آلسلآم عليكمَ ورحمة الله وبركاتة
موضوعنا اليوم عن modsecurity سنحل بعض المشاكل ونضع رولز ،
في البداية سنسترجع المود سكيورتي للاصدار القديم ، لانة الجديد لزم كل رولز له ايدي.
نفذ التآلي ،
[PHPCODE]yum -y install httpd-devel
yum -y install apr-devel
yum -y install apr-util-devel
yum -y install pcre-devel
[/PHPCODE]
ومن ثم ،
[PHPCODE]wget http://garr.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.8/modsecurity-apache_2.6.8.tar.gz
cd modsecurity-apache_2.6.8
./configure
cd apache2
make
make install
service httpd restart[/PHPCODE]
الان نروح ، للسي بانل من ثم plugins وندخل الى mod_security نضع هاذا الرولز..
[PHPCODE]SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
#Master list of known malware script file names
#SecRule REQUEST_URI "(?
gg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
"capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: Generic Attempt to remote include command ****************l',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:message "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)" \
#rootkit patterns
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
"capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "=(?gg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"
#c99 root****************l
SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?hpinfo|mtnf|p0k3r)|/****************l[0-9]?\.php|/\.get\.php)" \
"capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: PHP exploit ****************l attempting to run command',logdata:'%{TX.0}'"
# known PHP attack ****************ls
SecRule REQUEST_URI "(?:wiki_up/(??:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?hp(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)****************l)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|****************l[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?hp|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \
"capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote ****************l',logdata:'%{TX.0}'"
#|temp)/(??:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?hp(3|4)?|tml|cgi|sh))
#URI sigs
SecRule REQUEST_URI "/(??:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|****************l|(?|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|****************l|/ipn|php(?:3|4|5)?****************l)\.(?hp?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?h(?(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|********************sx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|****************l.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
"capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "/(??:linuxdaybot|suntzu|****************l_vup|****************l|(?|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \
"capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
#Request Body patterns
#trick them with a 404
SecRule RESPONSE_BODY "(??:<title>[^<]*?(?:\b(??:c(?:ehennemden|gi-telnet)|gamma web ****************l)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?****************l)|aventis klasvayv|zehir)\b|\.:?:news remote php ****************l injection::\.| rhtools\b)|ph(?(??: commander|-terminal)\b|remoteview)|vayv)|my****************l)|\b(???:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?****************l)|(c99|c100|r57) ?****************l)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, Â. 2008 error|safemodeexecdir|sh-(inf|err): )" \
"phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"
#ASP sigs
SecRule REQUEST_URI "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
"capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?erl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?hp|txt)|r57****************l\.(?hp|txt))" \
"capture,id:390802,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:[email protected]@[email protected]@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
#wormsign sigs
#New SEL attack seen
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
"capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
"phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"
#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
"phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
"capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
#WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
"capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"
<LocationMatch homeCounter.php>
SecRuleRemoveById 390144
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /whois/quick.php>
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
SecRuleRemoveById 390902
</LocationMatch>[/PHPCODE]
انتهآء ،
اخوكم في الله
ابو خالد
موضوعنا اليوم عن modsecurity سنحل بعض المشاكل ونضع رولز ،
في البداية سنسترجع المود سكيورتي للاصدار القديم ، لانة الجديد لزم كل رولز له ايدي.
نفذ التآلي ،
[PHPCODE]yum -y install httpd-devel
yum -y install apr-devel
yum -y install apr-util-devel
yum -y install pcre-devel
[/PHPCODE]
ومن ثم ،
[PHPCODE]wget http://garr.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.8/modsecurity-apache_2.6.8.tar.gz
cd modsecurity-apache_2.6.8
./configure
cd apache2
make
make install
service httpd restart[/PHPCODE]
الان نروح ، للسي بانل من ثم plugins وندخل الى mod_security نضع هاذا الرولز..
[PHPCODE]SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
#Master list of known malware script file names
#SecRule REQUEST_URI "(?
gg|gopher|zlib|(?:ht|f)tps?)\:/" \#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
"capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: Generic Attempt to remote include command ****************l',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:message "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)" \
#rootkit patterns
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
"capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "=(?
gg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"
#c99 root****************l
SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?
hpinfo|mtnf|p0k3r)|/****************l[0-9]?\.php|/\.get\.php)" \"capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: PHP exploit ****************l attempting to run command',logdata:'%{TX.0}'"
# known PHP attack ****************ls
SecRule REQUEST_URI "(?:wiki_up/(?
?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?hp(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)****************l)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|****************l[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?hp|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \"capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote ****************l',logdata:'%{TX.0}'"
#|temp)/(?
?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?hp(3|4)?|tml|cgi|sh))#URI sigs
SecRule REQUEST_URI "/(?
?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|****************l|(?|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|****************l|/ipn|php(?:3|4|5)?****************l)\.(?hp?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?h(?(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|********************sx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|****************l.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \"capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "/(?
?:linuxdaybot|suntzu|****************l_vup|****************l|(?|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \"capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
#Request Body patterns
#trick them with a 404
SecRule RESPONSE_BODY "(?
?:<title>[^<]*?(?:\b(??:c(?:ehennemden|gi-telnet)|gamma web ****************l)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?****************l)|aventis klasvayv|zehir)\b|\.:?:news remote php ****************l injection::\.| rhtools\b)|ph(?(??: commander|-terminal)\b|remoteview)|vayv)|my****************l)|\b(???:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?****************l)|(c99|c100|r57) ?****************l)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, Â. 2008 error|safemodeexecdir|sh-(inf|err): )" \"phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"
#ASP sigs
SecRule REQUEST_URI "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
"capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?
erl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?hp|txt)|r57****************l\.(?hp|txt))" \"capture,id:390802,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:[email protected]@[email protected]@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
#wormsign sigs
#New SEL attack seen
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
"capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
"phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"
#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
"phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
"capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
#WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
"capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"
<LocationMatch homeCounter.php>
SecRuleRemoveById 390144
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /whois/quick.php>
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
SecRuleRemoveById 390902
</LocationMatch>[/PHPCODE]
انتهآء ،
اخوكم في الله
ابو خالد