(?:http:\/\/|\d+)" "id:900173,phase:1,t:none,status:406,deny,msg:'Mua DDOS Script'"
# DDoS script file names (indx.php, stcp.php, stmdu.php) requested with neither Referer nor
# User-Agent; 900068 and 900069 also require POST, 900071 does not.
SecRule SCRIPT_BASENAME "indx\.php" "id:900068,phase:1,t:none,deny,chain,capture,msg:'DDOS indx.php request::No UA/Ref'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
SecRule SCRIPT_BASENAME "stc?ph?\.php" "id:900069,phase:1,t:none,deny,chain,capture,msg:'DDOS stcp.php request::No UA/Ref'"
SecRule REQUEST_METHOD "POST" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
SecRule SCRIPT_BASENAME "stmdu\.php" "id:900071,phase:1,t:none,deny,chain,capture,msg:'DDOS stcp.php request::No UA/Ref'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
##DDos Script
# port/ipbc/mod/time query string of a PHP DDoS script; no phase given (default).
SecRule REQUEST_URI "port\=\d+\&ipbc\=\d+\.\d+\.\d+\.\d+\&mod\=(?:udp|tcp)\&time\=\d+" "id:900075,t:none,log,deny,msg:'PHP DDOS Attempt'"
##No UA/REF VB template edit
# vBulletin template update with neither Referer nor User-Agent (URI lowercased first).
SecRule REQUEST_URI "\/admincp\/template\.php\?do\=updatetemplate" "id:900067,phase:1,t:none,t:lowercase,log,deny,chain,msg:'VB Template Update :: No UA/Ref'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
#Joomla no UA/Referer Block
# Joomla template edit with neither Referer nor User-Agent.
SecRule REQUEST_URI "\/index\.php\?option\=com_templates\&layout\=edit" "id:900063,phase:1,t:none,deny,chain,capture,msg:'No UA/Referer with Joomla theme edit'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
#Joomla JCE Exploit bot UA
SecRule REQUEST_HEADERS:User-Agent "BOT\/0\.1 \(BOT for JCE\)" "id:900064,phase:1,t:none,deny,capture,msg:'JCE Exploit bot'"
# /inc/upload no REFERER
# Logging only ('pass'): /inc/upload.php without Referer. The id has seven digits (9000049),
# matching the 9000040-9000050 range used further down rather than the 900xxx ids elsewhere.
SecRule Request_URI "\/inc\/upload\.php" "id:9000049,phase:2,t:none,t:lowercase,log,pass,chain,msg:'Inc Upload Exploit NO Referrer'"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
#
##VB 3.xx Info Disclosure
# Logging only (no disruptive action): vBulletin do[...]= parameter; 'log' is listed twice.
SecRule Request_URI "(search|profile|subscription)\.php\?do\[[^\]]*\]\=" "id:900060,log,t:none,t:lowercase,log,msg:'VB 3.3 full path disclosure bulnerability'"
##PHP-CGI
# CVE-2012-1823: query string that is a single dash-prefixed option with no "=" in it; phase 2.
SecRule REQUEST_URI "\.php\?(-|%2d)[a-zA-Z][^\=\?]+$" "id:9000047,phase:2,t:none,deny,capture,msg:'PHP-CGI Exploit Attempt::CVE-2012-1823'"
##Joomla NoNumber Framework Block
# NoNumber nn_qp/url request POSTed without a Referer.
SecRule REQUEST_URI "/index\.php\?nn_qp\=\d\&url\=" "id:9000050,phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,chain,msg:'Joomla NoNumber Framework Exploit'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
#DBConnect Direct Access Request
#SecRule REQUEST_URI "dbconnect\.php" "id:9000048,phase:2,t:none,deny,msg:'dbconnect.php direct access attempt'"
#WooTheme Block
# preview-shortcode-external.php with a [php] shortcode, URL-encoded or not.
SecRule REQUEST_URI "preview-shortcode-external\.php\?shortcode\=(%5B|\[)php(%5D|\])" "id:900050,phase:2,t:none,log,status:406,deny,msg:'WooTheme Exploit'"
#WP 404 Login attempt w/ comped password
# wp-login redirect_to pointing at the theme editor opened on a theme's 404.php. Note that
# bracket expressions such as [^(%2F|/)]+ are character classes, not groups: they exclude the
# individual characters ( % 2 F | / ) rather than the sequence "%2F", so the pattern is looser
# than it reads (it still matches the intended URL shape).
SecRule REQUEST_URI "wp-login\.php\?redirect_to\=http(%3A|:)(%2F|/)(%2F|/)[^(%2F|/)]+(%2F|/)wp-admin(%2F|/)theme-editor(\.php)?(\?|%3F)file(\=|%3D)(%252F|\%2F|\/)themes(%252F|\%2F|\/)[^(%252F|\%2F|\/)]+(%252F|\%2F|\/)404\.php" "id:900051,phase:1,t:none,t:urlDecode,log,status:406,deny,msg:'Exploited WP-Login attempt :: 404'"
#Wordpress Functions.php
# cperpage=1 query string (functions.php admin bypass, per msg).
SecRule REQUEST_URI "\?cperpage\=1" "id:900053,phase:2,t:none,t:lowercase,log,status:406,deny,msg:'Wordpress functions.php Admin Bypass'"
# POST to any wank.php (DDoS script); no status given, so the deny uses the default.
SecRule REQUEST_URI "wank\.php" "id:900052,phase:2,t:none,t:lowercase,chain,log,deny,msg:'Wank DDOS Access'"
SecRule REQUEST_METHOD "POST" "t:none"
##Joomla Com_Fabrik CSV Exploit
# Fabrik CSV import POST (URI decoded and lowercased first).
SecRule REQUEST_URI "index\.php\?option\=com_fabrik\&c\=import\&view\=import\&filetype\=csv\&table(?:id)?\=1" "id:9000046,phase:1,status:406,t:none,t:urlDecodeUni,t:lowercase,log,deny,chain,msg:'Joomla ComFabrik CSV Exploit'"
SecRule REQUEST_METHOD "^POST$" "t:none"
## Bad UA Brute
# Unanchored Firefox 3.6.3 ru UA with no Referer. 'drop' closes the connection, so status:406 is unused.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.9\.2\.3\) Gecko\/20100401 Firefox\/3\.6\.3" "id:9000044,phase:2,t:none,log,drop,status:406,chain,msg:'Bad UA :: Brute Force Attempt'"
SecRule &REQUEST_HEADERS:Referer "@eq 0"
##4.9 -WPBrute
# Malformed UA blocked site-wide (note "WIndows NT 9.0" and the doubled closing parenthesis in the string).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows; U; MSIE 9\.0; WIndows NT 9\.0; en-US\)\)" "id:900122,phase:1,t:none,deny,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
# Fixed UA strings on login paths; 900124-900127 additionally require a missing Referer
# (same shape as 900131-900134 above).
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1; WOW64; Trident\/5\.0; SLCC2; Media Center PC 6\.0; InfoPath\.3; MS-RTC LM 8; Zune 4\.7\)" "id:900123,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.1; rv:15\.0\) Gecko\/20120716 Firefox\/15\.0a2" "id:900124,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(Windows NT 6\.2; WOW64\) AppleWebKit\/537\.15 \(KHTML, like Gecko\) Chrome\/24\.0\.1295\.0 Safari\/537\.15" "id:900125,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/5\.0 \(compatible; MSIE 9\.0; Windows NT 7\.1; Trident\/5\.0\)" "id:900126,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/(5|6)\.0 \(Windows NT 6\.2; WOW64; rv:16\.0\.1\) Gecko\/20121011 Firefox\/16\.0\.1" "id:900127,phase:1,t:none,deny,chain,status:406,msg:'Fake UA :: Used in Wordpress bruteforce'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php)"
#osDate RFI
# 9000040: URI containing "config[<something>]=http" -> deny in phase 2.
# The URI is url-decoded, entity-decoded and lowercased first; the %5B/%5D
# alternatives therefore only matter when a bracket survives decoding
# (e.g. double-encoded input).
SecRule REQUEST_URI "config(%5B|\[)\S+(%5D|\])=http" "id:9000040,phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'RFI via osDate Forum module'"
#WP-Trackback Spam injection ::Temp
# 9000041: request to wp-trackback.php whose Referer is exactly
# "http://google.com/" -> drop with status 406 in phase 1.
# The "." in the Referer pattern is unescaped (matches any character);
# the practical effect is negligible but it is not a strict literal match.
SecRule REQUEST_URI "wp-trackback\.php" "id:9000041,phase:1,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,chain,status:406,drop,log,msg:'WP-Trackback Injection Rule'"
SecRule REQUEST_HEADERS:Referer "^http://google.com/$"
#Sql COMMENT block
# 9000042: SQL comment-sequence detection ("/*" or "/*!", optional space, then a
# SQL keyword) across cookie names/values, the request filename, argument
# names/values and XML. Input is unicode-url-decoded and lowercased; the
# captured match is written to the log via logdata. The rev:'2.2.2' tag
# suggests this was lifted from a CRS release — not verifiable from here.
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(\/\*\!? ?(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe|union|concat|group_concat))" "phase:2,rev:'2.2.2',id:9000042,t:none,t:urlDecodeUni,t:lowercase,deny,msg:'SQL Comment Sequence Detected.',capture,logdata:'%{tx.0}'"
#Known bad UA
# 9000038: Netscape 4.76 / Win98 User-Agent -> deny 406 in phase 1.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[en\] \(Win98; U\)" "id:9000038,phase:1,t:none,deny,status:406,log,msg:'Known Exploiting User-Agent :: Not Valid'"
# 9000045: Chilkat HTTP client library UA -> deny. No status given, so the
# response code comes from SecDefaultAction (or the engine default).
SecRule REQUEST_HEADERS:User-Agent "Chilkat\/1\.\d\.\d \(\+http:\/\/www\.chilkatsoft\.com\/ChilkatHttpUA\.asp\)" "id:9000045,phase:1,t:none,deny,log,msg:'Know BAD User-Agent'"
# 9000043: WinHttpRequest UA, chained to the WordPress/Joomla login scripts and
# xmlrpc.php -> deny 406. No phase is set, so the rule lands in the default
# phase (2); fine here, since the chained variable is available by then.
SecRule REQUEST_HEADERS:User-Agent "Mozilla\/4\.0 \(compatible; Win32; WinHttp\.WinHttpRequest\.5\)" "id:9000043,t:none,status:406,chain,deny,msg:'Bad UA :: Brute Force Attempt'"
SecRule REQUEST_URI "/(wp-login\.php|administrator/index\.php|xmlrpc\.php)"
#SecRule REQUEST_URI "/wp-login\.php"
# 9000039: a specific IE8 + Ask toolbar UA string -> deny 406 in phase 1.
# Two dots in "2\.0\.5.727" / "3\.5.30729" are unescaped; harmless for a
# deny-list string since "." still matches the literal dot.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT 6\.1; WOW64; Trident/4\.0; SLCC2; \.NET CLR 2\.0\.5.727; \.NET CLR 3\.5.30729; \.NET CLR 3\.0\.30729; Media Center PC 6\.0; MAAR; \.NET4\.0C; \.NET4\.0E; AskTbPTV2/5\.9\.1\.14019\)" "id:9000039,phase:1,t:none,deny,status:406,log,msg:'Known Exploiting User-Agent :: Not Valid'"
# Wordpress Exploit Comped Pass:: Referer/UA Present
# 900036: requests for the listed WordPress scripts (wp-login.php, plugin/update
# installers, and two known dropper names) with BOTH the Referer and the
# User-Agent header absent -> log, drop, status 406. The last alternative is
# anchored with "$" so it only matches the exact ajax.php query.
SecRule REQUEST_URI "/(wp-login\.php|toolspack\.php|wp-admin/plugin-install\.php|wp-admin/update\.php|startphp\.php|static\/ajax\.php\?do\=\/ad\/complete\/$)" "id:900036,phase:2,t:none,t:lowercase,log,drop,status:406,chain,msg:'Wordpress BOT exploit :: No UA/Referer'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
# Wordpress Exploit Comped Pass :: Referer/UA Empty
# 9000037: same URI list, but for headers that are PRESENT and empty ("^$").
# The id has one more digit than 900036 — presumably a typo, but unique, so
# it causes no conflict.
SecRule REQUEST_URI "/(wp-login\.php|toolspack\.php|wp-admin/plugin-install\.php|wp-admin/update\.php|startphp\.php|static\/ajax\.php\?do\=\/ad\/complete\/$)" "id:9000037,phase:2,t:none,t:lowercase,log,drop,chain,status:406,msg:'Wordpress BOT exploit :: Empty UA/Referer'"
SecRule REQUEST_HEADERS:Referer "^$" chain
SecRule REQUEST_HEADERS:User-Agent "^$"
##Brobot dvmessages block ::3.20
# 900114: any URI containing /dvmessages.php -> deny, answered with 404 rather
# than 406 (looks like a deliberate "not here" response to the bot).
# "Secrule" is accepted: Apache directive names are case-insensitive.
Secrule REQUEST_URI "\/dvmessages\.php" "id:900114,phase:2,t:none,status:404,log,deny,msg:'BroBOT dvmessages request'"
## Wordpress BruteForce
# (The heading above appears to be a leftover; the rule that follows is the
# Joomla OzioGallery block.)
#Joomla Component OzioGallery WritetoFile block
# 900034: POST to the OzioGallery2 writeToFile.php script -> deny.
# No phase is given (default phase 2). t:lowercase is added WITHOUT t:none, so
# any transformations inherited from SecDefaultAction still apply.
SecRule REQUEST_URI "/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile\.php" "id:900034,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla Oziogallery2 Block'"
SecRule REQUEST_METHOD "^POST$" "t:none"
#OFC Upload Vulnerability 9.25
# 900193: ofc_upload_image.php with ".php" (or "%2Ephp") somewhere after
# "?name=" -> deny 406 in phase 1. Note ".*?" can span "&", so a ".php" in a
# later query parameter also triggers the rule, not only the name value.
SecRule REQUEST_URI "/ofc_upload_image\.php\?name\=.*?(\.|%2E)php" "id:900193,phase:1,t:none,t:lowercase,status:406,deny,log,msg:'OFC Upload Exploit :: PHP File Upload Attempt'"
#vB Upgrade ADMIN Injection
# 900194: POST to /install/upgrade.php with neither a Referer nor a
# User-Agent header -> deny 406 in phase 1. The method check is unanchored
# ("POST" as a substring), which is fine for the standard method tokens.
SecRule REQUEST_URI "/install/upgrade\.php" "id:900194,phase:1,t:none,chain,status:406,deny,log,msg:'vB Upgrade Admin Injection'"
SecRule REQUEST_METHOD "POST" chain
SecRule &REQUEST_HEADERS:Referer "@eq 0" chain
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
#Joomla Token Reset Request
# 900032 / 900033: POSTs to the Joomla com_user password-reset steps with no
# Referer header -> deny. No phase given (default 2). "REFERER" in upper case
# is expected to resolve to the same header (header selectors are matched
# case-insensitively) — confirm if this rule is ever reported as not firing.
# "refferer" in the msg is a typo in the logged text only.
SecRule REQUEST_URI "\?option\=com_user\&view\=reset\&layout\=confirm" "id:900032,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla RESET request without refferer'"
SecRule &REQUEST_HEADERS:REFERER "@eq 0" chain
SecRule REQUEST_METHOD "^POST$" "t:none"
SecRule REQUEST_URI "\?option\=com_user\&task\=(complete|confirm)reset" "id:900033,rev:1,t:lowercase,severity:2,log,deny,chain,msg:'Joomla RESET request without refferer'"
SecRule &REQUEST_HEADERS:REFERER "@eq 0" chain
SecRule REQUEST_METHOD "^POST$" "t:none"
#TimThumb /cache/ 32 md5sum.php block.
# 900031: /cache/<32 hex-ish chars>.php, optionally prefixed "external_",
# -> deny 406. Because of t:lowercase the class [0-9a-z] also accepts
# upper-case input; it is wider than hex ([g-z] too), which is harmless here.
SecRule REQUEST_URI "/cache/(?:external_)?[0-9a-z]{32}\.php" "id:900031,rev:1,t:lowercase,severity:2,log,status:406,deny,msg:'TimThumb Upload CACHE attempt'"
## Spam Blocking via text file from StopForumSpam
# Prepare custom REMOTE_ADDR variable
#SecAction "id:900995,phase:1,nolog,pass,setvar:tx.REMOTE_ADDR1=%{REMOTE_ADDR}"
#SecRule REQUEST_URI "/(wp-comments-post|register|posting|add_comment|ucp|bb-post|bb-login|tiki-register|tiki-login_scr)\.php" "phase:1,deny,status:406,chain,log,id:'999022',msg:'Blacklisted IP Address for POST data StopForumSpam List'"
#SecRule TX:REMOTE_ADDR1 "@pmFromFile listed_ip_1.txt"
#SecRule REQUEST_URI "/(component/k2/|index\.php\?option\=com_k2|index\.php\?action\=|index\.php\?title\=Special:UserLogin|user/)" "phase:1,deny,status:406,chain,log,id:999023,msg:'Blacklisted IP Address for POST data StopForumSpam List'"
#SecRule TX:REMOTE_ADDR1 "@pmFromFile listed_ip_1.txt"
#SecRule REQUEST_URI "/(wp-login.php|administrator)" "phase:1,deny,status:406,chain,log,id:900403,msg:'Blacklisted IP Address for POST data Glog Joomla List'"
#SecRule TX:REMOTE_ADDR1 "@pmFromFile joomla.txt"
## Zen-Photo Ajax File Manager Exploit
# 9990028: ajax_create_folder.php requested with NO arguments at all
# (&ARGS is the argument count; the unquoted "^0$" regex is equivalent to
# "@eq 0") -> deny in phase 2. Variable names such as "Request_URI" are
# accepted in mixed case.
SecRule Request_URI "/plugins/ajaxfilemanager/ajax_create_folder.php" "log,phase:2,deny,id:9990028,chain,msg:'Ajax File Manager Exploit'"
SecRule &ARGS ^0$
# 9990029 / 9990030: follow-up probes (truecss=1 against class.images.php and
# date.php) -> deny in phase 2. Dots in the file names are unescaped.
SecRule Request_URI "/class.images.php\?truecss\=1" "log,phase:2,deny,id:9990029,msg:'Ajax File Manager Exploit 2'"
SecRule Request_URI "/date.php\?truecss\=1" "log,phase:2,deny,id:9990030,msg:'Ajax File Manager Exploit 3'"
##sm3 mailer
# 9990025: "/sm" + digit + two non-space chars + digit + ".php" -> deny.
# NOTE(review): this requires exactly four characters between "sm" and ".php",
# so a bare "sm3.php" (the name in the changelog) does NOT match — confirm
# the intended file-name shape.
SecRule REQUEST_URI "/sm\d\S\S\d\.php" "log,phase:1,deny,id:9990025,msg:'SM3 Mailer'"
# 9990027: "/tmp_" + exactly 16 digits + ".php" -> deny.
SecRule REQUEST_URI "/tmp_\d{16}\.php" "log,phase:1,deny,id:9990027,msg:'OSC Backdoor TMP_number'"
# 9990026: two of cookies/showimg/truecss=<digit> joined by "&" -> deny.
SecRule REQUEST_URI "(?:cookies|showimg|truecss)\=\d&(?:showimg|cookies|truecss)\=\d" "log,phase:1,deny,id:'9990026',msg:'OSCommerce Backdoor Exploit'"
##TimThumb Scanning
# 999010: the specific timthumb.php?src= probe value used by a scanner
# -> drop the connection in phase 1.
SecRule REQUEST_URI "/timthumb\.php\?src\=/g0\.\./0d1\.gif" "log,drop,phase:1,t:none,id:999010,msg:'TimThumb Scanning'"
##Wordpress 1-flash-gallery Uploadify
# 900020: 1-flash-gallery upload.php with action=uploadify&fileext=php
# -> deny 406. No phase given (default 2); no t:none, so inherited
# transformations apply.
SecRule REQUEST_URI "/wp-content/plugins/1-flash-gallery/upload\.php\?action\=uploadify&fileext\=php" \
"id:900020,rev:1,severity:2,status:406,log,deny,msg:'Wordpress 1-Flash-Gallery Uploadify PHP upload'"
# 900021: any POST into the plugin's upload directory -> deny 406.
SecRule REQUEST_URI "/wp-content/uploads/fgallery/" \
"id:900021,rev:1,severity:2,log,deny,status:406,chain,msg:'Wordpress 1-Flash-Gallery Upload Dir POST attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"
# Rule 310019: WEB-MISC mod_gzip_status access
# 900994: monitoring only — log requests for /mod_gzip_status and pass.
# (The "310019" in the heading does not match the rule id.)
SecRule REQUEST_URI "/mod_gzip_status" log,pass,id:900994
# Rule 310019: TorrentTrader SQL Injection
# 310491: download.php whose "id" argument contains a single quote -> deny.
# No phase given (default 2). The heading reuses "310019" from the previous
# rule; the actual id is 310491. "SECRULE" is accepted (directive names are
# case-insensitive).
SecRule REQUEST_URI "/download\.php" \
"id:310491,rev:1,severity:2,deny,msg:'JITP: TorrentTrader SQL Injection',chain"
SECRULE ARGS:id "\'"
#Grumlar GIFIMG simple block. DavidN 4/1
# 900009: any URI containing gifimg.php -> deny (default phase 2).
SecRule REQUEST_URI "gifimg\.php" \
"id:900009,rev:1,severity:2,deny,msg:'Gumblar GIFIMG '"
# Rule 1234888: Rapidleech. JustinM 5/6
#SecRequestBodyAccess On
#SecRule REQUEST_BODY "(megaupload|rapidshare|rapidupload|2shared|4shared|depositfiles|hotfile|mediafire|megaporn|megashare|megashares|savefile|sendspace|speedyshare)\.com" \
# "id:1234888,phase:2,log,deny,msg:'Rapidleech'"
#
#SecRule REQUEST_BODY "rapidshare.de" \
# "id:1234888,phase:2,log,deny,msg:'Rapidleech'"
#SecRequestBodyAccess Off
#SecRule ARGS:task "confirmreset" "chain,id:1234889,phase:2,log,deny,msg:'Rapidleech1'"
#SecRule REQUEST_BODY "!token=([a-z0-9]{32})"
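#block proc/self/environ requests
#SecRule REQUEST_URI "proc/self/environ" "id:999997,phase:1,log,drop,msg:'proc environ'"
# 999997: any URI referencing proc/self/environ (a path used in file-inclusion
# probes) -> log and drop the connection in phase 1.
# Transformations are applied in the order listed, so the URI is percent-decoded
# BEFORE the path is normalised; the previous order (normalisePath, then
# urlDecode) left encoded dot/slash sequences un-normalised. Lowercasing last.
SecRule REQUEST_URI "proc/self/environ" "id:999997,phase:1,t:none,t:urlDecode,t:normalisePath,t:lowercase,log,drop,msg:'proc environ'"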
# block r57 and c99shell
# 900010: well-known web-shell file names (c99/r57 variants) anywhere in the
# URI -> drop the connection in phase 1.
SecRule REQUEST_URI "c99\.php|r57shell\.php|r57\.php|c99\.txt" \
"id:900010,rev:1,phase:1,severity:2,drop,msg:'c99 variant '"
# 900011: a specific concat(username,0x3a,activation SQL fragment in the URI
# -> deny (default phase 2, no explicit status).
SecRule REQUEST_URI "concat\(username,0x3a,activation" \
"id:900011,rev:1,severity:2,deny,msg:'attempted sql injection '"
# 900012: "tmp/x-shell" in the URI -> deny.
SecRule REQUEST_URI "tmp/x-shell" \
"id:900012,rev:1,severity:2,deny,msg:'attempted tmp/x-shell '"
# 900014: fwriteq.php?ipaddr= (flood-script signature) -> deny.
SecRule REQUEST_URI "fwriteq\.php\?ipaddr=" \
"id:900014,rev:1,severity:2,deny,msg:'attempted UDP flood 2'"
#SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[ru] \(X11; U; SunOS 5\.7 sun4u\)" \
# "log,deny,phase:1,status:403,t:-lowercase,t:-replaceNulls,t:-compressWhitespace,id:000014,rev:1,severity:2,msg:'attempoted e107 exploit '"
#SecRule REQUEST_HEADERS:User-Agent "Mozila/4\.0\s+\(compatible;\s+MSIE\s+6\.0;\s+Windows\s+NT\s+5\.1;\s+SV1;\s+MyIE2;" \
# "id:900016,log,drop,rev:1,severity:2,msg:'JITP: 900016 improper Mozilla useragent with MyIE2 osCommerce exploit attempt '"
#SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[ru] \(X11; U; SunOS 5\.7 sun4u\)" \
# "log,drop,id:000014,rev:1,severity:2,msg:'attempoted e107 exploit '"
#SecRule REQUEST_HEADERS:User-Agent "Mozila/4\.0\s+\(compatible;\s+MSIE 6\.0;\s+Windows\s+NT\s+5\.1;\s+SV1;\s+MyIE2;" \
# "id:900016,phase:1,log,drop,severity:2,msg:'JITP: 900016 improper Mozilla useragent with MyIE2 osCommerce exploit attempt '"
### ZEN
# 320757: ZenCart admin script followed by "/password_forgotten.php" as
# path-info -> deny (default phase 2). Input is decoded, lowercased,
# null-stripped and whitespace-compressed first; the match is logged via logdata.
SecRule REQUEST_URI "/(admin|banner_manager|product|sqlpatch|define_pages_editor|orders|record_company)\.php/password_forgotten\.php" \
"log,deny,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,id:320757,rev:4,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: ZenCart Sql Injection Exploit',logdata:'%{TX.0}'"
# 000014: Netscape 4.76 (ru) / SunOS UA -> drop 406. The id is numeric, so
# the leading zeros make this id 14 — presumably inside the range reserved
# for local rules; confirm it does not collide with another local rule.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.76 \[ru] \(X11; U; SunOS 5\.7 sun4u\)" \
"log,drop,id:000014,rev:1,status:406,severity:2,msg:'attempoted e107 exploit '"
# 900016: UA with the misspelled "Mozila/4.0" prefix and MyIE2 token
# -> deny 406 in phase 2.
SecRule REQUEST_HEADERS:User-Agent "Mozila/4\.0 \(compatible;\s+MSIE 6\.0;\s+Windows NT 5\.1;\s+SV1; MyIE2;" \
"id:900016,log,deny,phase:2,rev:1,status:406,severity:2,msg:'JITP: 900016 improper Mozilla useragent with MyIE2 osCommerce exploit attempt '"
# 900017: UA beginning with a fixed base64 prefix (appears to decode to a
# PHP "echo" test snippet) -> deny in phase 1.
SecRule REQUEST_HEADERS:User-Agent "@beginsWith ZWNobyAiSXQgV29ya3MiO" \
"id:900017,log,deny,phase:1,rev:1,severity:2,msg:'JITP: 900017 Base64 Useragent TEST'"
# 900018: the UA is base64-decoded first; if the decoded text contains
# "file_get_contents" -> deny in phase 1.
SecRule REQUEST_HEADERS:User-Agent "@contains file_get_contents" \
"id:900018,log,deny,phase:1,rev:1,t:base64Decode,severity:2,msg:'JITP: 900018 Base64 Useragent TEST'"
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bad_robots.txt" \
# "phase:1,rev:'2.2.0',t:none,deny,msg:'Rogue web site crawler',id:'900019',tag:'AUTOMATION/MALICIOUS',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
#SecRule REQUEST_HEADERS:User-Agent "@pm User-Agent" \
# "id:900019,log,deny,phase:1,rev:1,severity:2,msg:'Fake User-Agent String'"
#SecRule REQUEST_URI "/wp-admin" "nolog,phase:1,allow"
#SecRule REQUEST_URI "/wp-login.php" "nolog,phase:1,allow"
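# 900993: whitelist for redirect/cl2.php. A bare "allow" skips ALL remaining
# phases for the transaction, so the match is anchored to the request path
# (REQUEST_FILENAME carries no query string, and @endsWith requires the path
# itself to end in /redirect/cl2.php). The previous unanchored REQUEST_URI
# substring match also applied to any URI merely containing that text,
# including query-string content, which is wider than a whitelist should be.
SecRule REQUEST_FILENAME "@endsWith /redirect/cl2.php" "nolog,phase:1,allow,id:900993"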
#SecRule REQUEST_URI "timthumb.php" "nolog,phase:1,allow"
#SecRule ARGS "(?:ht|f)tps?://(([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum))/?.*" \
# "chain,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'Remote File Inclusion Attack'"
# SecRule REQUEST_HEADERS:Host "!@streq %{tx.1}"
# 999991: TinyMCE "tinybrowser" upload(_file).php with a "folder" parameter
# -> deny in phase 2 after entity-decoding and lowercasing.
# The action lists below contain a space after "id:…," — it appears to be
# tolerated by the parser, but the other rules in this file do not do it.
SecRule REQUEST_URI "tiny_?mce/plugins/tinybrowser/upload(_file)?\.php\?(\S+?\=\S+?)?(\&|\?type\=\S+?&)?folder" "id:999991, phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'JITP:TinyMCE Upload'"
# 999992: jDownloads "task,view.upload" SEF-style URI -> deny in phase 2.
SecRule REQUEST_URI "index\.php\?/component/option,com_jdownloads/Itemid,[0-9]*/task,view.upload/" "id:999992, phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'JITP:jDownloads RFI Vuln'"
# 999993: "arotoss.php.orion" (shell file name) anywhere in the URI -> deny.
SecRule REQUEST_URI "arotoss.php.orion" "id:999993, phase:2,t:none,deny,log,msg:'JIT:WebOrb Shell'"
# UDP Flood Script Prevent
#SecRule Request_URI "php\?(host|ip)=([0-9]{1,3}\.){3}[0-9]{1,3}(&port=[0-9]+)?(&time=[0-9]+)" "id:gatorattack1,rev:1,severity:2,msg:'JITP:gatorattack1'"
# 900056: query parameter host/ip/target set to a dotted-quad IP and followed
# by exactly two of "&port=N" / "&time=N" / "&timeout=N" -> drop (default
# phase 2).
SecRule Request_URI "(?:\?|&)(?:host|ip|target)=(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:&port=[0-9]+|&time(?:out)?=[0-9]+){2}" "id:900056,rev:1,severity:2,drop,msg:'JITP:gatorattack1'"
# 900062: the same parameter set in the opposite order (two numeric
# port/time/exit params, then host/ip/target/http=<IP>) -> drop.
SecRule Request_URI "(?:\?|&)(?:port|time|exit)\=\d+(?:\?|\&)(?:port|time)\=\d+(?:\?|\&)(?:host|ip|target|http)=(?:[0-9]{1,3}\.){3}[0-9]{1,3}" "id:900062,rev:1,severity:2,drop,msg:'JITP:gatorattack2'"
# (disabled broader variant; it reused id 900056 and would clash if enabled)
#SecRule Request_URI "(?:\?|&)(?:(?:host|ip|target|port|time)=[0-9\.]+(?:\?|\&)?)+" "id:900056,rev:1,severity:2,drop,msg:'JITP:gatorattack1'"
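#####
# 1235235 New OS Commerce (file_manager\.php|categories\.php|administrators\.php|banner_manager\.php|define_language\.php) exploit prevention
# 1235235: osCommerce admin script followed by "/login.php" or
# "/login_admin.php" as path-info -> deny in phase 1 after entity-decoding and
# lowercasing. The action list previously carried "deny" twice; the duplicate
# disruptive action was removed (one is sufficient and unambiguous).
SecRule Request_URI "admin\/(?:file_manager|categories|orders|admin_members|administrators|banner_manager|define_language|manufacturers|backup|configuration|modules|orders)\.php\/login(_admin)?\.php" "id:1235235,phase:1,t:none,t:htmlEntityDecode,t:lowercase,capture,deny,log,msg:'JITP:1235235 OS Commerce Protection'"
#SecRule USERID "!^[a-zA-Z0-9_]+$"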
# 1235236 block password_forgotten.php exploit
# 1235236: password_forgotten.php / cookie_usage.php with repeated
# cookies=1 / showimg=1 parameters -> deny 403 in phase 1.
# "t:-name" REMOVES a transformation inherited from SecDefaultAction; no
# t:none here, so the remaining inherited transformations still apply.
SecRule Request_URI "(password_forgotten|cookie_usage)\.php\?((cookies|showimg)\=1)+(language\=[a-z]{1,7})?(?:&(cookies|showimg)\=1)*" "id:1235236,log,deny,phase:1,status:403,t:-lowercase,t:-replaceNulls,t:-compressWhitespace,rev:1,severity:2,msg:'JITP: 1235236 osCommerce password_forgotten exploit attempt '"
# 9993339 sql.php SQL Hacking Tool
# 999333: /sql.php?action=logon|listdb -> deny in phase 2 (lowercased first).
# The heading says 9993339; the rule id is 999333.
SecRule REQUEST_URI "/sql.php\?action\=(logon|listdb)" "id:999333,deny,t:none,t:lowercase,phase:2,rev:1,severity:2,msg:'SQL.php Exploit'"
# 1236236 New OS Commerce (file_manager\.php|categories\.php|administrators\.php|banner_manager\.php|define_language\.php) ?action=processuploads exploit prevention
#SecRule Request_URI "admin\/(?:file_manager\.php|categories\.php|administrators\.php|banner_manager\.php|define_language\.php)\/login\.php\?action=processuploads" "id:1236236,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,setuid:%{REMOTE_USER},deny,log,msg:'JITP:1236236',chain"
#SecRule USERID "!^[a-zA-Z0-9_]+$"
# 1236245 OS Commerce define_language.php exploit prevention
#SecRule Request_URI "admin\/define_language\.php\/login\.php\?filename=cookie_usage\.php&action=save" "id:1236245,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,setuid:%{REMOTE_USER},deny,log,msg:'JITP:1236245',chain"
#SecRule USERID "!^[a-zA-Z0-9_]+$"
# 999811: osCommerce language/lang/lng set to the same value (back-reference
# \1) followed by cookies=1 / showimg=1. NOTE(review): no disruptive action is
# listed, so what happens on match (pass vs deny) is whatever SecDefaultAction
# sets for phase 2; severity:4 suggests this is meant as logging only — confirm.
SecRule REQUEST_URI "(?:showimg\=1)?(?:language\=([a-z]{1,7})&lang\=\1&lng\=\1)(?:&(cookies|showimg)\=1)+" "id:999811,phase:2,t:none,t:lowercase,capture,rev:1,severity:4,msg:'OSCommerce Language Sessions Exploit attempt'"
# 999110: any URI containing "/mass.php" -> deny in phase 2.
SecRule REQUEST_URI "/mass.php" "id:999110,deny,phase:2,rev:1,severity:2,msg:'Possible Mass Defacer Request'"
#SecRule REQUEST_URI "/xmlrpc\.php" "id:900238,chain,phase:1,deny,status:406,log,msg:'JetPack XMLRPC Attempt for NonAutomatic Host'"
#SecRule ARGS:for "jetpack" "t:none,t:lowercase,chain"
#SecRule REMOTE_ADDR "!@rx (?:66\.135\.48\.(?:12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])|76\.74\.248\.(?:12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])|76\.74\.25[45]\.(?:12[0-8]|1[0-1][0-9]|0?[0-9]?[0-9])|216\.151\.209\.(?:12[0-7]|1[01][0-9]|0?[7-9][0-9]|0?6[4-9])|216\.151\.210\.(?:12[0-8]|1[0-1][0-9]|0?[0-9]?[0-9])|207\.198\.101\.(?:12[0-8]|1[0-1][0-9]|[0-9]?[0-9])|209\.15\.21\.\d+|66\.135\.58\.(?:[6][0-3]|[45][0-9]|3[0-9])|216\.152\.133\.1(?:[3-8][0-9]|2[89]|9[01])|69\.174\.248\.(?:12[0-8]|1[0-1][0-9]|[0-9]?[0-9])|192\.0\.(?:6[4-9]|7[01])\.\d+|66\.155\.(?:1[01]|[89])\.\d+|192\.0\.(?:9[0-5]|8[0-9])\.\d+|192\.185\.1\.20)"
# 999009: FCKeditor file-manager connector test page -> deny in phase 2.
SecRule Request_URI "/fckeditor/editor/filemanager/connectors/test\.html" "id:999009,deny,phase:2,rev:1,severity:2,msg:'Fckeditor exploit'"
# 999050: uploadify.php with fileext=php|cl|cgi -> deny in phase 2. Only the
# first occurrence of "?fileext=" is checked, and not lowercased (no t:).
SecRule REQUEST_URI "/uploadify/uploadify\.php\?fileext=(?:php|cl|cgi)" "id:999050,deny,phase:2,rev:1,severity:2,msg:'Uploadify Exploit'"
#TESTING RULE ... uncomment and go to domain.com/fordtest.php
#while tailing /usr/local/apache/logs/error_log to ensure mod_sec is working
#SecRule REQUEST_URI "fordtest\.php" \
#"id:900015,rev:1,severity:2,msg:'attempted path traversal'"
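# 390637: ZenCart password_forgotten.php with action=insert and a PHP/shell
# keyword in any argument or the raw body -> deny with audit log (default
# phase 2). No t:none, so transformations inherited from SecDefaultAction
# are applied in addition to urlDecodeUni and lowercase.
SecRule REQUEST_URI "/password_forgotten\.php" \
"log,deny,auditlog,t:urlDecodeUni,t:lowercase,chain,id:390637,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: Zencart PHP code injection attack'"
SecRule ARGS:action "^insert$" chain
SecRule ARGS|REQUEST_BODY "(php|;+|shell_exec|wget|system\()"
#/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert
# 390638: same entry point, inspecting only the admin_email argument for a
# UNION SELECT / PHP / shell fragment -> deny with audit log.
# The transformation list previously repeated "compressWhiteSpace,lowercase";
# the duplicate pair was dropped (applying them twice is a no-op).
SecRule REQUEST_URI "/password_forgotten\.php" \
"log,deny,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,id:390638,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Patch: Zencart PHP code injection attack'"
SecRule ARGS:admin_email "(union select|php|;+|shell_exec|wget|system\()"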
#SecRule REQUEST_URI "/_?#?(?:(?:p(?:ma_?(?:bd)?)?(?:hp)?)?\d?)?(?:mya?d?)?(?:sql)?\d?_?-?(?:php(?:as)?)?(?:db)?(?:(database)?ad?mm??i?n?s?(?:istrator)?(?:\.old)?)?-?_?(?:(?:(?:\d\.?){1,5})?-?(?:pl\d?|rc\d?|beta\d?)?)/scripts/setup\.php"
# 999995: phpMyAdmin setup.php / config.inc.php probe. The long optional
# prefix is a catch-all for the directory-name variants scanners try
# (pma, phpmyadmin, myadmin, dbadmin, version suffixes, ...); every group is
# optional, so the effective anchor is the trailing
# "/(scripts/setup|config/config.inc).php". Match -> drop 4xx-less (drop)
# with audit log in phase 1. The commented line above is the earlier revision.
SecRule REQUEST_URI "/_?#?(?:(?:p(?:ma_?(?:bd)?)?(?:hp)?)?\d?)?-?(?:mya?d?)?(?:sql)?\d?_?-?(?:php(?:as)?)?(?:db)?(?:(database)?ad?mm??i?n?s?(?:istrator)?(?:\.old)?)?-?_?(?:(?:(?:\d\.?){1,5})?-?(?:pl\d?|rc\d?|beta\d?)?)/(scripts/setup|config/config\.inc)\.php" \
"id:999995,log,drop,auditlog,t:lowercase,phase:1,rev:2,severity:4,msg:'PHPMyadmin Script Attack'"
# 998001: editor connector (config|connector).php with Command=FileUpload and
# a CurrentFolder parameter -> deny in phase 2. Case-sensitive (no t:).
SecRule REQUEST_URI "/connectors/php/(?:config|connector)\.php\?Command=FileUpload&CurrentFolder=" "id:998001,deny,phase:2,rev:1,severity:2,msg:'TinyMCE Upload Vuln'"
### Tell a Friend ###
# Tell-a-friend forms are blocked outright (mail-relay abuse); all three deny
# in phase 2. The dots in "index.php" and "do.taf.php" are unescaped, so
# they match any character — slightly wider than intended but harmless.
SecRule REQUEST_URI "/index.php\?act=taf" "id:999111,deny,phase:2,rev:1,msg:'CubeCart TAF Block'"
SecRule REQUEST_URI "/(?:tell|email)(?:-|a)?friend\.php" "id:999112,deny,phase:2,rev:1,msg:'Generic TAF Block'"
SecRule REQUEST_URI "/do.taf.php" "id:999113,deny,phase:2,rev:1,msg:'Generic TAF Block'"
##Logging Com_JCE
# 900190: monitoring only — POSTs to the JCE image-manager plugin endpoint are
# logged and passed (no block). "request_uri" in lower case is accepted.
SecRule request_uri "index\.php\?option\=com_jce\&task\=plugin\&plugin\=imgmanager\&file\=imgmanager" "id:900190,phase:1,t:none,t:urlDecode,t:lowercase,pass,log,chain,msg:'JCE Access Attempt'"
SecRule REQUEST_METHOD "^POST$" "t:none"
# 900055: request file name of the form "*.php[4-6]_N.<image extension>"
# (double-extension trick) -> deny with status 412. No phase given (default 2);
# no t:, so the match is case-sensitive unless SecDefaultAction lowercases.
SecRule REQUEST_FILENAME "\.php[456]?_?\d?\.(asf|asx|avi|bmp|gif|ico|jpe|jpeg|jpg|png|tif|tiff|wax|wmv|wmx)$" "id:900055,deny,status:412,log,msg:'Fake Image Extension'"
## Wordpress File-Manager / PHPFM Exploit 8.10.2011
# 998002: /incl/upload.inc.php?allowupload=1&upload=1 -> deny in phase 1
# (lowercased first). Note "\=" in the pattern is just an escaped "=".
SecRule REQUEST_URI "/incl/upload\.inc\.php\?allowupload\=1&upload\=1" "id:998002,deny,phase:1,t:none,t:lowercase,rev:1,severity:2,msg:'WP-FileManager - PHPFM Upload Exploit'"
#8.18.2011 Joomla 1.5.14 or less images/stories/ block
# 999250: a .php file (optionally with a numeric/extra suffix) requested under
# /images/stories/ -> drop in phase 2, UNLESS the URI starts with
# "/index.php/" (negated chained rule, i.e. SEF-routed requests are exempt).
SecRule Request_URI "/images/stories/\S+?\.php(\d*?\.\S*)?" "id:'999250',phase:2,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,log,chain,drop,msg:'Joomla Images/Stories Exploit'"
SecRule Request_URI "!^/index.php/"
# WP Cherry Plugin Exploit - Unrestricted File Upload
# https://github.com/CherryFramework/cherry-plugin/issues/6
# 20170203
# 900503: POST to the cherry-plugin import-export upload.php -> deny 406 in
# phase 1. The dot in "upload.php" is unescaped (matches any character).
SecRule REQUEST_URI "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php" "id:900503,phase:1,deny,chain,status:406,msg:'WP Cherry Plugin Exploit'"
SecRule REQUEST_METHOD "POST" "t:none"
# XM1RPC SEO Spam Campaign
# https://blog.sucuri.net/2016/11/xm1rpc-spam-backdoor.html
# 20170203
# 900504: POST to xm1rpc.php (a fake WordPress file name used as a backdoor
# entry point) -> log and deny 406 in phase 1. GET requests are not blocked.
SecRule REQUEST_URI "/xm1rpc.php" "id:900504,t:none,phase:1,chain,log,deny,status:406,msg:'Block Backdoor Access FAKE WP File'"
SecRule REQUEST_METHOD "POST" "t:none"
--