Filename :
modsec2.liquidweb.conf
### EA4 Modsec2 rules v0.7-12 ###
#RRosson / Secteam 18 Feb 2022
## DO NOT MAKE DIRECT MODIFICATIONS TO THIS FILE.
# Changes to this file may be over-written by future upgrades to mod_security rules.
# If you need to whitelist rules, please use /etc/apache2/conf.d/modsec2/whitelist.conf
# Custom additional rules may be added to /etc/apache2/conf.d/modsec2/custom.conf
# As of mod_security 2.7, all custom rules must include a numeric ID.
# custom.conf and whitelist.conf will not be over-written by future updates to this ruleset.
# Feel free to contact Liquidweb support for assistance with any necessary whitelisting.

# PCRE can be set here, since nobody should have a version prior to modsec2.5 on EA4
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
# NOTE(review): all three working directories point at the shared /tmp. SecDataDir
# backs the persistent "ip" collection used by the brute-force rules further down;
# a directory owned by the Apache user and not shared with other local users is the
# usual recommendation -- confirm against this host's layout before changing.
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
# Body inspection is needed for every REQUEST_BODY / ARGS / FILES rule in this file.
# NOTE(review): SecRuleEngine is not set anywhere in this file; presumably the
# including modsec2.conf turns it on -- verify, otherwise nothing below is enforced.
SecRequestBodyAccess On

## Included configs ##
Include "/etc/apache2/conf.d/modsec2/custom.conf"
Include "/etc/apache2/conf.d/modsec2/rootkits.conf"

#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 2.0 and above only
#--------------------------------
#start rules
#--------------------------------

###BLACKLIST###
# NOTE(review): every rule from here down to the SecDefaultAction line in the
# "Configure for your site" section precedes that directive. As I read the
# ModSecurity 2 reference a rule inherits only a SecDefaultAction that appears
# before it, so unless the including configuration already set one these rules
# fall back to the engine default (log, pass) and do not block. Confirm against
# the audit log before relying on them.
SecRule REQBODY_PROCESSOR_ERROR_MSG "Generic blacklisted items." "t:lowercase,id:5000001"
# Plain substring matches on the request URI; no transformation is applied, so
# these are case-sensitive and see the URI as sent (not URL-decoded).
SecRule REQUEST_URI "/bin/sh" "id:2000002"
SecRule REQUEST_URI "/bin/bash" "id:2000003"
SecRule REQUEST_URI "/var/spool" "id:2000007"
SecRule REQUEST_URI "/dev/shm" "id:2000008"
SecRule REQUEST_URI "/var/tmp" "id:2000009"
SecRule REQUEST_URI "/bin/ps" "id:2000010"
SecRule REQUEST_URI "udp\.pl" "id:2000012"
SecRule REQUEST_URI "pbsync" "id:2000014"
SecRule REQUEST_URI "psybnc" "id:2000016"
SecRule REQUEST_URI "myshell\.php" "id:2000018"
SecRule REQUEST_URI "msshell\.php" "id:2000019"
SecRule REQUEST_URI "phpshell" "id:2000020"
SecRule REQUEST_URI "php-shell" "id:2000021"
SecRule REQUEST_URI "r57shell" "id:2000022"
SecRule REQUEST_URI "r57\.txt" "id:2000023"
SecRule REQUEST_URI "c99shell" "id:2000024"
SecRule REQUEST_URI "a\.out" "id:2000025"
SecRule REQUEST_URI "dc\.pl" "id:2000026"
SecRule REQUEST_URI "bdpl" "id:2000032"
# Process this first due to frequency of hits.
# xmlrpc with both no UA and no referrer. This can be whitelisted but it will remove some DoS protections.
# It's Better to have the customer POST to xmlrpc with a referrer or user agent.
# Even dummy characters in one of those HTTP headers will get them past this rule.
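# xmlrpc.php requests that carry neither a Referer nor a User-Agent header.
# Explicit deny, so this one does not depend on SecDefaultAction.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000228,chain,msg:'xmlrpc DoS attempt'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

### User-Agent Rules ##
# NOTE(review): the User-Agent matches below are plain case-sensitive substrings
# unless a rule carries t:lowercase itself; a trivially changed UA string evades
# them, so treat these as noise reduction rather than a security boundary.
#Comment spam header line
SecRule REQUEST_HEADERS "x-aaaaaa" "id:2000035"
SecRule REQUEST_BODY "X-AAAAAA" "id:2000036"
#check for bad meta characters in User-Agent field
#SecRule HTTP_User-Agent ".*\'"
#XSS in the UA field
SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" "id:2000037"
#PHP code injection attack
SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" "id:2000038"
#recursion attack in UA field
SecRule HTTP_User-Agent "/\.\./" "id:2000040"
#May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"
#A friendly little exploit banner for a WP vuln
SecRule HTTP_User-Agent "Wordpress Hash Grabber" "id:2000050"
#Blocks scripts
SecRule HTTP_User-Agent "lwp" "id:2000051"
#Web leaches
SecRule HTTP_User-Agent "Web Downloader" "id:2000052"
SecRule HTTP_User-Agent "WebZIP" "id:2000053"
SecRule HTTP_User-Agent "WebCopier" "id:2000054"
SecRule HTTP_User-Agent "Webster" "id:2000055"
SecRule HTTP_User-Agent "WebStripper" "id:2000057"
SecRule HTTP_User-Agent "Black Hole" "id:2000060"
SecRule HTTP_User-Agent "SiteSnagger" "id:2000061"
SecRule HTTP_User-Agent "CheeseBot" "id:2000063"
#Bogus Mozilla UA lines
SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$" "id:2000064"
#Bogus IE UA line
SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$" "id:2000066"
#Nessus Vuln scanner UA
SecRule HTTP_User-Agent "Mozilla.*Nessus" "id:2000068"
#Nikto vuln scanner UA
SecRule HTTP_User-Agent "nikto" "id:2000069,t:lowercase"
#BAd/Bogus UAs
SecRule HTTP_User-Agent "Indy Library" "id:2000070"
SecRule HTTP_User-Agent "Faxobot" "id:2000071"
SecRule HTTP_User-Agent "SAFEXPLORER TL" "id:2000072"
#Spam spinder UAs
SecRule HTTP_User-Agent "fantomBrowser" "id:2000073"
SecRule HTTP_User-Agent "fantomCrew Browser" "id:2000074"
#e-mail collectors and spammers
SecRule HTTP_User-Agent "WebEMailExtractor" "id:2000081"
SecRule HTTP_User-Agent "Advanced Email Extractor" "id:2000084"
SecRule HTTP_User-Agent "EmailSiphon" "id:2000085"
SecRule HTTP_User-Agent "Extractorpro" "id:2000086"
SecRule HTTP_User-Agent "webbandit" "id:2000087"
SecRule HTTP_User-Agent "EmailCollector" "id:2000088"
SecRule HTTP_User-Agent "EmailWolf" "id:2000090"
#collectors
SecRule HTTP_User-Agent "autoemailspider" "id:2000096"
SecRule HTTP_User-Agent "grub crawler" "id:2000098"
#spam bots
SecRule HTTP_User-Agent "DTS Agent" "id:2000100"
SecRule HTTP_User-Agent "POE-Component-Client" "id:2000101"
SecRule HTTP_User-Agent "WISEbot" "id:2000102"
SecRule HTTP_User-Agent "^Shockwave Flash" "id:1000001"
#comment spam sign
SecRule HTTP_User-Agent "compatible \; MSIE" "id:2000104"
#Some regexps to catch silly bots
# NOTE(review): the negated URI pre-filter below ends in ".txt1" and escapes the
# alternation as "\|"; both look accidental but the intent is not recoverable
# from this file -- confirm with the rule's author before touching it.
SecRule REQUEST_URI "!/ps(zones\|comp).txt1" "chain,id:2000105"
SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" "id:2000269"
SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$" "id:2000270"
#bogus amiga UA
SecRule HTTP_User-Agent "Amiga-AWeb/3\.4" "id:2000109"
#recently caught sending spam referrals, from their actual crawler IP
SecRule HTTP_User-Agent "BecomeBot" "id:2000112"
#WebvulnScan
SecRule HTTP_User-Agent "WebVulnScan" "id:2000116"
#broken spam tool
SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" "id:2000117"
#fake UA
SecRule HTTP_User-Agent "Windows-Update-Agent" "id:2000119"
# Bad Spider
SecRule HTTP_User-Agent "hl_ftien_spider" "id:2000121"
# PMAFind
SecRule HTTP_User-Agent "PMAFind" "id:2000122"
# Web Scanners
SecRule HTTP_User-Agent "Morfeus Fucking Scanner" "id:2000124"

# Configure for your site
# Transformatoins in default action are deprecated as of modsec 2.7.0. Lowercase is set by default according to modsec docs.
# SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# From this line on, any rule without its own disruptive action denies with a 500.
# Rules above this line do not inherit it (see the note at the top of the blacklist).
SecDefaultAction "log,deny,phase:2,status:500"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# NOTE(review): this rejects every request carrying a Transfer-Encoding header,
# including ordinary chunked uploads from modern clients. The rationale in the
# "chunked" comment below predates current ModSecurity 2 body handling; confirm
# the rule is still wanted before any client with chunked POSTs is onboarded.
SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
#deny TRACE method
SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#XSS insertion into headers
SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "/\.\./" "t:urldecode"
#Ban same path BS
SecRule REQUEST_URI "/forum/\./" "id:1110001"
#Generic remote include Injection.
SecRule REQUEST_URI "\.php\?.*option=(http|https|ftp)\:\/" "id:2000129"
SecRule REQUEST_URI "\.php\?.*ROOTDIR=(http|https|ftp)\:\/" "id:2000132"
SecRule REQUEST_URI "\.php\?.*Config_absolute_path=(http|https|ftp)\:\/" "id:2000133"
SecRule REQUEST_URI "\.php\?.*baseDir=(http|https|ftp)\:\/" "id:2000137"
SecRule REQUEST_URI "\.php\?.*config\[root_dir\]=(http|https|ftp)\:\/" "id:2000139"
#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "t:urldecode,id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#generic XSS PHP attack types
SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecRule REQUEST_BODY|REQUEST_URI "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body\.innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"

#Prevent SQL injection in cookies
# Rule 300011 applies t:lowercase before matching, and @rx is case-sensitive, so
# the second alternative must be spelled in lowercase to ever match (the previous
# "UNION SELECT ... INTO ... FROM" form could not fire). This mirrors the
# User-Agent variant in rule 300012.
SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|union select.*\'.*\'.*,[0-9].*into.*from)" "id:300011,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd=" "id:2000143,t:lowercase"
#Prevent SQL injection in UA
SecRule HTTP_USER-AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|union select.*\'.*\'.*,[0-9].*into.*from)" "id:300012,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult
# to prevent false postives and negatives.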
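# Pplease report false positives/negatives to mike@gotroot.com
# Generic SQLi on URI/body, with a negated URI pre-filter for known editor/admin paths.
# NOTE(review): t:lowercase is set only on the first rule of this chain; the second
# rule inherits no transformation, so its "UNION SELECT ... INTO ... FROM" branch
# only matches upper-case input while the other branches only match lower-case.
# That is probably unintended -- confirm before changing, since it widens matches.
SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic SQL sigs
SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,t:lowercase,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)"
#Generic SQL sigs
SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Generic SQL sigs
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Meta character SQL injection
SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)" "id:380015,rev:1,t:lowercase,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

#Generic command line attack filter
#Too Generic, Removed.
#SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS compress\.zlib: "id:2000144"

#Generic XSS filter
#please report false positives
SecRule REQUEST_URI "!/mt\.cgi" "chain,id:2000145,rev:1,severity:2,msg:'xss'"
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#Als test XSS rule
SecRule REQUEST_URI "!/mt\.cgi" "chain,id:2000146,rev:1,severity:2,msg:'xss'"
SecRule REQUEST_URI|REQUEST_BODY "<*(script|about|applet|activex|chrome)[[:space:]]*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER-AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" "id:2000147"
#Extra of the above with whitespace moved
SecRule HTTP_REFERER|HTTP_USER-AGENT "<*(script|about|applet|activex|chrome)[[:space:]]*>.*(script|about|applet|activex|chrome)[[:space:]]*>" "id:2100147"

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" "chain,id:2000148"
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" "chain,id:2000150"
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" "chain,id:2000151"
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" "chain,id:2000152"
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" "chain,id:2000153"
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/" "id:2000154"
#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|" "id:2000155"

#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" "chain,id:2000156"
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" "chain,id:2000157"
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)=" "id:2000158"
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" "id:2000159"
#Bogus file extensions generic signature
SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" "id:2000160"
#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" "id:2000161"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/" "id:2000162"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" "id:2000163,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" "chain,id:2000164,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20-a"
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)" "id:2000264,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow" "id:2000166"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps" "id:2000167"
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" "chain,id:2000171,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS gcc command attempt
# The second rule of this chain previously read "x20-o" (no backslash), which is
# the literal text x20-o rather than a space followed by -o; every sibling chain
# here uses "\x20...". Fixed so the chain matches the pattern it was written for.
SecRule REQUEST_URI "gcc" "chain,id:2000173,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20-o"
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" "chain,id:2000178,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl" "id:2000183,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" "chain,id:2000187,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf" "id:2000189"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd" "id:2000190"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf" "id:2000191"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd" "id:2000192"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd" "id:2000193"
# WEB-MISC ls%20-l
# NOTE(review): "ls" is an unanchored substring (it also occurs in "tools", "details"
# etc.), so this chain fires on any such URI that also contains an encoded " -l".
SecRule REQUEST_URI "ls" "chain,id:2000196,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////" "id:2000197"
#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB=" "id:2000198"
#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" "chain,id:2000200,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
#PHP defenses
# NOTE(review): these session-id whitelists only allow lower-case hex/alnum; PHP can
# be configured to emit upper-case characters in session ids, which would then be
# denied -- confirm against the PHP session settings in use on this host.
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" "id:2000201"
#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)" "id:2000202"
#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" "id:2000203"
#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$" "id:2000204"
#These are VERY experiemental, please report false positives/negatives, etc.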
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000307,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000208"
#very experimental connect command sig
# NOTE(review): "(rs)sh" matches only the literal "rssh"; the sibling rules spell
# this "(s|r)(cp|sh)", so "(r|s)sh" was probably intended -- confirm before changing.
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "id:2000209"
#Commands, also need a major rework, these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" "id:2000210,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" "id:2000215,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI "cd \.\." "id:2000216"
SecRule REQUEST_LINE "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" "id:2000217"
#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" "chain,id:2000218"
SecRule REQUEST_URI "fopen"
#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)" "id:2000219"
SecRule ARGS_NAMES "^php:/" "id:2000220"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=" "id:2000223"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" "id:2000233"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\(" "id:2000234"
#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" "id:2000235"
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" "chain,id:2000236,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
#Apache /server-info accessible
# NOTE(review): the loopback check uses REMOTE_ADDR; behind a reverse proxy or CDN
# that is the proxy's address, not the client's -- confirm the deployment topology.
SecRule REQUEST_URI "/server-info" "chain,id:2000237"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" "chain,id:2000238"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/" "id:2000239"
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" "chain,id:2000240"
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;" "id:2000241"
SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;" "id:2000242"
#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/" "id:2000246"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" "id:2000247"
SecRule REQUEST_URI "/index\.php\?libDir=http://" "id:2000248"
#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)" "id:2000252"
#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY "<\?php" "chain,id:2000254"
SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)"
#HTTP header PHP code injection attacks
SecRule HTTP_CLIENT_IP|HTTP_USER-AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" "id:2000256"
#Generic PHP avatar upload exploits
SecRule REQUEST_URI "\.php" "chain,id:2000260"
SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"
#Fake image file shell attack
# NOTE(review): "chr\(" anywhere in any request body is a very broad trigger (it
# also appears in legitimate pasted source code); expect false positives on
# developer-facing forms.
SecRule REQUEST_BODY "chr\(" "id:2000262"
#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" "chain,id:2000263"
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" "id:2000265"
#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" "id:2000266"
#flashchat vulnerability
SecRule REQUEST_URI "\.php\?dir\[inc\]=http\:/" "id:5000204,msg:'flashchat vuln. patch'"

#Joomla rules
SecRule REQUEST_URI "controller=" "chain,id:5000205"
SecRule REQUEST_URI "(/tmp|/proc|/dev)"
#More Joomla rules, eval code in HTTP user agent or referring URL
SecRule HTTP_REFERER "eval\(base64.*" "id:5000206,t:lowercase,msg:'eval(base64 code in HTTP Referer'"
SecRule HTTP_User-Agent "eval\(base64.*" "id:5000207,t:lowercase,msg:'eval(base64 code in user agent field'"
#Timthumb!
SecRule REQUEST_URI "/(timthumb|thumb|_tbs)\.php\?src=.*(flickr|staticflickr|picasa|img\.youtube|upload\.wikimedia|photobucket|imgur|imageshack|tinypic)\.(com|org|us)\..*\.(com|ca|com\.au|org|net|jp|gov|info|us|co\.uk)/.*\.(txt|php|php3|php4|php5)" "id:5000200,t:lowercase,msg:'Timthumb Exlpoit Attempt Detected'"
#Symlinks
SecRule REQUEST_URI "/sym/(root|.*txt)" "id:5000201,msg:'Symlink Exlpoit Attempt Detected'"
SecRule REQUEST_URI "/sym/.*/home/" "id:5000202,msg:'Symlink Exlpoit Attempt Detected'"
#zencart
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php\?action=insert.*" "id:5000203,msg:'Zencart Exlpoit Attempt Detected'"

# Fix duo sec WP logins
# The two "pass" rules below skip over the wp-login null-argument check (rule
# 5000214) for Duo and OneLogin flows: skip:2 jumps past the OneLogin rule and the
# 5000214 chain, skip:1 past the chain alone. Keep the three rules adjacent, and
# adjust the skip counts if anything is inserted between them.
SecRule REQUEST_BODY "duo_wordpress|sig_response" "t:lowercase,id:5100214,pass,phase:2,skip:2"
# Fix onelogin.com WP logins
SecRule REQUEST_HEADERS:Referer "onelogin.com" "t:lowercase,id:5200214,pass,phase:2,skip:1"
# Reject WP logins when wp-submit and action are both null.
SecRule REQUEST_FILENAME "wp-login\.php" "phase:2,deny,log,status:402,t:lowercase,chain,id:5000214"
SecRule REQUEST_METHOD "^post$" chain,t:lowercase
SecRule &ARGS:wp-submit "@eq 0" chain,t:urlDecodeUni,t:lowercase
SecRule &ARGS:action "@eq 0" t:urlDecodeUni,t:lowercase
#Block WP logins with no referring URL
<Locationmatch "/wp-login.php">
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>

<IfModule !ruid2_module>
<IfModule !mpm_itk_module>
# Put DBM rules here (ones that use initcol/collections and setvar/counter functions).
# Wordpress Brute Force detection
# The "ip" collection is keyed on REMOTE_ADDR and persisted under SecDataDir.
# NOTE(review): behind a reverse proxy or CDN REMOTE_ADDR is the proxy address, so
# all clients would share one counter and one block -- confirm the topology.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# NOTE(review): the counter increment sits on the first rule of this chain. If
# non-disruptive actions on a chain starter run as soon as that rule matches (as I
# understand ModSecurity 2 to do), every 200 response for wp-login.php -- including
# GETs of the form -- bumps the counter, while only POSTs can set the block flag.
# Verify with the debug log; if so, move the setvar onto the POST rule.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule REQUEST_METHOD "POST" "chain"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
</IfModule>
</IfModule>
# End DBM rules

#Block WP theme edits with no referring URL
<Locationmatch "/theme-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000140,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>
<Locationmatch "/plugin-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000141,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>
#Joomla malicous code execution. Dvmessages should not have a c_id parameter.
<Locationmatch "/dvmessages.php">
SecRule QUERY_STRING "c_id" "deny,status:500,id:5000217,msg:'dvmessages code exec'"
</Locationmatch>
#Joomla com_jce exploit
SecRule HTTP_User-Agent "BOT for JCE" "deny,status:500,id:5000218,msg:'Joomla com_jce code exec'"
#Joomla com_jce exploit
SecRule REQUEST_URI "/images/stories/.+\.php" "deny,status:500,id:5000219,msg:'Joomla com_jce code exec'"
#http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html
SecRule REQUEST_URI "/images_(comingsoon|lncthumbs|optbuttons)/.+\.php" "deny,status:500,id:5000220,msg:'optimizepress vuln'"
#Fix for Joomla com_jnews, http://www.securityfocus.com/bid/37314/exploit
# No explicit disruptive action: inherits deny/500 from SecDefaultAction above.
SecRule REQUEST_URI "ofc_upload_image.php" "id:5000221,chain"
SecRule QUERY_STRING "name=.*\.php" "t:lowercase"

#Deny POST to / with no referrer, safe for cust use. OK to whitelist if needed, but whitelisting this will remove certain DoS protections.
#Revised to allow PayPal IPN user agent.
# NOTE(review): the PayPal exemption is a case-insensitive User-Agent substring,
# which any client can present; it is a convenience carve-out, not authentication.
SecRule REQUEST_URI "^\/$" "deny,status:401,id:5000222,chain,msg:'/ POST blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule HTTP_User-Agent "!paypal ipn" "t:lowercase"
# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"
# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"
# Fake Joomla Plugin, stop scans / DoS attacks
SecRule REQUEST_URI "mod_araticlhess" "deny,id:5000225,t:lowercase,msg:'Access to fake plugin, if this plugin actually exists the site is hacked.'"

# JOOMLA Virtual patch for:
# trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
SecRule QUERY_STRING "com_contenthistory" "t:lowercase,t:urldecode,deny,status:406,id:5001225,chain"
SecRule QUERY_STRING "(select.+from|list.select)" "t:lowercase,t:urldecode"
# Additional Joomla patch based on https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
SecRule REQUEST_BODY "com_contenthistory" "chain,t:lowercase,deny,status:406,id:5001226"
SecRule REQUEST_BODY "(select.+from|list.select)" "t:lowercase"
# CGI-BIN PHP code exec scans
SecRule QUERY_STRING "safe_mode=off" "deny,id:5000226,t:urldecode,msg:'blocked generic PHP code exec scans'"
# Bogus UA for xmlrpc
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000227,chain,msg:'xmlrpc DoS attempt'"
SecRule HTTP_User-Agent "WinHttp.WinHttpRequest.5"
# Fix for wysija newsletters (Mail Poet).
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "wp-admin/admin-post\.php\?page=wysija_campaigns&action=themes" "deny,id:5000229"
# Stop-gap Fix for custom-contact-forms hacks
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "custom-contact-forms/import/.*\.sql\.php" "deny,t:lowercase,t:normalisePath,id:5000230"
# Fix for revslider http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
SecRule QUERY_STRING "revslider_show_image.*&img=.*(\.php|\.my.cnf|\.bash|wp-config)" "deny,t:lowercase,id:5000231"
SecRule REQUEST_URI "noid-mailpolet\.php" "deny,id:5001000"
SecRule REQUEST_URI "resvlide.php" "deny,id:5001001"
# RevSlider rules for new shell upload vuln. This will still allow the inital malware uploads into
# wp-content/plugins/revslider/temp/update_extract/revslider/ but will deny access to the malicious files
# this should stop actual compromise of the site, rendering the uploaded malware useless to code inject the site
# Please inform secteam if this stops any legitimate updates, as it should not inhibit them.
SecRule REQUEST_URI "/temp/update_extract/revslider/.+\.php" "deny,t:lowercase,id:5000232,msg:'RevSlider shell upload attempt'"
SecRule REQUEST_URI "/revslider/temp/update_extract/.+\.php" "deny,t:lowercase,id:5001232,msg:'RevSlider shell upload attempt'"
# Fix for Gravity Forms shell upload.
SecRule REQUEST_URI "wp-content" "chain,deny,id:5001002,msg:'gravity forms shell upload attempt'"
SecRule REQUEST_URI "_input_.*p(hp|html)" "t:lowercase"
# Fix for https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html
SecRule REQUEST_URI "genericons/example.html" "deny,id:5001003"
# Fix for https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
SecRule ARGS:action "grunion-contact-form" "t:urldecode,t:lowercase,id:5001004,deny,status:411,chain"
SecRule ARGS "\/\*\*\/|\&\#" "t:urldecode"
# Fixes for script kiddy Drupal injections
# Please inform secteam of any false positives.
SecRule REQUEST_URI "/user/login/" "deny,t:lowercase,id:5000233,chain,msg:'drupal exploit attempt'"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"
SecRule QUERY_STRING "q=node" "deny,t:lowercase,t:urldecode,id:5000234,chain,msg:'drupal exploit attempt'"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"
# Block malicious CN user agent
SecRule HTTP_User-Agent "Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; zh-CN; rv:1\.7\.6\)" "deny,id:5000235"
# Block HEAD requests from Typhoeus
SecRule REQUEST_METHOD "HEAD" "id:5000236,chain,msg:'Blocking bad Typhoeus UA'"
SecRule HTTP_User-Agent "Typhoeus"

# Ongoing fixes for bash issue, CVE-2014-6271. Please inform akwiecinski of any suspected false positives.
# These run in phase 1 (headers) so a match is rejected before the body is read.
# Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:5000300,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
# SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:5000301,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
# GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:5000303,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
# Botnet posing as Googlebot Nov 18 2015
SecRule QUERY_STRING "cookie=1" "deny,t:lowercase,id:5000305,chain,msg:'base64 encoded eval statement from fake googlebot'"
SecRule HTTP_User-Agent "googlebot" "t:lowercase,chain"
SecRule ARGS "eval\(" "t:none,t:base64Decode"
# Joomla 0day Dec 14 https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
# No explicit disruptive action on these two: they inherit deny/500 from SecDefaultAction.
SecRule HTTP_User-Agent "jdatabasedrivermysql" "t:lowercase,t:urldecode,id:5000306"
SecRule HTTP_User-Agent "{s:" "t:urldecode,id:5000307"
# New LFI WP protection
SecRule REQUEST_BODY "mysite_download_skin" "t:lowercase,id:5000308,chain"
SecRule REQUEST_BODY "wp-config\.php"
# Protections for JOOMLA CVE-2016-8870 and CVE-2016-8869
SecRule ARGS:name "\.pht$" "deny,id:5000309,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"
SecRule ARGS:filename "\.pht$" "deny,id:5000310,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"
SecRule FILES "\.pht$" "deny,id:5000311,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.'"
# Protections for wp-mobile-detector
# See https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
SecRule REQUEST_URI "wp-mobile-detector/cache/.+\.php" "deny,id:5000312,t:lowercase"
SecRule REQUEST_URI "wp-mobile-detector/resize.php" "deny,chain,id:5000313"
SecRule REQUEST_BODY "src=.+\.php" "t:urldecode,t:lowercase"
# Protections
for 'realstatistics' hack # See https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html SecRule QUERY_STRING "option=com_tags" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000314" SecRule REQUEST_BODY "(JDatabaseDriverMysql|base64_decode)" SecRule REQUEST_URI "/modules/cache\.uniq.+\.php" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000315" SecRule REQUEST_METHOD "POST" # Detection for https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html SecRule REQUEST_URI "wp-content/uploads/ultimatemember/temp/.+\.php" "deny,id:5000316,msg:'ultimatemember plugin attack',t:lowercase" # Mitigate vBulletin 5.x command injection. See: # SOS-1344 # https://seclists.org/fulldisclosure/2019/Sep/31 # https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html SecRule ARGS:routestring "ajax/render/widget_php" "phase:2,id:4044036,t:none,auditlog,deny,chain" SecRule ARGS_NAMES "widgetConfig\[code\]" # Low risk of false positive SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000320" SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase" # Some possibility of false positive; whitelist if needed. 
SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000321" SecRule ARGS:/subwidgets[\d+][template]/ "widget_php" "t:lowercase,chain" SecRule ARGS_NAMES "subwidgets\[\d+]\[config\]\[code\]" "t:lowercase" # POC 2 - low risk of false positive https://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000322" SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase" # Some possibility of false positive; whitelist if needed. SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000323" SecRule ARGS_NAMES "widgetconfig\[code\]" "t:lowercase" # Mitigate CVE-2020-12720 via stricter SQLi threshold SecRule REQUEST_URI "ajax/api/content_infraction/getIndexableContent" "phase:2,id:'4044043',auditlog,t:none,t:urlDecode,deny,chain" SecRule ARGS_NAMES "nodeId\[nodeid\]" # Block probable backdoor attempts in vBulletin backend SecRule REQUEST_URI "ajax/api/widget/saveAdminConfig" "phase:2,id:'4044044',t:none,auditlog,deny,chain" SecRule ARGS:data[code] "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" ## whitelist ## Include "/etc/apache2/conf.d/modsec2/exclude.conf" Include "/etc/apache2/conf.d/modsec2/whitelist.conf"