Current File : //06_Global_Backdoor.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_HEADERS_NAMES "x_(?:file|key)\b" \
	"id:214100,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

SecRule REQUEST_FILENAME "root\.exe" \
	"id:214110,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Backdoor'"

SecRule RESPONSE_BODY "(?:\b(?:aventgrup\.<br>|drwxr|(?:c99shell|php(?: shell|konsole)|(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:haxplor|www\.sanalteror\.org - indexer and read)er)\b)|<title>[^<]{0,}?(?:\b(?:imhabirligi phpftp|(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b)|\.::(?: rhtools\b|news remote php shell injection::\.)|myshell|ph(?:p(?:remoteview|(?: commander|-terminal)\b)|vayv)|(?:aventis klasvayv|r(?:57shell|emote explorer)|zehir)\b))" \
	"id:214120,msg:'COMODO WAF: Backdoor access||%{tx.domain}|%{tx.mode}|2',phase:4,capture,block,setvar:'tx.trojan_points=+1',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Backdoor'"