File: //opt/bitninja-waf3/coreruleset/BitNinja/409-ANTIMALWARE-PROTECTION-BN.conf
SecRule REQUEST_COOKIES "@contains perngr_shapgvba" \
"id:409001,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)',\
msg:'Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)'"
SecRule REQUEST_COOKIES "@contains str_r" "chain,t:none"
SecRule REQUEST_COOKIES "@contains ot13" "chain,t:none"
SecRule REQUEST_COOKIES "@rx array[\d]" "t:none,setvar:'tx.bn_inbound_found=+1'"
### init ###
SecAction "id:300000, phase:1,\
nolog,\
pass,\
severity:info,\
t:none,\
setvar:tx.bn_str_rot13=0,\
setvar:tx.bn_base64_decode=0,\
setvar:tx.bn_base64_decode_b64=0,\
setvar:tx.bn_create_function_r13=0,\
setvar:tx.bn_base64_decode_r13=0"
### tx.bn_str_rot13 ###
SecRule REQUEST_COOKIES "^s$" "id:301001,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^tr_rot13$" "t:none,setvar:'tx.bn_str_rot13=+1'"
SecRule REQUEST_COOKIES "^st$" "id:301002,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^r_rot13$" "t:none,setvar:'tx.bn_str_rot13=+2'"
SecRule REQUEST_COOKIES "^str$" "id:301003,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^_rot13$" "t:none,setvar:'tx.bn_str_rot13=+4'"
SecRule REQUEST_COOKIES "^str_$" "id:301004,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^rot13$" "t:none,setvar:'tx.bn_str_rot13=+8'"
SecRule REQUEST_COOKIES "^str_r$" "id:301005,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ot13$" "t:none,setvar:'tx.bn_str_rot13=+16'"
SecRule REQUEST_COOKIES "^str_ro$" "id:301006,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^t13$" "t:none,setvar:'tx.bn_str_rot13=+32'"
SecRule REQUEST_COOKIES "^str_rot$" "id:301007,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^13$" "t:none,setvar:'tx.bn_str_rot13=+64'"
SecRule REQUEST_COOKIES "^str_rot1$" "id:301008,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^3$" "t:none,setvar:'tx.bn_str_rot13=+128'"
### tx.bn_create_function_r13 ###
SecRule REQUEST_COOKIES "^p$" "id:301101,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^erngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+1'"
SecRule REQUEST_COOKIES "^pe$" "id:301102,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^rngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+2'"
SecRule REQUEST_COOKIES "^per$" "id:301103,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+4'"
SecRule REQUEST_COOKIES "^pern$" "id:301104,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^gr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+8'"
SecRule REQUEST_COOKIES "^perng$" "id:301105,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^r_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+16'"
SecRule REQUEST_COOKIES "^perngr$" "id:301106,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+32'"
SecRule REQUEST_COOKIES "^perngr_$" "id:301107,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+64'"
SecRule REQUEST_COOKIES "^perngr_s$" "id:301108,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^hapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+128'"
SecRule REQUEST_COOKIES "^perngr_sh$" "id:301109,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^apgvba$" "t:none,setvar:'tx.bn_create_function_r13=+256'"
SecRule REQUEST_COOKIES "^perngr_sha$" "id:301110,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^pgvba$" "t:none,setvar:'tx.bn_create_function_r13=+512'"
SecRule REQUEST_COOKIES "^perngr_shap$" "id:301111,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^gvba$" "t:none,setvar:'tx.bn_create_function_r13=+1024'"
SecRule REQUEST_COOKIES "^perngr_shapg$" "id:301112,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^vba$" "t:none,setvar:'tx.bn_create_function_r13=+2048'"
SecRule REQUEST_COOKIES "^perngr_shapgv$" "id:301113,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ba$" "t:none,setvar:'tx.bn_create_function_r13=+4096'"
SecRule REQUEST_COOKIES "^perngr_shapgvb$" "id:301114,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^a$" "t:none,setvar:'tx.bn_create_function_r13=+8192'"
### tx.bn_base64_decode_r13 ###
SecRule REQUEST_COOKIES "^o$" "id:301201,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^nfr64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+1'"
SecRule REQUEST_COOKIES "^on$" "id:301202,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^fr64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+2'"
SecRule REQUEST_COOKIES "^onf$" "id:301203,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^r64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+4'"
SecRule REQUEST_COOKIES "^onfr$" "id:301204,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+8'"
SecRule REQUEST_COOKIES "^onfr6$" "id:301205,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^4_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+16'"
SecRule REQUEST_COOKIES "^onfr64$" "id:301206,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+32'"
SecRule REQUEST_COOKIES "^onfr64_$" "id:301207,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+64'"
SecRule REQUEST_COOKIES "^onfr64_q$" "id:301208,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^rpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+128'"
SecRule REQUEST_COOKIES "^onfr64_qr$" "id:301209,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^pbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+256'"
