# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# Outbound web shell detection.
#
# Every detection rule in this file inspects RESPONSE_BODY in phase 4 (response
# body), so it can only fire when the engine actually buffers the response:
# response body access has to be enabled (SecResponseBodyAccess) and the
# response must fall within the configured body size limit and inspected MIME
# types (SecResponseBodyLimit / SecResponseBodyMimeType). Responses that the
# engine does not buffer are never seen by these rules, which is worth keeping
# in mind when a known shell is not being caught.
#
# All rules share the same action set: 'capture' makes the matched text
# available as %{TX.0} for logdata, 't:none' discards any transformation chain
# inherited from SecDefaultAction so the pattern is applied to the raw body,
# and the setvar raises tx.outbound_anomaly_score_pl1 by the critical score.
# NOTE(review): in the default CRS anomaly-scoring setup 'block' is resolved
# through SecDefaultAction and the actual blocking decision is taken later by
# the outbound evaluation rules that read tx.outbound_anomaly_score_pl1 --
# confirm against the deployed SecDefaultAction for phase 4.

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# When the detection paranoia level is below 1, jump past all rules in this
# file. Rules are evaluated per phase, so a separate guard is needed for each
# phase this file has rules in; the detection rules below all run in phase 4,
# the phase 3 guard covers response-header rules, if any are ever added.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"

#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#

# For performance reasons, most of the shells are matched using this rule.
# This rule is intended for PHP web shells.
# @pmFromFile does a parallel (Aho-Corasick style) match of every phrase in the
# data file in one pass over the body; the file path is resolved relative to
# the directory this rules file lives in. Shells whose banner cannot be
# expressed as a fixed phrase get their own @rx rule below.
SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
    "id:955100,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Web shell detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# r57 web shell
# Two banner variants: a versioned one ("r57 Shell Version x.y") and the bare
# "r57 shell" string.
SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+|r57 shell)" \
    "id:955110,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'r57 web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# WSO web shell
# Anchored at the start of the body; the lazy '.*?' allows an arbitrary prefix
# (typically the hostname or title) before the " - WSO <version>" marker.
SecRule RESPONSE_BODY "@rx ^.*? - WSO [0-9.]+" \
    "id:955120,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'WSO web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
# NOTE(review): the trailing '.*' adds nothing to what is detected but extends
# the captured %{TX.0} (and therefore the logdata written to the audit log) to
# everything that follows the marker; if @rx is compiled with DOTALL here, as
# ModSecurity does by default, that is the remainder of the response body.
# Dropping it would shorten the log entry without changing detection -- confirm.
SecRule RESPONSE_BODY "@rx B4TM4N SH3LL.*" \
    "id:955130,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'b4tm4n web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Mini Shell web shell
# Requires both the title and the author credit, in that order, to avoid
# matching unrelated pages that merely contain "Mini Shell".
SecRule RESPONSE_BODY "@rx Mini Shell.*Developed By LameHacker" \
    "id:955140,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Mini Shell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Ashiyane web shell
# Matches the decorated ".:: <name> ~ Ashiyane V <version> ::." banner.
SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\." \
    "id:955150,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Ashiyane web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Symlink_Sa web shell
SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" \
    "id:955160,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Symlink_Sa web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# CasuS web shell
SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" \
    "id:955170,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'CasuS web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# GRP WebShell
# This and several rules below (955230, 955240, 955250, 955260, 955280, 955290,
# 955310) are anchored with '^' to the very start of the response body: the
# exact run of leading blank lines / CRLFs that the shell's PHP emits before
# its banner is part of the signature, so a proxy or CMS that strips leading
# whitespace from responses will defeat these particular rules.
SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \
    "id:955180,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'GRP WebShell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# NGHshell web shell
# Anchored with '$' to the end of the body: the shell's footer is the last
# thing it prints.
SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
    "id:955190,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'NGHshell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# SimAttacker web shell
# "Vrsion" is the misspelling found in some releases of the shell's title.
SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
    "id:955200,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'SimAttacker web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Unknown web shell
# Identified by the author comment in the document head plus a "Web Shell"
# title rather than by a product name.
SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell" \
    "id:955210,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Unknown web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# lama's'hell web shell
# The apostrophes in msg are backslash-escaped because the action value is
# single-quoted; the regex itself is double-quoted and needs no escaping.
SecRule RESPONSE_BODY "@rx lama's'hell v. [0-9.]+" \
    "id:955220,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'lama\'s\'hell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# lostDC web shell
SecRule RESPONSE_BODY "@rx ^ *\n[ ]+\n[ ]+lostDC - " \
    "id:955230,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'lostDC web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell\r\n\r\n\r\n " \
    "id:955240,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Unknown web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Unknown web shell
# The operator argument deliberately spans physical lines: the literal line
# breaks inside the quoted pattern are part of the signature, alongside the
# escaped '\n' sequences.
SecRule RESPONSE_BODY "@rx ^\n\n
Input command :
\n
" \
    "id:955250,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Unknown web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Ru24PostWebShell web shell
SecRule RESPONSE_BODY "@rx ^\n\nRu24PostWebShell - " \
    "id:955260,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'Ru24PostWebShell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# s72 Shell web shell
# "Codinf" is the shell's own misspelling and is intentional here.
SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" \
    "id:955270,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'s72 Shell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# PhpSpy web shell
SecRule RESPONSE_BODY "@rx ^\r\n\r\n\r\nPhpSpy Ver [0-9]+" \
    "id:955280,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'PhpSpy web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# g00nshell web shell
SecRule RESPONSE_BODY "@rx ^ \n\n\n\ng00nshell v[0-9.]+ " \
    "id:955290,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'g00nshell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# PuNkHoLic shell web shell
# Various versions has this text written little differently so we need to do
# t:removeWhitespace and t:lowercase.
# The needle is therefore written in its normalised (no-whitespace, lowercase)
# form; keep it that way when editing. Note that these two transformations are
# applied to the entire response body before the comparison.
# NOTE(review): 'capture' populates TX.0 for regex and pattern-match operators;
# with @contains it is not obvious that %{TX.0} in logdata carries the matched
# text -- confirm against the engine, or drop 'capture' and the %{TX.0}
# reference for this rule if it turns out to log an empty value.
SecRule RESPONSE_BODY "@contains <title>punkholicshell" \
    "id:955300,\
    phase:4,\
    block,\
    capture,\
    t:none,t:removeWhitespace,t:lowercase,\
    msg:'PuNkHoLic shell web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# azrail web shell
SecRule RESPONSE_BODY "@rx ^\n \n azrail [0-9.]+ by C-W-M" \
    "id:955310,\
    phase:4,\
    block,\
    capture,\
    t:none,\
    msg:'azrail web shell',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/225/122/17/650',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# SmEvK_PaThAn Shell web shell
SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by \n.*? ~ Shell I\n\n