Diffstat (limited to 'config/apache_mod_security/rules/rootkits.conf')
-rw-r--r-- | config/apache_mod_security/rules/rootkits.conf | 184 |
1 files changed, 184 insertions, 0 deletions
diff --git a/config/apache_mod_security/rules/rootkits.conf b/config/apache_mod_security/rules/rootkits.conf
new file mode 100644
index 00000000..6c460c7c
--- /dev/null
+++ b/config/apache_mod_security/rules/rootkits.conf
@@ -0,0 +1,184 @@
+# http://www.gotroot.com/mod_security+rules
+# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
+# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
+# Visit http://www.gotroot.com to download supported rules
+#
+# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rootkits.conf
+#
+# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
+# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
+# Redistribution is strictly prohibited in any form, including whole or in part.
+#
+# modsecurity is a trademark of Thinking Stone, Ltd.
+#
+# Version: N-20061022-01
+#
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+# THE POSSIBILITY OF SUCH DAMAGE.
+
+SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
+SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
+SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
+SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
+
+SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
+SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
+SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
+SecRule REQUEST_URI "/\.it/viewde"
+SecRule REQUEST_URI "/cmd\?&(command|cmd)="
+SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
+SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
+SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
+SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
+SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
+SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
+
+#Known rootkits
+SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
+SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
+SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
+SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
+
+#Generic remote perl execution with .pl extension
+SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
+SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
+
+#Known rootkit Defacing Tool 2.0
+SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
+SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
+SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
+SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
+
+#other known tools
+SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
+SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
+
+#New kit
+SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
+SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
+
+#new kir
+SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
+
+#suntzu
+SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
+
+#proxysx.gif?
+SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
+
+#phpbackdoor
+SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
+
+#new unknown kit
+SecRule REQUEST_URI "/oops?&"
+
+# known PHP attack shells
+#value of these sigs, pretty low, but here to catch
+# any lose threads, honeypoting, etc.
+SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
+SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
+SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
+SecRule REQUEST_URI "/phpterm"
+
+#Frantastico worm
+SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
+
+#new unknown kits
+SecRule REQUEST_URI "/iblis\.htm\?"
+SecRule REQUEST_URI "/gif\.gif\?"
+SecRule REQUEST_URI "/go\.php\.txt\?"
+SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/zehir\.asp"
+SecRule REQUEST_URI "/aflast\.txt\?"
+SecRule REQUEST_URI "/sikat\.txt\?&cmd"
+SecRule REQUEST_URI "/t\.gif\?"
+SecRule REQUEST_URI "/phpbb_patch\?&"
+SecRule REQUEST_URI "/phpbb2_patch\?&"
+SecRule REQUEST_URI "/lukka\?&"
+
+#new kit
+SecRule REQUEST_URI "/c99shell\.txt"
+SecRule REQUEST_URI "/c99\.txt\?"
+
+#remote bash shell
+SecRule REQUEST_URI "/shell\.php\&cmd="
+SecRule ARGS "/shell\.php\&cmd="
+
+#zencart exploit
+SecRule REQUEST_URI "/ipn\.php\?cmd="
+
+#new pattern
+SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "dsoul/tool\?"
+
+#generic suntzu payload
+SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
+SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
+SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
+
+#25dec new one
+SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
+
+#26dec new kit
+SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/vsf\.vsf\?&"
+
+#27dec
+SecRule REQUEST_URI "/scan1\.0/scan/"
+SecRule REQUEST_URI "test\.txt\?&"
+
+#30dec
+SecRule REQUEST_URI "\.k4ka\.txt\?"
+#31dec
+SecRule REQUEST_URI "/php\.txt\?"
+
+#1 jan
+SecRule REQUEST_URI "/sql\.txt\?"
+SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
+
+#22feb
+SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
+SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
+
+#24mar
+SecRule REQUEST_URI "/docLib/cmd\.asp"
+SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
+SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
+SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
+
+#some broken attack program
+SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
+SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
+
+SecRule REQUEST_URI "/r57en\.php"
+
+#c99 rootshell
+SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
+
+#generic shell
+SecRule REQUEST_URI "shell\.txt"
+
+#bad scanner
+SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
+
+#wormsign
+SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
+
+#New SEL attack seen
+SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
+
+#New SQL attack seen
+SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)" |
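Review bot: Every rule after the two chained starters (ids 390144 and 390145) carries no `id`, `phase` or disruptive action, so what they do is entirely whatever SecDefaultAction supplies, and ModSecurity 2.7 and later reject a SecRule without an `id` at config parse time, which takes the whole file — and Apache startup — down. The file's own header (Version N-20061022-01) declares the rules obsolete and unsupported, which deserves a mention in the commit rather than only inside the file. Each rule should at least carry explicit actions, e.g. `SecRule REQUEST_URI "/r57en\.php" "id:<RULE_ID_PLACEHOLDER>,phase:2,severity:2,msg:'Rootkit attack: r57 shell'"`, with ids allocated from one reserved range for this file. The suntzu rule's `HTTP_Content-Disposition` looks like 1.x variable syntax; in 2.x that header is addressed as `REQUEST_HEADERS:Content-Disposition`, so as written the rule probably never inspects the header. The two SQL rules at the end (`select.*from.*information_schema\.tables`, `and.+char\(`) are case-sensitive and carry no transformations, so unless SecDefaultAction adds `t:lowercase` and URL decoding they only match lower-case, already-decoded input.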