SecRule REQUEST_COOKIES "^onfr64_qrp$" "id:301210,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^bqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+512'"
SecRule REQUEST_COOKIES "^onfr64_qrpb$" "id:301211,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^qr$" "t:none,setvar:'tx.bn_base64_decode_r13=+1024'"
SecRule REQUEST_COOKIES "^onfr64_qrpbq$" "id:301212,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^r$" "t:none,setvar:'tx.bn_base64_decode_r13=+2048'"
### tx.bn_base64_decode ###
SecRule REQUEST_COOKIES "^b$" "id:301301,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ase64_decode$" "t:none,setvar:'tx.bn_base64_decode=+1'"
SecRule REQUEST_COOKIES "^ba$" "id:301302,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^se64_decode$" "t:none,setvar:'tx.bn_base64_decode=+2'"
SecRule REQUEST_COOKIES "^bas$" "id:301303,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^e64_decode$" "t:none,setvar:'tx.bn_base64_decode=+4'"
SecRule REQUEST_COOKIES "^base$" "id:301304,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^64_decode$" "t:none,setvar:'tx.bn_base64_decode=+8'"
SecRule REQUEST_COOKIES "^base6$" "id:301305,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^4_decode$" "t:none,setvar:'tx.bn_base64_decode=+16'"
SecRule REQUEST_COOKIES "^base64$" "id:301306,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^_decode$" "t:none,setvar:'tx.bn_base64_decode=+32'"
SecRule REQUEST_COOKIES "^base64_$" "id:301307,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^decode$" "t:none,setvar:'tx.bn_base64_decode=+64'"
SecRule REQUEST_COOKIES "^base64_d$" "id:301308,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ecode$" "t:none,setvar:'tx.bn_base64_decode=+128'"
SecRule REQUEST_COOKIES "^base64_de$" "id:301309,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^code$" "t:none,setvar:'tx.bn_base64_decode=+256'"
SecRule REQUEST_COOKIES "^base64_dec$" "id:301310,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^ode$" "t:none,setvar:'tx.bn_base64_decode=+512'"
SecRule REQUEST_COOKIES "^base64_deco$" "id:301311,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^de$" "t:none,setvar:'tx.bn_base64_decode=+1024'"
SecRule REQUEST_COOKIES "^base64_decod$" "id:301312,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "^e$" "t:none,setvar:'tx.bn_base64_decode=+2048'"
### tx.bn_base64_decode_b64 ###
SecRule REQUEST_COOKIES "^Y$" "id:301401,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith mFzZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+1'"
SecRule REQUEST_COOKIES "^Ym$" "id:301402,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith FzZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+2'"
SecRule REQUEST_COOKIES "^YmF$" "id:301403,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith zZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+4'"
SecRule REQUEST_COOKIES "^YmFz$" "id:301404,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith ZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+8'"
SecRule REQUEST_COOKIES "^YmFzZ$" "id:301405,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith TY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+16'"
SecRule REQUEST_COOKIES "^YmFzZT$" "id:301406,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith Y0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+32'"
SecRule REQUEST_COOKIES "^YmFzZTY$" "id:301407,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith 0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+64'"
SecRule REQUEST_COOKIES "^YmFzZTY0$" "id:301408,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+128'"
SecRule REQUEST_COOKIES "^YmFzZTY0X$" "id:301409,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith 2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+256'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2$" "id:301410,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+512'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2R$" "id:301411,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith lY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+1024'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2Rl$" "id:301412,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith Y29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+2048'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY$" "id:301413,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith 29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+4096'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY2$" "id:301414,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith 9kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+8192'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29$" "id:301415,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+16384'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29k$" "id:301416,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith ZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+32768'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29kZ$" "id:301417,chain,nolog,phase:2,rev:'1',severity:info,t:none"
SecRule REQUEST_COOKIES "@beginsWith Q" "t:none,setvar:'tx.bn_base64_decode_b64=+65536'"
SecRule tx:bn_str_rot13 "@gt 0" \
"id:409003,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (6294b0aa7ab29948f772b8a8) |%{tx.bn_str_rot13}|%{tx.bn_create_function_r13}|%{tx.bn_base64_decode_r13}|',\
