# --------------------------------------------------------------- # Imunify360 ModSecurity Rules # Copyright (C) 2021 CloudLinux Inc All right reserved # The Imunify360 ModSecurity Rules is distributed under # IMUNIFY360 LICENSE AGREEMENT # Please see the enclosed IM360-LICENSE.txt file for full details. # --------------------------------------------------------------- # Imunify360 ModSecurity Custom Ruleset SecRule REQUEST_URI "!@rx (\/wp-admin\/|\/wp-content\/|\/forum\/|\/bitrix\/|\/wp-json\/|\/index\.php\/apps\/dashboard\/)" "id:77140730,chain,phase:2,log,deny,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Drupalgeddon test||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core'" SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES "(\[[^\w]{0,99}[\"'`]?#[^\]]{0,99}\])|(#\[)" "t:none" SecRule REQUEST_URI "!@rx (/wp-admin/|/wp-content/|/forum/)" "id:77140731,chain,phase:2,deny,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Drupal CVE-2018-7600/02 RCE attempt||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core'" SecRule ARGS|ARGS_NAMES "(q\[%23type\])|(q\[%23markup\])|(\[%23\]\[\])|(\[#\]\[\])|(\[%2523\]\[\])" "t:none" SecRule REQUEST_COOKIES:X-XSRF-TOKEN "(\S{41,})" "id:77140733,phase:1,deny,log,severity:2,t:urlDecodeUni,msg:'IM360 WAF: Exploitation attempt (CVE-2018-15133)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # https://www.exploit-db.com/raw/45108/ SecRule REQUEST_URI "@rx \/db\-password:[^\.]{0,108}\.request\.[^\|]{0,108}\|" "id:77140734,phase:1,deny,log,severity:2,t:urlDecode,t:lowercase,msg:'IM360 WAF: Exploitation attempt (CVE-2018-14716)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" # DEFA-2112 # Heuristic: WebShellAccess SecRule REQUEST_URI "!@rx (?:\/(wp-spamfree|com_breezingforms|midway\/framework\/assets|wp-defender\/index\.php))" 
"id:77140735,chain,phase:1,pass,log,severity:5,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Suspicious access attempt (webshell)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360custom',tag:'service_rbl_infectors',tag:'noshow'" SecRule REQUEST_URI "@rx (\/(images|img(s)?|pictures|upload(s)?)\/[^\.]{0,108}\.(pht|phtml|php\d?$))" "t:none,t:urlDecodeUni,t:normalizePath" # Heuristic: MaliciousAccess SecRule REQUEST_URI "@pm /media/media.php /mother.php /yt.php /wp-logos.php /temp.php /yt2.php /indes.php" "id:77140743,chain,phase:2,deny,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block malicious scripts access||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_rbl_infectors'" SecRule TX:MISS_UA|TX:SQL_INJECT|TX:PHP_INJECT "@gt 0" "t:none" # Heuristic: BlockPHPInjection SecRule REQUEST_URI "!@rx (/wp-admin/post.php|/wp-admin/admin-ajax.php)" "id:77140745,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block php injections||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS "@rx (set_magic_quotes_runtime\(0\))" "t:none,chain" SecRule TX:MISS_UA "@gt 0" "t:none" # SA-CORE-2018-006 mail() RCE SecRule ARGS "@rx (\s-oQ/|\s-be\s\${run)" "id:77140746,phase:2,deny,log,severity:2,t:urlDecode,msg:'IM360 WAF: SA-CORE-2018-006 mail() RCE||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core'" # RCE IFS anti-bypass SecRule ARGS "@rx (\$IFS\$|\$\{IFS\})" "id:77140751,phase:2,deny,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: RCE IFS anti-bypass||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # CVE-2018-20062 SecRule ARGS:s "@streq index/\\think\\Request/input" "id:77140753,chain,phase:1,deny,log,severity:2,t:urlDecode,msg:'IM360 WAF: RCE in NoneCMS 
(CVE-2018-20062)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule &ARGS:filter "@ge 1" "t:none" # CVE-2019-6339 tracking rule SecRule ARGS "@rx (\.phar$|^phar:\/\/)" "id:77140754,phase:1,pass,log,severity:5,t:urlDecode,msg:'IM360 WAF: RCE in Drupal tracking rule (CVE-2019-6339)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core',tag:'noshow'" # CVE-2019-6340 SecRule REQUEST_METHOD "^GET$" "id:77140755,chain,phase:1,deny,log,severity:2,setvar:TX.body_length=%{REQUEST_BODY_LENGTH},t:urlDecode,msg:'IM360 WAF: RCE in Drupal (CVE-2019-6340)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core',tag:'im360_req_get'" SecRule ARGS:_format "@streq hal_json" "t:none,chain" SecRule TX:body_length "@ge 500" "t:none" # SQL Injection vulnerability in Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1. PRODSECBUG-2198 DEFA-1031 DEFA-1032 SecRule REQUEST_URI "@contains product_frontend_action/synchronize" "id:77140760,chain,phase:2,deny,log,severity:2,t:none,t:normalizePath,t:urlDecodeUni,msg:'IM360 WAF: SQL Injection vulnerability in Magento (PRODSECBUG-2198)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule ARGS:type_id "@streq recently_products" "t:none,t:urlDecodeUni,chain" SecRule ARGS:ids[0][product_id][from] "@rx \?" 
