# both.conf # Mitigation for a timthumb exploit described at http://seclists.org/fulldisclosure/2014/Jun/117 # Trac 7313 SecRule ARGS:src "(:?\$\(|`).*(:?\)|`)" \ "chain,deny,log,auditlog,status:406,\ msg:'ARGS:src contains shell special characters',id:'13055',\ tag:'WEB_ATTACK/SHELL ACCESS',severity:'4',\ t:none,t:htmlEntityDecode,t:urlDecode" SecRule &ARGS:webshot "@gt 0" # Stop requests to known hack scripts SecRule REQUEST_URI "/plugins/system/infophp.php" \ "log,deny,status:406,auditlog,id:13923,rev:1,severity:3,\ msg:'Access to known hack script',\ tag:'WEB_ATTACK/SHELL ACCESS'" # Stop requests to a known DoS script SecRule ARGS:action "(udp|tcp|syn|http)" "t:lowercase,log,deny,auditlog,\ id:13924,deny,status:406,severity:3,msg:'Access to known hack script',\ tag:'WEB_ATTACK/SHELL ACCESS',chain" SecRule ARGS_NAMES "host" "t:lowercase,chain" SecRule REQUEST_URI "online\.php" "t:lowercase" # Stop requests to known shells SecRule REQUEST_URI "/w[0-9][0-9]+w*\.php" \ "log,deny,status:406,auditlog,id:13929,rev:1,severity:3,\ msg:'known php shell',\ tag:'WEB_ATTACK/SHELL ACCESS'" SecRule REQUEST_URI "/sm[0-9]+rk[0-9]+\.php" \ "log,deny,status:406,auditlog,id:13930,rev:1,severity:3,\ msg:'known php shell',\ tag:'WEB_ATTACK/SHELL ACCESS'" # Blocks request to hacks in the bluestork admin template folder, a common Joomla hack payload SecRule REQUEST_URI "administrator/templates/bluestork/((indx|stph|stcp|start|startphp)\.php|(run|f1)\.pl)" \ "deny,log,auditlog,status:406,id:'13999',\ t:none,t:lowercase,t:htmlEntityDecode,t:removeWhitespace,\ msg:'Joomla Admin bluestork theme exploits',\ tag:'WEB_ATTACK/SHELL EXPLOIT',severity:'4'" # Stop requests to l_backuptoster.php SecRule REQUEST_URI "/l_backuptoster.*\.php" \ "log,deny,status:406,auditlog,id:13582,rev:1,severity:3,\ msg:'l_backuptoster.php spam script',\ tag:'WEB_ATTACK/SPAMBOT'" # No posts to dvmessages\.php SecRule REQUEST_METHOD "POST" \ "chain,deny,log,auditlog,status:406,\ msg:'POST to dvmessages.php',id:'13068',\ tag:'WEB_ATTACK/SHELL ACCESS',severity:'4'" SecRule REQUEST_URI "dvmessages\.php" # No posts to known hack/mailer URIs SecRule REQUEST_METHOD "POST" \ "chain,deny,log,auditlog,status:406,id:'13069',severity:'4',\ msg:'POST request to hack/mailer script',\ tag:'WEB_ATTACK/SHELL ACCESS'" SecRule REQUEST_URI "/(?:(?:components/com_content/(?:statistics[0-9A-Za-z_-]{4}|com_it|faccount)).*\.php)|(?:wp-content/mod_gogle/)" # Block known behavior for interacting with a PHP shell SecRule REQUEST_URI "/stph\.php\?.*(page|action\=(start|status))"\ "deny,log,auditlog,status:406,id:'13998',severity:'4',\ t:none,t:lowercase,t:htmlEntityDecode,t:removeWhitespace,\ msg:'stph.php shell',\ tag:'WEB_ATTACK/SHELL EXPLOIT'" # Block POSTs to mod_frosty hacks SecRule REQUEST_METHOD "POST" \ "chain,deny,log,auditlog,status:406,id:'13996',severity:'4',\ msg:'POST request to known hack',\ tag:'WEB_ATTACK/SHELL ACCESS'" SecRule REQUEST_URI "/mod_frosty/.*\.php" "t:lowercase,t:removeWhitespace" # Block POSTs to xcloner shells. PHP scripts matching [a-z0-9]{6}\.php do not exist in the plugin SecRule REQUEST_METHOD "POST" \ "chain,deny,log,auditlog,status:406,\ msg:'POST request to known hack',id:'13997',tag:'WEB_ATTACK/SHELL ACCESS',\ severity:'4'" SecRule REQUEST_URI "/(?:com_)?xcloner-backup-?and-?restore.*/[a-z0-9]{6}\.php$" # Block xmlrpc calls with specific User-Agent SecRule REQUEST_METHOD "POST" \ "chain,deny,log,auditlog,status:406,\ msg:'POST request to xmlrpc from bad User-Agent',id:'13995',tag:'WEB_ATTACK/XMLRPC',\ severity:'4'" SecRule REQUEST_URI "xmlrpc\.php" "chain" SecRule HTTP_User-Agent "Mozilla\/4\.0 \(compatible; Win32; WinHttp\.WinHttpRequest\.5\)" # Block requests to php hidden files SecRule REQUEST_URI "\/\.[a-zA-Z0-9].+\.php" \ "log,deny,status:406,auditlog,id:14203,rev:1,severity:3,\ msg:'Blocking access to hidden php files'" # Block requests to potential cryptolocker hacks SecRule REQUEST_METHOD "POST" \ "chain,log,deny,status:406,auditlog,id:14208,rev:1,severity:3,\ msg:'Blocking acccess to potential cryptolocker activation'" SecRule REQUEST_URI "\/skin\/error\.php" # Block access to known botnet scripts SecRule REQUEST_METHOD "POST" \ "chain,log,deny,status:406,auditlog,id:14209,rev:1,severity:3,\ msg:'Blocking acccess to known botnet scripts'" SecRule REQUEST_URI "\/plugins\/index\.php\?cookie=1" "chain" SecRule HTTP_USER-Agent "Mozilla\/5\.0 \(compatible\; Googlebot\/2\.1\; \+http://www.google\.com\/bot\.html\)" # ded.conf # Block access to known Fox* botnet scripts SecRule REQUEST_URI "\/[a-z]{8}\.php\?Fox\=" \ "log,deny,status:406,auditlog,id:14210,rev:1,severity:3,\ msg:'Block access to known Fox botnet scripts'"