# Nginx WAF rules for SHELLS
location / {
# Flag raised by the signature checks below; it starts at 0 (nothing matched).
# The directive that acts on the flag (e.g. a return/deny) is not visible in
# this excerpt.
set $attack_detected 0;
# NOTE(review): every check below runs a case-insensitive regex (~*) against
# $request_uri, the original request target including arguments, not decoded.
# The patterns look like banner/title text that a web shell prints in its
# response page -- confirm that $request_uri is the intended variable.
# Several patterns contain literal spaces, which a client normally sends as
# %20 or +, so those rules are unlikely to ever match; verify with a test
# request before relying on them.
# NOTE(review): the "rn" / "n" runs look like \r\n and \n escapes whose
# backslashes were lost; as written they match the literal letters. Verify
# against the rule set these patterns were derived from.

# "PHP Web Shell" banner, anchored at the start of the URI. The quoted pattern
# spans two lines, so the regex contains a literal newline right after "^".
if ($request_uri ~* "^
PHP Web Shellrnrnrn ") {
set $attack_detected 1;
}
# "azrail <version> by C-W-M" banner, anchored at the start of the URI.
if ($request_uri ~* "^n n azrail [0-9.]+ by C-W-M") {
set $attack_detected 1;
}
# "lostDC -" banner, anchored at the start; " *" and "[ ]+" allow runs of
# spaces around the leading "n" characters.
if ($request_uri ~* "^ *n[ ]+n[ ]+lostDC -") {
set $attack_detected 1;
}
# r57 shell banner, unanchored. With ~* the second alternative ("r57 shell")
# already matches everything the versioned alternative does, so the first
# alternative is redundant.
if ($request_uri ~* "(r57 Shell Version [0-9.]+|r57 shell)") {
set $attack_detected 1;
}
# "B4TM4N SH3LL" banner, unanchored. The trailing ".*" does not change whether
# the pattern matches.
if ($request_uri ~* "B4TM4N SH3LL.*") {
set $attack_detected 1;
}
# "PhpSpy Ver <digits>" banner, anchored at the start of the URI.
if ($request_uri ~* "^rnrnrnPhpSpy Ver [0-9]+") {
set $attack_detected 1;
}
# "GRP WebShell <version>" banner, anchored at the start of the URI.
if ($request_uri ~* "^rnrnGRP WebShell [0-9.]+") {
set $attack_detected 1;
}
# "Ru24PostWebShell -" banner, anchored at the start of the URI.
if ($request_uri ~* "^nnRu24PostWebShell -") {
set $attack_detected 1;
}
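# punkholicshell signature: case-insensitive substring match anywhere in the
# request URI. "@contains" is ModSecurity operator syntax, not regex; inside an
# nginx pattern it is matched as literal text, so the rule could only fire on a
# URI containing the string "@contains punkholicshell". Only the signature
# itself belongs in the pattern.
if ($request_uri ~* "punkholicshell") {
set $attack_detected 1;
}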
# "CasuS <version> by MafiABoY" banner: unanchored, case-insensitive (~*) match
# against $request_uri, which is the original, undecoded request target.
# NOTE(review): the pattern contains literal spaces, which a client normally
# sends as %20 or +, so this rule is unlikely to match a real request URI.
# The text looks like a banner a web shell prints in its response page --
# confirm that $request_uri is the intended variable.
if ($request_uri ~* "CasuS [0-9.]+ by MafiABoY") {
set $attack_detected 1;
}
if ($request_uri ~* "^n.*? ~ Shell Inn