"t:none,t:urlDecodeUni,chain" SecRule ARGS:ids[0][product_id][to] "@rx \)\)\)" "t:none,t:lowercase" # DEFA-1055 Tracking rule for WSO checker SecRule REQUEST_URI "@contains /wp-content/uploads/" "id:77140761,chain,phase:2,deny,log,severity:2,t:normalizePath,msg:'IM360 WAF: Blocking filenames collected with WSO checker||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_BASENAME "@rx (blackhat|wp-console|ask|idx|aul|wawa|content-post)\.php" "t:none" # DEFA-1650 FP on Bitrix installations # DEFA-1073 Blocking variable zzz in URI SecRule REQUEST_BASENAME "@endsWith .php" "id:77140762,chain,block,severity:2,phase:2,log,msg:'IM360 WAF: Blocking variable zzz in URI||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_FILENAME "!@rx \/admin\/1c_exchange\.php$" "chain,t:none,t:urlDecodeUni" SecRule ARGS_NAMES "@rx ^zzz$" "t:none" # DEFA-1159 Suspicious user-agent SecRule REQUEST_HEADERS:User-Agent "@rx ^Mozilla\/5\.0 \(3\.1\.final\)" "id:77140770,phase:2,pass,log,severity:5,t:none,t:urlDecodeUni,msg:'IM360 WAF: Suspicious User-Agent detected||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # Block shells found via IP record SecRule ARGS:cp "@streq download" "id:77140804,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:url "@contains http" "t:none" SecRule ARGS:url "@contains pastebin.com" "id:77140805,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:path "!@rx ^$" "t:none" SecRule ARGS:a "@streq Php" "id:77140806,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known 
shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_rbl_infectors'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "id:77140807,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_rbl_infectors'" SecRule ARGS:pass "@contains -wso-sell" SecRule ARGS:info|ARGS:x|ARGS:yt "@contains die(pi()" "id:77140808,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS "@contains POST[z0]" "id:77140809,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS "@contains 'T'}[z0]" "id:77140810,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS "@contains eval(@base64_decode(" "id:77140811,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS "@contains eval(get_magic_quotes_gpc()" "id:77140812,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" 
"t:none" SecRule ARGS:shall|ARGS:catch|ARGS:yt|ARGS:except|ARGS:user|ARGS:system|ARGS:not|ARGS:accept|ARGS:session|ARGS:pass|ARGS:internal "@contains eval(rawurldecode" "id:77140813,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS:q4995c4|ARGS:q2adc32 "@contains eval" "id:77140814,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/)" "t:none" SecRule ARGS:pwd "@contains c600e7179c3db8140360ecec6592183a" "id:77140815,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/|/wp-includes/)" "t:none" SecRule ARGS:ylxqjqbcn "@contains YmF" "id:77140816,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/|/wp-includes/)" "t:none" SecRule ARGS:mtime|ARGS:itongtong "@contains die(" "id:77140817,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/|/wp-includes/)" "t:none" SecRule ARGS:pass|ARGS:passwd "@rx (zgFJ_2017_toptu|ce1ce81cd77b04282da88cea6d4a77a9|indexshell)" "id:77140818,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" 
SecRule REQUEST_URI "@rx (/wp-admin/|/wp-content/|/wp-includes/)" "t:none" SecRule ARGS:a "@contains RC" "id:77140820,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_URI "@contains AdvanceImage5" "t:none" SecRule ARGS:source "@contains d7.2_x2.0" "id:77140822,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: Block known shells||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # https://www.exploit-db.com/exploits/46150 SecRule ARGS:_method "@contains __construct" "id:77140824,chain,phase:2,block,log,severity:2,t:urlDecode,t:removeWhitespace,msg:'IM360 WAF: ThinkPHP 5.x RCE||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:filter[] "@rx (system|assert)" "t:none" # DEFA-1682 SecRule REQUEST_METHOD "@streq POST" "id:77140834,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: RCE vulnerability in vBulletin v5.x (CVE-2019-16759)||Code:%{ARGS}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_URI|ARGS:routestring "@contains ajax/render/widget_php" "chain,t:lowercase" SecRule ARGS:widgetConfig[code] "!@rx ^$" "t:none" # DEFA-1727 SecRule REQUEST_METHOD "@streq POST" "id:77140837,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: RCE vulnerability in vBulletin <= 5.5.4 (CVE-2019-17132)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'" SecRule ARGS:routestring "@streq ajax/api/user/updateAvatar" "chain,t:urlDecodeUni" SecRule ARGS:data[extension] "@rx (pht|phtml|php\d?$)" "t:none" # Tracking SQL-dorks queries SecRule REQUEST_FILENAME "@rx (product|item|product-list|productlist|product_info|product-display|item_book|product_detail|pages|producto)\.php$" 
