1 # @(#) $Id: system_audit_rcl.txt,v 1.3 2008/04/14 18:30:07 dcid Exp $
3 # OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
5 # Released under the same license as OSSEC.
6 # More details at the LICENSE file included with OSSEC or online
7 # at: http://www.ossec.net/en/licensing.html
9 # [Application name] [any or all] [reference]
13 # - f (for file or directory)
14 # - p (process running)
15 # - d (any file inside the directory)
18 # For the registry, use "->" to look for a specific entry and another
19 # "->" to look for the value.
20 # For files, use "->" to look for a specific value in the file.
22 # Values can be preceded by: =: (for equal) - default
23 # r: (for ossec regexes)
24 # >: (for strcmp greater)
25 # <: (for strcmp lower)
26 # Multiple patterns can be specified by using " && " between them.
27 # (All of them must match for it to return true).
30 $php.ini=/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
31 $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
# Coverage caveat: only the paths listed in the two variables above are ever
# examined. A php.ini or document root anywhere else (for example a per-vhost
# or FPM configuration) is silently unchecked, so adjust these lists to the
# host before relying on a clean result.
#
# Each PHP check looks for one literal line in php.ini. The regex is anchored
# with "^" and spells the directive as "key = value" with single spaces; a file
# that formats the line differently, or that omits the directive and relies on
# the compiled-in default, does not match. A non-match therefore means "this
# exact line is absent", not "the setting is safe" - confirm against the
# effective runtime configuration when it matters.
35 [PHP - Register globals are enabled] [any] [http://www.ossec.net/wiki]
36 f:$php.ini -> r:^register_globals = On;
40 [PHP - Expose PHP is enabled] [any] []
41 f:$php.ini -> r:^expose_php = On;
45 [PHP - Allow URL fopen is enabled] [any] []
46 f:$php.ini -> r:^allow_url_fopen = On;
# This one is a "disabled" check keyed on an explicit "Off" line (the others
# look for "On"), so a php.ini with no safe_mode line at all is not reported.
50 [PHP - Safe mode disabled] [any] []
51 f:$php.ini -> r:^safe_mode = Off;
55 [PHP - Displaying of errors is enabled] [any] []
56 f:$php.ini -> r:^display_errors = On;
59 # PHP checks - consider open_basedir && disable_functions
62 ## Looking for common web exploits (might indicate that you are owned).
63 ## Using http://www.ossec.net/wiki/index.php/WebAttacks_links as a reference.
# Each entry below is a two-stage check: "d:$web_dirs" scans the directories
# listed in $web_dirs at the top of this file, the first "->" appears to select
# files by name, and the final "-> r:<?|^#!" only fires when that file's
# content also looks like PHP ("<?") or a script with a shebang ("#!").
#
# The name patterns are regexes, not literal file names, and their anchoring
# is inconsistent: some end in "$" (^echo$, ^id.txt$) while others do not
# (^stringa.txt, ^r57.txt, ^root.gif). Presumably the unanchored ones also
# match any longer name starting with that prefix - worth confirming if a
# particular entry turns out to be noisy.
#
# A clean run proves little: these are well-known drop names and are trivially
# renamed, so treat this list as a cheap indicator to investigate, not as a
# completeness check for web-shell presence.
64 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
65 d:$web_dirs -> ^echo$ -> r:<?|^#!;
67 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
68 d:$web_dirs -> ^id.txt$ -> r:<?|^#!;
70 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
71 d:$web_dirs -> ^irc.txt$ -> r:<?|^#!;
73 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
74 d:$web_dirs -> ^stringa.txt -> r:<?|^#!;
76 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
77 d:$web_dirs -> ^cmd1.gif$ -> r:<?|^#!;
79 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
80 d:$web_dirs -> ^mambo1.txt$|^hai.txt$|^iyes.txt$ -> r:<?|^#!;
82 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
83 d:$web_dirs -> ^57.txt$ -> r:<?|^#!;
85 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
86 d:$web_dirs -> ^r57.txt -> r:<?|^#!;
88 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
89 d:$web_dirs -> ^evilx$ -> r:<?|^#!;
91 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
92 d:$web_dirs -> ^cmd$ -> r:<?|^#!;
94 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
95 d:$web_dirs -> ^root.gif -> r:<?|^#!;
97 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
98 d:$web_dirs -> ^bn.txt -> r:<?|^#!;
100 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
101 d:$web_dirs -> ^kk.txt -> r:<?|^#!;
103 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
104 d:$web_dirs -> ^graba.txt -> r:<?|^#!;
106 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
107 d:$web_dirs -> ^no.txt -> r:<?|^#!;
109 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
110 d:$web_dirs -> ^ddos.pl -> r:<?|^#!;
112 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
113 d:$web_dirs -> ^rox.txt -> r:<?|^#!;
115 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
116 d:$web_dirs -> ^lila.jpg -> r:<?|^#!;
118 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
119 d:$web_dirs -> ^safe.txt -> r:<?|^#!;
121 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
122 d:$web_dirs -> ^rootlab.jpg -> r:<?|^#!;
124 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
125 d:$web_dirs -> ^tool25.dat -> r:<?|^#!;
127 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
128 d:$web_dirs -> ^sela.txt -> r:<?|^#!;
130 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
131 d:$web_dirs -> ^zero.txt -> r:<?|^#!;
133 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
134 d:$web_dirs -> ^paged.gif -> r:<?|^#!;
136 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
137 d:$web_dirs -> ^hh.txt -> r:<?|^#!;
139 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
140 d:$web_dirs -> ^metodi.txt -> r:<?|^#!;
142 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
143 d:$web_dirs -> ^idpitbull.txt -> r:<?|^#!;
145 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
146 d:$web_dirs -> ^echo.txt -> r:<?|^#!;
148 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
149 d:$web_dirs -> ^ban.gif -> r:<?|^#!;
151 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
152 d:$web_dirs -> ^c.txt -> r:<?|^#!;
154 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
155 d:$web_dirs -> ^gay.txt -> r:<?|^#!;
157 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
158 d:$web_dirs -> ^genlog.txt$ -> r:<?|^#!;
160 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
161 d:$web_dirs -> ^safe$ -> r:<?|^#!;
163 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
164 d:$web_dirs -> ^safe3$ -> r:<?|^#!;
166 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
167 d:$web_dirs -> ^tool25.txt$ -> r:<?|^#!;
169 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
170 d:$web_dirs -> ^test.txt$ -> r:<?|^#!;
172 [Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
173 d:$web_dirs -> ^safeon.txt$ -> r:<?|^#!;
176 ## Looking for common web exploit files (might indicate that you are owned).
177 ## These are not as specific as the ones above.
178 ## Using http://www.ossec.net/wiki/index.php/WebAttacks_links as a reference.
# These entries have no content stage: they fire on the file name alone inside
# the $web_dirs directories. Unlike the list above they cannot distinguish a
# dropped tool from a legitimately named file, so expect to triage each hit.
179 [Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
180 d:$web_dirs -> ^.yop$;
# NOTE(review): the entry directly below has no check line in this copy of the
# file, so as written it matches nothing (a bare header may also confuse the
# parser); confirm against the upstream file whether a "d:" line was lost.
182 [Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
185 [Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
186 d:$web_dirs -> ^.ssh$;
188 [Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
189 d:$web_dirs -> ^...$;
191 [Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
192 d:$web_dirs -> ^.shell$;