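# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
#
# Created by the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Operational caveats for this file:
#  * The SecDefaultAction below applies t:lowercase to every rule that does
#    not override it with t:none. A REQUEST_URI / ARGS / REQUEST_BODY pattern
#    in such a rule is therefore compared against lower-cased input and MUST
#    itself be lower case, or it can never match. Several signatures below
#    were upper/mixed case (homeCounter, HiMaster, $_REQUEST, theAct/thePath,
#    _@@RNDSTR@@) and have been lower-cased so they actually fire.
#  * Several rules carry no id: action, and ids 390146 and 390150 are each
#    used twice. ModSecurity >= 2.7 refuses to load rules without an id and
#    rejects duplicate ids ("Found another rule with the same id"); on older
#    engines a SecRuleRemoveById for a duplicated id silently removes BOTH
#    rules. The ids are left untouched here because new numbers must come
#    from the ruleset's allocated id range; assign them before deploying on
#    a modern engine.
#  * REQUEST_BODY rules need SecRequestBodyAccess On, and the phase:4
#    RESPONSE_BODY rules need SecResponseBodyAccess On plus a
#    SecResponseBodyMimeType that covers the pages to inspect; otherwise
#    those rules silently never run.
#  * The <LocationMatch> exclusions at the bottom are unanchored regexes
#    matched against the request path, so they also match when the pattern
#    appears as PATH_INFO (e.g. /uploads/c99.php/forum/viewtopic.php). They
#    are left unanchored because the ruleset must cover installs in
#    arbitrary sub-directories; anchor them (^/forum/viewtopic\.php$) once
#    the install paths on a given host are known.

SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Generic attempt to remote-include a command shell via a URL in the request
# line. First rule is a negative list of known-benign redirector/tracker URLs
# (lower case because of t:lowercase); the chained rule is the signature.
# The !ARGS:* exclusions on the chained rule have no effect, since ARGS is not
# among its targets; they are kept as-is for compatibility.
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homecounter\.php\?offerid=.*&ureferrer=http)" \
    "chain,id:390144,rev:16,severity:2,msg:'Command shell attack: Generic Attempt to remote include command shell'"
    SecRule REQUEST_URI|!ARGS:Redirect|!ARGS:ureferrer|!ARGS:url "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"

# Argument that looks like a remote include of a shell disguised as a data or
# image file, immediately followed by a cmd/inc/name parameter.
SecRule ARGS|!ARGS:message "\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=" \
    "id:340033,rev:2,severity:2,msg:'Possible rootkit'"

#rootkit patterns
# Same idea as 390144 but keyed on "=http://..." style parameter values.
SecRule REQUEST_URI "!(/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
    "chain,id:390145,rev:6,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
    SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

#Body sigs
# Backdoor control headers (X_KEY / X_FILE). Answers 404 rather than 403 so
# the operator of the backdoor is not told the request was filtered.
# NOTE: id 390146 is also used by the c99 rule below (see header caveat).
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "phase:2,t:none,t:lowercase,status:404,msg:'Backdoor access',id:390146,severity:'2'"

#c99 rootshell
SecRule REQUEST_URI "(\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php)" \
    "id:390146,rev:15,severity:2,msg:'Command shell attack: PHP exploit shell attempting to run command'"

# known PHP attack shells
SecRule REQUEST_URI "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\.txt\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?:php|test|sql)\.txt\?|/oops?&|/maint64/index.php)" \
    "id:390147,rev:7,severity:2,msg:'Rootkit attack: Known rootkit or remote shell'"

#URI sigs
# Rule 390148 is disabled (every line is commented out). The
# "SecRuleRemoveById 390148" under moderation.php below is therefore a no-op
# until this rule is re-enabled.
#SecRule REQUEST_URI "(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|shell|/ipn|php(?:3|4|5)?shell)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|proxysx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|shell.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
#SecRule REQUEST_URI "/(linuxdaybot|suntzu|(php(?:3|4|5)?)?shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|php(?:3|4|5)?backdoor|dblib|cse|cmd|terminatorX-?exp)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)"
#    "id:390148,rev:8,severity:2,msg:'Possible Rootkit attack: Generic Attempt to run rootkit'"

#Request Body patterns
#trick them with a 404
# Response-body fingerprints of known web shells / backdoors.
# Fixes relative to the previous revision:
#  * "{,10}" / "{,20}" are NOT quantifiers in PCRE (they are literal text),
#    so the Microsoft Windows banner branch could never match; they are now
#    "{0,10}" / "{0,20}".
#  * t:none disables the default t:lowercase, yet most fingerprints are
#    written in lower case while real output is mixed case ("Microsoft
#    Windows", "NTDaddy v1.9", "PHP Shell"). The pattern is now explicitly
#    case-insensitive via (?i) so both the lower-case and the capitalised
#    branches work.
# Beware that ".+" in the PHP safe_mode branch scans the whole buffered body;
# keep SecResponseBodyLimit reasonable.
SecRule RESPONSE_BODY "(?i)(?:[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr)|This is (an|a)? exploit from < ?a|PHP ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass)" \
    "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Backdoor access',id:'390149',rev:4,severity:'2'"

#ASP sigs
# Lower-cased (theAct/thePath/pageName/AppFileExplorer/showUpload) because the
# default t:lowercase applies here; the mixed-case original never matched.
# NOTE: id 390150 is also used by the spamtool rule below (see header caveat).
SecRule REQUEST_URI "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
    "id:390150,rev:5,severity:2,msg:'Rootkit attack: ASP rootkit attempt'"

# The rules from here to the spamtool rule have no id: action and inherit
# every action from SecDefaultAction (deny with 403 in phase 2).

#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#generic suntzu payload
# "himaster" lower-cased so it survives the default t:lowercase.
SecRule REQUEST_URI|ARGS "(?:himaster\!\<\?php system\(|error_reporting\(.*\)\;if\(isset\(.*\)\)\{system|help_text_vars\.php\?suntzu=)"

#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

#some broken attack program
# Lower-cased so it survives the default t:lowercase.
SecRule REQUEST_URI|REQUEST_BODY "_@@rndstr@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"

#wormsign sigs
# "$_request" lower-cased so it survives the default t:lowercase.
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_request\[\"|if \(get_magic_quotes_gpc\()"

#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"

#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"

# Response-body fingerprint of a known spam tool. Runs with t:none, so the
# pattern is intentionally case-sensitive.
SecRule RESPONSE_BODY "(?:Add (?:New EmailBases to Database|High prioritet emails))" \
    "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Possible spamtool installed on system',id:'390150',severity:'2'"

# Per-location exclusions for applications known to trip the rules above.
# LocationMatch takes a regex: dots are escaped so "." does not match any
# character, and the former "chatfiles/*" (zero or more slashes, not a glob)
# is now "chatfiles/". See the PATH_INFO caveat in the file header.
<LocationMatch homeCounter\.php>
    SecRuleRemoveById 390144
    SecRuleRemoveById 390145
</LocationMatch>

<LocationMatch moderation\.php>
    SecRuleRemoveById 390148
</LocationMatch>

<LocationMatch /paadmin/file_manager\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /__utm\.gif>
    SecRuleRemoveById 390144
</LocationMatch>

<LocationMatch /administrator/index\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /ota/admin/file_manager\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /admin/shop_file_manager\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /admin/file_manager\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /modules/mod_oneononechat/chatfiles/>
    SecRuleRemoveById 390147
</LocationMatch>

<LocationMatch /fud/adm/admbrowse\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /wp-cron\.php>
    SecRuleRemoveById 390147
</LocationMatch>

<LocationMatch /admin/mods/easymod/easymod_install\.php>
    SecRuleRemoveById 390149
</LocationMatch>

# (previously listed twice; the duplicate block has been dropped)
<LocationMatch /e107_plugins/autogallery/autogallery\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /alfresco/scripts/onload\.js>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /assets/Files/who/>
    SecRuleRemoveById 390147
</LocationMatch>

<LocationMatch /forum/viewtopic\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /setup/>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /administrator/index2\.php>
    SecRuleRemoveById 390149
</LocationMatch>

<LocationMatch /sales/soap\.php>
    SecRuleRemoveById 390149
</LocationMatch>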