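# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
#
# Legacy-style signature set: each SecRule only supplies its variables, a
# regex (default @rx operator), t:lowercase and an id. Phase, disruptive
# action and logging are inherited from SecDefaultAction, which is not set
# in this file; its transformation list is prepended to t:lowercase.
#
# Caveats for anyone tuning this file:
#  - Patterns are matched after t:lowercase, so any upper-case character in
#    a regex can never match (two such rules are fixed below).
#  - Only the first rule of chain 390144 URL-decodes; the plain rules match
#    REQUEST_URI as sent, so unless SecDefaultAction already applies
#    t:urlDecodeUni, encoded variants such as %3F for "?" or %2E for "."
#    slip past them — consider adding t:urlDecodeUni before t:lowercase.
#  - Rules that inspect REQUEST_BODY need SecRequestBodyAccess On.
#  - Rule ids: 390144-390145 (RFI chains) and 3000005-3000087 (fixed
#    strings). Ids are kept stable so SecRuleRemoveById references work.

# Generic RFI: any parameter value of the form =http://host/file.ext? (an
# optional space before the "?" is tolerated). The first rule of the chain
# only excludes Horde's redirector; the chained second rule does the match.
# NOTE: transformations are per-rule in 2.x chains — the decode/lowercase on
# the exclusion rule does not carry over to the pattern rule that follows it.
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?"

# NOTE(review): 390145 is a strict subset of 390144 (same pattern without the
# optional space), so every hit here also fires 390144; kept for id stability.
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\?"

# cse/cmd droppers disguised with a data/image extension. 3000005 wants a
# "?" after the name (URI only); 3000006 wants a trailing space (URI or body).
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|php|asp)\?" "t:lowercase,id:3000005"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|php|asp) " "t:lowercase,id:3000006"

# cmd backdoors taking their command as the second query parameter
SecRule REQUEST_URI "/cmd\?&(command|cmd)=" "t:lowercase,id:3000009"
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" "t:lowercase,id:3000010"
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" "t:lowercase,id:3000011"

# Named shells with a command parameter.
# NOTE(review): the "." between the extension group and "\?" is unescaped and
# matches any single character; presumably a typo for "\." or nothing at all
# (compare 3000013) — confirm before tightening, as it changes what matches.
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|png|sh|txt|bmp|js|htm|html|tmp|php|asp).\?&(cmd|command)=" "t:lowercase,id:3000012"
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|nmap|asc|lila)\.(c|dat|gif|jpe?g|png|sh|txt|bmp|js|htm|html|tmp|php|asp)\?" "t:lowercase,id:3000013"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" "t:lowercase,id:3000015"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)" "t:lowercase,id:3000017"

#Generic remote perl execution with .pl extension ("perl x.pl;" or "; perl x.pl")
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;" "t:lowercase,id:3000021"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl" "t:lowercase,id:3000022"

#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)=" "t:lowercase,id:3000027"
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php" "t:lowercase,id:3000028"

#New kit: payloads staged under a hidden .dump directory
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)" "t:lowercase,id:3000029"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)" "t:lowercase,id:3000030"

#new kit
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)=" "t:lowercase,id:3000031"

#suntzu (also checked in the Content-Disposition header of uploads)
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" "t:lowercase,id:3000032"

#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" "t:lowercase,id:3000034"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypotting, etc.
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" "t:lowercase,id:3000037"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" "t:lowercase,id:3000038"
SecRule REQUEST_URI "/phpterm" "t:lowercase,id:3000039"

#new unknown kits
SecRule REQUEST_URI "/go\.php\.txt\?" "t:lowercase,id:3000043"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000044"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000045"

#new kit (c99 shell fetched as a .txt include)
SecRule REQUEST_URI "/c99shell\.txt" "t:lowercase,id:3000054"
SecRule REQUEST_URI "/c99\.txt\?" "t:lowercase,id:3000055"

#remote bash shell
# NOTE(review): matches "&cmd=" rather than "?cmd=", i.e. shell.php passed as
# an include value followed by a second parameter; 3000057 repeats the check
# on decoded ARGS.
SecRule REQUEST_URI "/shell\.php\&cmd=" "t:lowercase,id:3000056"
SecRule ARGS "/shell\.php\&cmd=" "t:lowercase,id:3000057"

#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd=" "t:lowercase,id:3000058"

#generic suntzu payload (PHP source of the backdoor itself, in URI or body)
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system" "t:lowercase,id:3000062"

#31dec
SecRule REQUEST_URI "/php\.txt\?" "t:lowercase,id:3000070"

#1 jan
SecRule REQUEST_URI "/sql\.txt\?" "t:lowercase,id:3000071"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000072"

#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm" "t:lowercase,id:3000080"
SecRule REQUEST_URI "/r57en\.php" "t:lowercase,id:3000081"

#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)" "t:lowercase,id:3000082"

#generic shell
SecRule REQUEST_URI "shell\.txt" "t:lowercase,id:3000083"

#bad scanner (DFind probe). Pattern is lower-cased here because the rule
# lower-cases the input first: the original "ISC.SANS.DFind" could never match.
SecRule REQUEST_URI "w00tw00t\.at\.isc\.sans\.dfind" "t:lowercase,id:3000084"

#wormsign: PHP source reading its command from $_REQUEST. As above, the
# superglobal is written lower-case to match the lower-cased body.
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_request\[\"|if \(get_magic_quotes_gpc\()" "t:lowercase,id:3000085"

#New SQL attack seen (schema enumeration via information_schema)
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables" "t:lowercase,id:3000086"

#New SQL attack seen (blind injection comparing user() against char() strings)
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)" "t:lowercase,id:3000087"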