"id:77140852,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: SQL Dorks collection for SQL Injection||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:product_id|ARGS:pid|ARGS:productid|ARGS:gubun|ARGS:pr|ARGS:page_code|ARGS:id|ARGS:tid|ARGS:sku|ARGS:shopprodid|ARGS:products_id|ARGS:fid|ARGS:cat|ARGS:act "@rx \'" "t:none,t:urlDecodeUni" # DEFA-1808 SecRule &ARGS:jweyc "@eq 1" "id:77140861,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Encrypted malicious code detected||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_rbl_infectors'" SecRule &ARGS:callbrhy "@eq 1" "t:none" # DEFA-1808 SecRule ARGS:a "@streq RC" "id:77140863,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Malicious code detected||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule &ARGS:/^[a-z]+$/ "@ge 4" "t:none" # DEFA-1809 SecRule ARGS "@rx ^die\((?:pi\(\)\*\d+|@?md5\(\w+\)|[=.!\x27\x5c]+|)" "id:77140864,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Remote code execution fingerprint attempt||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'service_rbl_infectors'" # DEFA-1794 SecRule ARGS:a "@contains /bin/sh -c 'which which'" "id:77140874,phase:2,block,log,severity:2,t:none,t:urlDecode,msg:'IM360 WAF: Sensor for PHuiP-FPizdaM exploit request (CVE-2019-11043)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'" # DEFA-1784 SecRule REQUEST_METHOD "@rx ^GET$" "id:77140919,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: ThinkPHP 5.X - Remote Command Execution Vulnerability (CVE-2019-9082)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath" SecRule ARGS:function "@streq call_user_func_array" "chain,t:none" 
SecRule ARGS:s "@rx ^(index|Index|Home)\/\\\\think" "chain,t:none,t:urlDecodeUni" SecRule ARGS:/^vars\[/ "!@rx ^$" "t:none" # DEFA-1784 SecRule REQUEST_METHOD "@rx ^GET$" "id:77140920,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: ThinkPHP 5.X - Remote Command Execution Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath" SecRule ARGS:s "@streq .|think\config/get" "chain,t:none,t:urlDecodeUni" SecRule ARGS:name "!@rx ^$" "t:none" # DEFA-1784 SecRule REQUEST_METHOD "@rx ^GET$" "id:77140921,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: ThinkPHP 5.X SQLi Vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath" SecRule ARGS:s "@rx ^\/home\/(?:article\/view_recent|shopcart\/getprice|user\/cut|service\/index|pay\/\w{0,20}\/orderid|order\/\w{0,20}\/id)\/" "chain,t:none,t:urlDecodeUni" SecRule MATCHED_VAR "@contains '" "t:none" # DEFA-1927 SecRule REQUEST_METHOD "@rx ^POST$" "id:77140936,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Webmin 1.920 Unauthenticated RCE vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'other_apps',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@endsWith password_change.cgi" "chain,t:none,t:normalizePath" SecRule &ARGS:user "@gt 0" "chain,t:none" SecRule &ARGS:expired "@gt 0" "chain,t:none" SecRule ARGS:old "@pm | & ; $ `" "t:none,t:urlDecodeUni" # DEFA-1955 SecRule ARGS:destination "@streq node" "id:77140940,chain,phase:2,block,log,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Drupal 7 SQL Injection vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'drupal_core'" SecRule ARGS:form_id 
"@streq user_login_block" "chain,t:none,t:lowercase" SecRule ARGS_NAMES "^name\[[\w\s]*[;'\)]" "t:none,t:urlDecodeUni" # DEFA-1956 SecRule REQUEST_FILENAME "@endsWith install/install.php" "id:77140941,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: OsCommerce 2.3.4.1 Remote Code Execution vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule ARGS:step "@streq 4" "chain,t:none" SecRule &ARGS:DIR_FS_DOCUMENT_ROOT "@gt 0" "chain,t:none" SecRule ARGS:DB_DATABASE "@rx \);" "t:none,t:urlDecodeUni" # DEFA-1978 SecRule REQUEST_FILENAME "@endsWith lib/redactor/file_upload.php" "id:77140943,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop Lib module Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1979 SecRule REQUEST_FILENAME "@endsWith psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php" "id:77140944,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop ModTheme Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1981 SecRule REQUEST_FILENAME "@endsWith nvn_export_orders/upload.php" "id:77140945,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop nvn_export_orders Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1982 
