External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/apache/shells.conf
github-actions[bot] dd47e4b328 Update: [Mon Jan 6 00:28:11 UTC 2025]
2025-01-06 00:28:11 +00:00

38 lines
4.7 KiB
Plaintext
Raw Blame History

# Apache ModSecurity rules for SHELLS
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1231,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1232,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1233,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" "id:1234,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" "id:1235,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" "id:1236,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Mini Shell</title>.*Developed By LameHacker" "id:1237,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" "id:1238,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Symlink_Sa [0-9.]+</title>" "id:1239,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" "id:1240,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+" "id:1241,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" "id:1242,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" "id:1243,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" "id:1244,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>lama's'hell v. [0-9.]+</title>" "id:1245,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" "id:1246,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" "id:1247,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">" "id:1248,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell -" "id:1249,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" "id:1250,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>" "id:1251,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+" "id:1252,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <title>punkholicshell</title>" "id:1253,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" "id:1254,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" "id:1255,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" "id:1256,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" "id:1257,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1258,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1259,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>" "id:1260,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1261,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1262,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1263,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1264,phase:1,deny,status:403,log,msg:'shells attack detected'"
Reference in New Issue View Git Blame Copy Permalink