External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Wed Jan 8 00:26:52 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-08 00:26:52 +00:00
parent fe5f92f6ed
commit ed5a5bc855
40 changed files with 2586 additions and 2586 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
waf_patterns/nginx/shells.conf
View File

@@ -6,11 +6,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1;
}
@@ -18,23 +14,11 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
if ($request_uri ~* "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
@@ -42,47 +26,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
@@ -90,11 +34,15 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Symlink_Sa [0-9.]+</title>") {
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
@@ -102,6 +50,58 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}