# http://www.gotroot.com/mod_security+rules # Known rootkits, remote toolkits, etc. signatures # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf # # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # modsecurity is a trademark of Thinking Stone, Ltd. # # Version: N-20061009-02 # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'" SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?" SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'" SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?" SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?" SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) " SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?" SecFilterSelective REQUEST_URI "/\.it/viewde" SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?" #Known rootkits SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)" #Generic remote perl execution with .pl extension SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl" #Known rootkit Defacing Tool 2.0 SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)=" #other known tools SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php" #New kit SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)" SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)" #new kir SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)=" #suntzu SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" #proxysx.gif? SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?" #phpbackdoor SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" #new unknown kit SecFilterSelective REQUEST_URI "/oops?&" # known PHP attack shells #value of these sigs, pretty low, but here to catch # any lose threads, honeypoting, etc. SecFilterSelective THE_REQUEST "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)" SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" SecFilterSelective REQUEST_URI "/phpterm" #Frantastico worm SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )" #new unknown kits SecFilterSelective REQUEST_URI "/iblis\.htm\?" SecFilterSelective REQUEST_URI "/gif\.gif\?" SecFilterSelective REQUEST_URI "/go\.php\.txt\?" SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/zehir\.asp" SecFilterSelective REQUEST_URI "/aflast\.txt\?" SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd" SecFilterSelective REQUEST_URI "/t\.gif\?" SecFilterSelective REQUEST_URI "/phpbb_patch\?&" SecFilterSelective REQUEST_URI "/phpbb2_patch\?&" SecFilterSelective REQUEST_URI "/lukka\?&" #new kit SecFilterSelective REQUEST_URI "/c99shell\.txt" SecFilterSelective REQUEST_URI "/c99\.txt\?" #remote bash shell SecFilterSelective REQUEST_URI "/shell\.php\&cmd=" SecFilterSelective ARGS "/shell\.php\&cmd=" #zencart exploit SecFilterSelective REQUEST_URI "/ipn\.php\?cmd=" #new pattern SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "dsoul/tool\?" #generic suntzu payload SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\(" SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system" SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu=" #25dec new one SecFilterSelective REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?" #26dec new kit SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/vsf\.vsf\?&" #27dec SecFilterSelective REQUEST_URI "/scan1\.0/scan/" SecFilterSelective REQUEST_URI "test\.txt\?&" #30dec SecFilterSelective REQUEST_URI "\.k4ka\.txt\?" #31dec SecFilterSelective REQUEST_URI "/php\.txt\?" #1 jan SecFilterSelective REQUEST_URI "/sql\.txt\?" SecFilterSelective REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?" #22feb SecFilterSelective REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?" #24mar SecFilterSelective REQUEST_URI "/docLib/cmd\.asp" SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer" SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath=" SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath=" #some broken attack program SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@" SecFilterSelective THE_REQUEST "trojan\.htm" SecFilterSelective REQUEST_URI "/r57en\.php" #c99 rootshell SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)" #generic shell SecFilterSelective REQUEST_URI "shell\.txt" #bad scanner SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind" #wormsign SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()" #New SEL attack seen SecFilterSelective THE_REQUEST "select.*from.*information_schema\.tables" #New SQL attack seen SecFilterSelective REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"