# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Known rootkits, remote toolkits, etc. signatures for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # SecRule REQUEST_URI "!(?:horde/services/go\.php|tiki-view_cache\.php|/event\.ng/Type=click.*Redirect|^/\?out=http://.*/.*\?ref=.*)" \ "chain,id:390144,rev:6,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'" SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?" SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://)" \ "chain,id:390145,rev:2,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'" SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?" SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?" SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) " SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?" SecRule REQUEST_URI "/\.it/viewde" SecRule REQUEST_URI "/cmd\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)=" #SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?" #Known rootkits SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;" SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c" SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" #other known tools SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php" #New kit SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)" SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)" #new kir SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)=" #suntzu SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS:Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" #proxysx.gif? SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?" #phpbackdoor SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" #new unknown kit SecRule REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs, pretty low, but here to catch # any lose threads, honeypoting, etc. SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" SecRule REQUEST_URI "/phpterm" #Frantastico worm SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )" #new unknown kits SecRule REQUEST_URI "/iblis\.htm\?" SecRule REQUEST_URI "/gif\.gif\?" SecRule REQUEST_URI "/go\.php\.txt\?" SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/zehir\.asp" SecRule REQUEST_URI "/aflast\.txt\?" SecRule REQUEST_URI "/sikat\.txt\?&cmd" SecRule REQUEST_URI "/t\.gif\?" SecRule REQUEST_URI "/phpbb_patch\?&" SecRule REQUEST_URI "/phpbb2_patch\?&" SecRule REQUEST_URI "/lukka\?&" #new kit SecRule REQUEST_URI "/c99shell\.txt" SecRule REQUEST_URI "/c99\.txt\?" #remote bash shell SecRule REQUEST_URI "/shell\.php\&cmd=" SecRule ARGS "/shell\.php\&cmd=" #zencart exploit SecRule REQUEST_URI "/ipn\.php\?cmd=" #new pattern SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "dsoul/tool\?" #generic suntzu payload SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\(" SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system" SecRule REQUEST_URI "help_text_vars\.php\?suntzu=" #25dec new one SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?" #26dec new kit SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/vsf\.vsf\?&" #27dec SecRule REQUEST_URI "/scan1\.0/scan/" SecRule REQUEST_URI "test\.txt\?&" #30dec SecRule REQUEST_URI "\.k4ka\.txt\?" #31dec SecRule REQUEST_URI "/php\.txt\?" #1 jan SecRule REQUEST_URI "/sql\.txt\?" SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?" #22feb SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?" SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?" #24mar SecRule REQUEST_URI "/docLib/cmd\.asp" SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer" SecRule REQUEST_URI "\.asp\?.*showUpload&thePath=" SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath=" #some broken attack program SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@" SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm" SecRule REQUEST_URI "/r57en\.php" #c99 rootshell SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)" #generic shell SecRule REQUEST_URI "shell\.txt" #bad scanner SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind" #wormsign SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()" #New SEL attack seen SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables" #New SQL attack seen SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"