External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Tue Jan 7 18:00:52 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-07 18:00:52 +00:00
parent 565b0c59a6
commit 4c0631f8ff
41 changed files with 3230 additions and 6327 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
waf_patterns/apache/shells.conf
View File

@@ -1,37 +1,28 @@
# Apache ModSecurity rules for SHELLS
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1476,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1477,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1478,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" "id:1479,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" "id:1480,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" "id:1481,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Mini Shell</title>.*Developed By LameHacker" "id:1482,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" "id:1483,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Symlink_Sa [0-9.]+</title>" "id:1484,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" "id:1485,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+" "id:1486,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" "id:1487,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" "id:1488,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" "id:1489,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>lama's'hell v. [0-9.]+</title>" "id:1490,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" "id:1491,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" "id:1492,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">" "id:1493,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell -" "id:1494,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" "id:1495,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>" "id:1496,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+" "id:1497,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <title>punkholicshell</title>" "id:1498,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" "id:1499,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" "id:1500,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" "id:1501,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" "id:1502,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1503,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1504,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>" "id:1505,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1506,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1507,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1508,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1509,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1298,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1302,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1309,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1295,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1311,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1294,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1297,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1305,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1310,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1307,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1291,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1293,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1312,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1299,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1292,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1300,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1296,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1308,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1313,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1304,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1303,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1301,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1306,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"