External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/nginx/shells.conf
github-actions[bot] 1e4bb70b5d Update: [Sun Dec 22 00:28:28 UTC 2024]
2024-12-22 00:28:28 +00:00

145 lines
3.8 KiB
Plaintext
Raw Blame History

# Nginx WAF rules for SHELLS
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile web-shells-php.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<div align=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<meta http-equiv=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <title>punkholicshell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}
Reference in New Issue View Git Blame Copy Permalink