# Apache ModSecurity rules for SHELLS
SecRuleEngine On

SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1331,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1326,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1327,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1316,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1335,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1338,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1325,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1321,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1318,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1330,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1329,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1324,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1333,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1319,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1332,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1317,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1328,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1334,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1323,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1337,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1322,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1320,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1336,phase:1,deny,status:403,log,msg:'shells attack detected'"