msg:'Rule against PHP RCE malware (6294b0aa7ab29948f772b8a8) |%{tx.bn_str_rot13}|%{tx.bn_create_function_r13}|%{tx.bn_base64_decode_r13}|'"
SecRule tx:bn_create_function_r13 "@gt 0" "chain,t:none"
SecRule tx:bn_base64_decode_r13 "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule tx:bn_base64_decode "@gt 0" \
"id:409004,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (63b301bc5205bf358a4caa0c) |%{tx.bn_base64_decode}|%{tx.bn_base64_decode_b64}|',\
msg:'Rule against PHP RCE malware (63b301bc5205bf358a4caa0c) |%{tx.bn_base64_decode}|%{tx.bn_base64_decode_b64}|'"
SecRule tx:bn_base64_decode_b64 "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_POST_NAMES "^fuckyou4321$" \
"id:409005,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP RCE malware (63048c774603e53b7a7f78b5)',\
msg:'Rule against PHP RCE malware (63048c774603e53b7a7f78b5)'"
SecRule REQUEST_HEADERS "^create_function$" \
"id:409006,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (6284da8fef85056b327414fc)',\
msg:'Rule against PHP RCE malware (6284da8fef85056b327414fc)'"
SecRule REQUEST_HEADERS "^base64_decode$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule &ARGS_POST "@eq 1" \
"id:409007,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2)',\
msg:'Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2)'"
SecRule ARGS_POST:request_option "@ge 1000" "chain,t:length"
SecRule &ARGS_GET "@eq 0" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_GET_NAMES "^pd$" \
"id:409008,\
phase:2,\
chain,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (644b680f1173f831663f5255)',\
msg:'Rule against PHP RCE malware (644b680f1173f831663f5255)'"
SecRule ARGS_GET_NAMES "^mapname$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_POST:ne "^(fayl_oxu|sistem_kom|fayl_redakte|fayl_yukle|fayl_sil|fayl_yarat|papka_yarat|fayl_sifirla|papka_sil|fayl_ad_deyish|ziple|skl_d_t|fayl_upl)$" \
"id:409009,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)',\
msg:'Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)'"
SecRule ARGS:pd "@streq smyedit" \
"id:409010,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule 02 against PHP RCE malware (644b680f1173f831663f5255)',\
msg:'Rule 02 against PHP RCE malware (644b680f1173f831663f5255)'"
SecRule &ARGS_GET "@eq 1" \
"id:409011,\
chain,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
logdata:'Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)',\
msg:'Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)'"
SecRule ARGS_GET_NAMES "^varname$" "chain,t:none"
SecRule ARGS_GET:varname "@contains ." "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_NAMES "^wp_ajx_(reinstall_)?request$" \
"id:409012,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP RCE malware (wp_ajx)',\
msg:'Rule against PHP RCE malware (wp_ajx)'"
SecRule ARGS:zzz "@streq xcWD23" \
"id:409013,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP Uploader malware (653fa43c57a1e128c70a9c87)',\
msg:'Rule against PHP Uploader malware (653fa43c57a1e128c70a9c87)'"
SecRule ARGS_POST_NAMES "^cdshell$" \
"id:409014,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP RCE malware (cdshell)',\
msg:'Rule against PHP RCE malware (cdshell)'"
SecRule ARGS_GET_NAMES "^actmet[12]$" \
"id:409015,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against PHP malware (6548af1f7eef18d697055726)',\
msg:'Rule against PHP malware (6548af1f7eef18d697055726)'"
SecRule ARGS_GET_NAMES "^solevisible$" \
"id:409016,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against ALFA TEaM Shell load',\
msg:'Rule against ALFA TEaM Shell load'"
SecRule REQUEST_COOKIES_NAMES "^AlfaUser$" \
"id:409017,\
chain,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
logdata:'Rule against ALFA TEaM Shell cookie',\
msg:'Rule against ALFA TEaM Shell cookie'"
SecRule REQUEST_COOKIES_NAMES "^AlfaPass$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS:login "@streq cmd" \
"id:409018,\
chain,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
logdata:'Rule against PHP RCE malware (coco,login,cmd)',\
msg:'Rule against PHP RCE malware (coco,login,cmd)'"
SecRule ARGS_POST_NAMES "^coco$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_POST_NAMES "^song2$" \
"id:409019,\
chain,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
logdata:'Rule against PHP malware (65f0096eade8f3274b0a8427)',\
msg:'Rule against PHP malware (65f0096eade8f3274b0a8427)'"
SecRule ARGS_POST_NAMES "^stars1$" "chain,t:none"
SecRule ARGS_POST_NAMES "^stars2$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule ARGS_POST_NAMES "^thumb_key$" \
"id:409020,\
chain,\
phase:2,\
rev:'1',\
log,\
auditlog,\
t:none,t:urlDecodeUni,\
severity:critical,\
logdata:'Rule against PHP malware (663863d403a9690a37098357, 663863da03a9690a370983a5)',\
msg:'Rule against PHP malware (663863d403a9690a37098357, 663863da03a9690a370983a5)'"
SecRule ARGS_POST_NAMES "^code$" "t:none,setvar:'tx.bn_inbound_found=+1'"
SecRule REQUEST_FILENAME "@pmFromFile malware-endpoints.data" \
"id:409021,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against suspicious endpoints',\
msg:'Rule against suspicious endpoints'"
SecRule REQUEST_FILENAME "(\.well-known|acme-challenge|pki-validation)\/.*\.php" \
"id:409022,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
setvar:'tx.bn_inbound_found=+1',\
logdata:'Rule against suspicious endpoints in validation directories',\
msg:'Rule against suspicious endpoints in validation directories'"