# Nginx WAF rules for SHELLS location / { set $attack_detected 0; if ($request_uri ~* "Symlink_Sa [0-9.]+") { set $attack_detected 1; } if ($request_uri ~* "^rnrnrnPhpSpy Ver [0-9]+") { set $attack_detected 1; } if ($request_uri ~* "(r57 Shell Version [0-9.]+|r57 shell)") { set $attack_detected 1; } if ($request_uri ~* "s72 Shell v[0-9.]+ Codinf by Cr@zy_King") { set $attack_detected 1; } if ($request_uri ~* "B4TM4N SH3LL.*") { set $attack_detected 1; } if ($request_uri ~* "^rnrnGRP WebShell [0-9.]+") { set $attack_detected 1; } if ($request_uri ~* "^<title>PHP Web Shellrnrnrn ") { set $attack_detected 1; } if ($request_uri ~* "@contains

webadmin.php

") { set $attack_detected 1; } if ($request_uri ~* "^nnRu24PostWebShell -") { set $attack_detected 1; } if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY") { set $attack_detected 1; } if ($request_uri ~* "^nn
Input command :
n
") { set $attack_detected 1; } if ($request_uri ~* "^n n azrail [0-9.]+ by C-W-M") { set $attack_detected 1; } if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by Mini Shell.*Developed By LameHacker") { set $attack_detected 1; } if ($request_uri ~* "^ :: b374k m1n1 [0-9.]+ ::") { set $attack_detected 1; } if ($request_uri ~* "NGHshell [0-9.]+ by Cr4shn$") { set $attack_detected 1; } if ($request_uri ~* "^n.*? ~ Shell Inn