# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Search Engine Recon/Google Hacks Security Rules for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # # Note: For modsecurity 2.x and above only SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace" SecRule REQUEST_HEADERS:Referer "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/guery Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "filetype:sql \x28\x22passwd values.*password values.*pass values" "id:350009,rev:1,severity:2,msg:'passwd values Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "filetype.*blt.*buddylist" "id:350010,rev:1,severity:2,msg:'buddy list Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "File Upload Manager v1\.3.*rename to" "id:350011,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "filetype\x3Aphp HAXPLORER .*Server Files Browser" "id:350012,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl.*passlist\.txt" "id:350013,rev:1,severity:2,msg:'Password list Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "id:350014,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "Enter ip.*inurl\x3A\x22php-ping\.php\x22" "id:350015,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" "id:350016,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl\.*install.*install\.php" "id:350017,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "Powered by PHPFM.*filetype\.php -username" "id:350018,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl\.*phpSysInfo.*created by phpsysinfo" "id:350019,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "id:350020,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "inurl\.*webutil\.pl" "id:350021,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" SecRule REQUEST_HEADERS:Referer "Powered by 6rbScript" "id:350022,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'" #sumthin variant #OSSEC 404 stuff does this better SecRule REQUEST_URI "thisdoesnotexistahaha\.php" "id:350022,rev:1,severity:2,msg:'Non-Existant File Google Recon attempt'"