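#http://www.gotroot.com/mod_security+rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
#Known rootkit, remote toolkit, etc. signature
#
#Download from: http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf
#copyright 2005, all rights reserved
#
# Commercial redistribution prohibited.
#
#Version: N-20051120-01
#
#http://www.gotroot.com
#see website for more information
#
# Review notes (layout restored to one directive per line; no pattern text changed
# except the removal of one exact duplicate, noted below):
# - SecFilterSelective is mod_security 1.x syntax.  THE_REQUEST is matched against the
#   full request line, REQUEST_URI against the URI part only; every pattern here is a
#   regular expression, so "\." and "\?" are literal characters.
# - None of these rules carries an explicit action, so whatever SecFilterDefaultAction
#   is set to elsewhere in the configuration decides whether a match is denied or only
#   logged.  Confirm that setting before relying on this file as a blocking control.
# - These are file-name/parameter signatures for known web shells; they are cheap to
#   evade by renaming and are best treated as a detection/alerting layer, not the
#   primary defence.

#Known web shells reached through image/text file names with a query string
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp)\?"
# NOTE(review): very short names such as "/sh." and "/a." below match any path whose
# last segment is that name followed by the listed extension and a "?"; expect some
# false positives on legitimate sites and review the audit log before denying.
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp)\?"

#Known PHP shells uploaded under an image-like name (gif.php, jpg.php, ...)
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"

#Known rootkits
# These patterns contain a space, so they can only match when the request line
# itself carries "perl <file>" (e.g. a decoded injected command), not a plain URI.
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Known rootkit Defacing Tool 2.0
# TODO(review): "(12)" is a group matching the literal digits "12", unlike the
# "[12]" character class used in the tool[12] rules above; and "d(ao)t" only matches
# the literal "daot" (the rule further down uses "\.dat" directly).  Both look like
# typos for "[12]" and "d(a|o)t" respectively -- confirm against the original
# signature source before changing, as either edit widens what the rule matches.
SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"

#other known tools
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php"

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="

#new unknown kit
# TODO(review): the "?" here is unescaped, so the regex reads "/oop" + optional "s"
# + "&" rather than the literal "/oops?&" the comment style elsewhere suggests;
# confirm intent (the other query-string rules use "\?&").
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypoting, etc.
# NOTE(review): the four named wiki_up/ rules are all also matched by the generic
# "wiki_up/.*\.ph(p(3|4)?|tml)" rule that follows them; they are kept for readable
# log entries, not because they add coverage.
SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)"
# The original listed the tool20 rule twice in a row; the exact duplicate was dropped
# (a second identical regex adds no coverage, only evaluation cost).
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"

#new unknown kits
SecFilterSelective THE_REQUEST "/iblis\.htm\?"
SecFilterSelective THE_REQUEST "/gif\.gif\?"
SecFilterSelective THE_REQUEST "/go\.php\.txt\?"
SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/zehir\.asp"
SecFilterSelective THE_REQUEST "/aflast\.txt\?"
SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd"
# NOTE(review): "/t\.gif\?" is a one-letter file name; see the false-positive remark
# on the short-name rules above.
SecFilterSelective THE_REQUEST "/t\.gif\?"
SecFilterSelective THE_REQUEST "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST "/lukka\?&"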