r57 Shell Version [0-9.]+

# Apache ModSecurity rules for SHELLS SecRuleEngine On SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx (r57 Shell Version [0-9.]+|r57 shell)" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^.*? - WSO [0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx B4TM4N SH3LL.*" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx Mini Shell.*Developed By LameHacker" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx .:: .* ~ Ashiyane V [0-9.]+ ::." "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx Symlink_Sa [0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx CasuS [0-9.]+ by MafiABoY" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^rnrnGRP WebShell [0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx lama's'hell v. [0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^ *n[ ]+n[ ]+lostDC -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^<title>PHP Web Shellrnrnrn " "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^nn

Input command :

" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^nnRu24PostWebShell -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^rnrnrnPhpSpy Ver [0-9]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^ nnnng00nshell v[0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@contains <title>punkholicshell" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx ^n n azrail [0-9.]+ by C-W-M" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by n.*? ~ Shell Inn