patterns/waf_patterns/apache/shells.conf

# Apache ModSecurity rules for SHELLS
SecRuleEngine On

SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1336,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1344,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1340,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1346,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1322,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1327,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1329,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1339,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1333,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1323,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1343,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1342,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1326,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1331,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1334,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1345,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1325,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1328,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1341,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1338,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1335,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1330,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1337,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1332,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1324,phase:1,deny,status:403,log,msg:'shells attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for SHELLS`
			`SecRuleEngine On`

Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1336,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Thu Feb 6 00:25:50 UTC 2025] 2025-02-06 00:25:50 +00:00			`SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1344,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Fri Feb 7 00:25:52 UTC 2025] 2025-02-07 00:25:52 +00:00			`SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1340,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1346,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\\|<title>r57\ shell</title>\)" "id:1322,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Thu Feb 6 00:25:50 UTC 2025] 2025-02-06 00:25:50 +00:00			`SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1327,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Fri Feb 7 00:25:52 UTC 2025] 2025-02-07 00:25:52 +00:00			`SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1329,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Thu Feb 6 00:25:50 UTC 2025] 2025-02-06 00:25:50 +00:00			`SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1339,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1333,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1323,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1343,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1342,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Thu Feb 6 00:25:50 UTC 2025] 2025-02-06 00:25:50 +00:00			`SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1326,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1331,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1334,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1345,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1325,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Fri Feb 7 00:25:52 UTC 2025] 2025-02-07 00:25:52 +00:00			`SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1328,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Sat Feb 8 00:25:04 UTC 2025] 2025-02-08 00:25:04 +00:00			`SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1341,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1338,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1335,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1330,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1337,phase:1,deny,status:403,log,msg:'shells attack detected'"`
			`SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1332,phase:1,deny,status:403,log,msg:'shells attack detected'"`
Update: [Fri Feb 7 00:25:52 UTC 2025] 2025-02-07 00:25:52 +00:00			`SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1324,phase:1,deny,status:403,log,msg:'shells attack detected'"`