rules/base_rules/modsecurity_crs_45_trojans.conf

   1 # ---------------------------------------------------------------
   2 # Core ModSecurity Rule Set ver.2.0.3
   3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
   4 #
   5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
   6 # Please see the enclosed LICENCE file for full details.
   7 # ---------------------------------------------------------------
   8
   9
  10 # The trojan access detection rules detects access to known Trojans already
  11 # installed on a server. Uploading of Trojans is part of the Anti-Virus rules
  12 # and uses external Anti Virus program when uploading files.
  13 #
  14 # Detection of Trojans access is especially important in a hosting environment
  15 # where the actual Trojan upload may be done through valid methods and not
  16 # through hacking.
  17 # --
  18 #
  19 # NOTE Trojans detection is based on checking elements controlled by the client.
  20 #      A determined attacked can bypass those checks. We are working on
  21 #      enchaining the checks so it would require a major change in the Trojan
  22 #      to overcome.
  23 #
  24 # NOTE We found out that Trojan horses are not detected easily by Anti-Virus
  25 #      software when uploading as the signature set of AV software is not tuned
  26 #      for this purpose. We are working on adding signature tuned to detect
  27 #      Trojans upload to file uploading inspection.
  28 #
  29
  30 SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
  31 SecRule REQUEST_FILENAME "root\.exe" \
  32         "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
  33 SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
  34         "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"