File: //etc/apache2/conf.d/modsec2/rootkits.conf
# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
#
# Most rules below carry no explicit disruptive action and therefore rely on
# SecDefaultAction, which is defined outside this file. Rules that inspect
# REQUEST_BODY only see a body when SecRequestBodyAccess is On.
# Where t:lowercase is set, the inspected value is lowercased before the
# regex runs, so the pattern itself has to be written in lowercase to match.

# Generic remote-file-inclusion style install attempt: a URI whose query
# carries "=http://", "=www" or "=ftp://" pointing at a file with one of the
# listed extensions, followed by an optional space and a "?".
# Chained pair: the starter rule excludes horde's go.php redirector and holds
# the id/severity/msg; the second rule holds the actual signature.
# NOTE(review): the t:* transformations on the starter are not inherited by
# the chained rule, so the second match is case-sensitive unless
# SecDefaultAction adds transformations — confirm that is intended.
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
# Same signature without the optional space and without transformations on
# the starter rule.
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

# Command-shell file names (cse/cmd and friends) fetched with a trailing "?"
# or a trailing space, or invoked with a "?&cmd=" / "?&command=" parameter.
# The first variant is URI-only; the second also looks inside the body.
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?" "t:lowercase,id:3000005"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) " "t:lowercase,id:3000006"
# "cmd" endpoints driven by a command/cmd query parameter.
SecRule REQUEST_URI "/cmd\?&(command|cmd)=" "t:lowercase,id:3000009"
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" "t:lowercase,id:3000010"
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" "t:lowercase,id:3000011"
# NOTE(review): the "." between the extension group and "\?" in id 3000012 is
# unescaped, so it matches any single character rather than a literal dot —
# confirm whether it was meant to be escaped or dropped.
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)=" "t:lowercase,id:3000012"
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" "t:lowercase,id:3000013"
# Shell scripts disguised under image-like or generic names with php/php3/
# php4/phtml extensions.
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" "t:lowercase,id:3000015"

# Known rootkits: "perl <toolkit>" invocations seen in the URI or body.
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)" "t:lowercase,id:3000017"

# Generic remote perl execution with .pl extension, either terminated by ";"
# or preceded by ";" (command appended to an injected shell line).
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;" "t:lowercase,id:3000021"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl" "t:lowercase,id:3000022"

# Other known tools.
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)=" "t:lowercase,id:3000027"
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php" "t:lowercase,id:3000028"

# New kit: files dropped under a hidden ".dump" directory, bare or with a
# disguising extension.
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)" "t:lowercase,id:3000029"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)" "t:lowercase,id:3000030"

# New kit (dblib).
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)=" "t:lowercase,id:3000031"

# suntzu shell: also checked in the Content-Disposition header.
# NOTE(review): "HTTP_<header>" is ModSecurity 1.x variable syntax; 2.x
# addresses request headers as REQUEST_HEADERS:Content-Disposition — confirm
# this rule actually loads under the 2.x engine this file targets.
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd=" "t:lowercase,id:3000032"

# phpbackdoor shell.
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd=" "t:lowercase,id:3000034"

# known PHP attack shells
# Value of these sigs is pretty low, but they are here to catch
# any loose threads, honeypotting, etc.
SecRule REQUEST_URI|REQUEST_BODY   "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)" "t:lowercase,id:3000037"
SecRule REQUEST_URI|REQUEST_BODY   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" "t:lowercase,id:3000038"
SecRule REQUEST_URI   "/phpterm" "t:lowercase,id:3000039"

# New unknown kits: plain-text or image-named payloads fetched with a "?".
SecRule REQUEST_URI   "/go\.php\.txt\?" "t:lowercase,id:3000043"
SecRule REQUEST_URI   "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000044"
SecRule REQUEST_URI   "/iys\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000045"

# New kit: c99 shell distributed as .txt.
SecRule REQUEST_URI   "/c99shell\.txt" "t:lowercase,id:3000054"
SecRule REQUEST_URI   "/c99\.txt\?" "t:lowercase,id:3000055"

# Remote bash shell: "shell.php&cmd=" in the URI, or inside an already
# decoded argument value (ARGS).
SecRule REQUEST_URI "/shell\.php\&cmd=" "t:lowercase,id:3000056"
SecRule ARGS "/shell\.php\&cmd=" "t:lowercase,id:3000057"

# zencart exploit: command passed to the IPN callback script.
SecRule REQUEST_URI "/ipn\.php\?cmd=" "t:lowercase,id:3000058"

# Generic suntzu payload: PHP source "error_reporting(...);if(isset(...)){system".
SecRule REQUEST_URI|REQUEST_BODY   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system" "t:lowercase,id:3000062"

# Added 31 Dec.
SecRule REQUEST_URI   "/php\.txt\?" "t:lowercase,id:3000070"

# Added 1 Jan.
SecRule REQUEST_URI   "/sql\.txt\?" "t:lowercase,id:3000071"
SecRule REQUEST_URI   "bind\.(gif|jpe?g|txt|bmp|png)\?" "t:lowercase,id:3000072"

# Some broken attack program.
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm" "t:lowercase,id:3000080"

# r57 shell.
SecRule REQUEST_URI "/r57en\.php" "t:lowercase,id:3000081"

# c99 rootshell: its "act=" dispatcher parameter values.
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)" "t:lowercase,id:3000082"

# Generic shell distributed as shell.txt.
SecRule REQUEST_URI "shell\.txt" "t:lowercase,id:3000083"

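# bad scanner
# Probe string of the DFind/w00tw00t vulnerability scanner.
# t:lowercase lowercases the URI before the regex runs, so the pattern must
# itself be lowercase; the previous mixed-case pattern ("ISC", "SANS",
# "DFind") could never match and the rule was silently dead.
SecRule REQUEST_URI "w00tw00t\.at\.isc\.sans\.dfind" "t:lowercase,id:3000084"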

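# wormsign
# Body of a PHP shell dropper: stripslashes()/passthru() fed straight from
# $_REQUEST, or the get_magic_quotes_gpc() guard such droppers carry.
# t:lowercase lowercases the body before matching, so "$_REQUEST" has to be
# written as "$_request" here; the previous uppercase form could never match,
# which silently disabled the first alternative of this rule.
# Only inspected when SecRequestBodyAccess is On.
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_request\[\"|if \(get_magic_quotes_gpc\()" "t:lowercase,id:3000085"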

# New SQL attack seen: enumeration of information_schema.tables, in URI or body.
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables" "t:lowercase,id:3000086"

# New SQL attack seen: "and ... char(...) ... user ... char(...)" injection shape.
# NOTE(review): the unanchored ".+" wildcards make this broad; watch for false
# positives on long URIs containing "and" and "char(".
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)" "t:lowercase,id:3000087"