SecRule REQUEST_FILENAME "@endsWith pk_flexmenu/ajax/upload.php" "id:77140946,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop FlexMenu Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1983 SecRule REQUEST_FILENAME "@endsWith wdoptionpanel/wdoptionpanel_ajax.php" "id:77140947,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop wdoptionpanel Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule ARGS:data "@streq bajatax" "chain,t:none,t:lowercase" SecRule ARGS:type "@streq image_upload" "chain,t:none,t:lowercase" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # DEFA-1984 SecRule REQUEST_FILENAME "@endsWith fieldvmegamenu/ajax/upload.php" "id:77140948,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop Fieldvmegamenu Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-1992 SecRule REQUEST_FILENAME "@endsWith wg24themeadministration/wg24_ajax.php" "id:77140950,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop wg24themeadministration Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule ARGS:data "@streq bajatax" "chain,t:none,t:lowercase" SecRule ARGS:type "@streq pattern_upload" "chain,t:none,t:lowercase" SecRule FILES "@rx 
(\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace" # DEFA-1994 SecRule REQUEST_FILENAME "@rx cartabandonmentpro(Old)?/upload\.php" "id:77140952,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop cartabandonmentpro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2002 SecRule REQUEST_FILENAME "@rx 1?attributewizardpro(_x|\.OLD)?/file_upload\.php" "id:77140954,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop attributewizardpro Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2003 SecRule REQUEST_FILENAME "@rx (jro_)?homepageadvertise2?/uploadimage\.php" "id:77140955,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop homepageadvertise Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # DEFA-2006 SecRule REQUEST_FILENAME "@rx (productpageadverts|simpleslideshow|vtermslideshow|soopabanners|soopamobile|columnadverts)/uploadimage\.php" "id:77140956,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop productpageadverts, simpleslideshow, vtermslideshow, soopabanners, soopamobile and columnadverts Arbitrary File Upload vulnerability||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'other_apps'" SecRule FILES "@rx 
(\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:none,t:lowercase,t:urlDecodeUni,t:removeWhitespace" # ICO infection malware activity SecRule REQUEST_FILENAME "@rx [0-9a-z]{4,15}\.php\d?$" "id:77140958,chain,phase:2,block,log,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Malware (.ico) interaction interface request blocked||MVN:%{MATCHED_VAR_NAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360custom'" SecRule &ARGS "@eq 1" "t:none,chain" SecRule ARGS "@rx ^[0-9a-h]{10000,16384}" "t:none" # DEFA-2071 SecRule REQUEST_FILENAME "@rx eval-stdin\.php" "id:77140967,chain,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: PrestaShop PHPUnit Arbitrary Code Execution vulnerability (CVE-2017-9841)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360custom'" SecRule REQUEST_URI "@rx \/vendor" "t:none,t:lowercase" SecRule REQUEST_METHOD "@rx ^POST$" "id:77140992,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Suspicious access attempt (WP folders)!||SC:%{SCRIPT_FILENAME}||REQUEST_URI:%{REQUEST_URI}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'" SecRule REQUEST_URI "@rx wp-(?:includes|content|admin)" "chain,t:none" SecRule REQUEST_FILENAME "@rx (\.htaccess|\.(pht|phtml|php\d?)$)" "chain,t:none" SecRule REQUEST_FILENAME "!@pmFromFile path_excludes" "t:none" # DEFA-2189 Malicious files execution in solid_best_corp plugin SecRule REQUEST_URI "@rx wp-content\/plugins\/solid_best_corp\/" "id:77140997,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Malicious plugin Solid Best Corp||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'" # DEFA-2243 SecRule REQUEST_URI "@rx \/statis-{1,20}\d{1,5}\'" "id:77141005,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:removeWhitespace,msg:'IM360 WAF: Remote SQL Injection Vulnerability in Lokomedia 
CMS||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'" # DEFA-2290 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:77141006,chain,msg:'IM360 WAF: ThemeGrill Demo Importer Auth Bypass & Database Wipe||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,severity:2,tag:'service_i360custom'" SecRule &ARGS:do_reset_wordpress "!@eq 0" "t:none" # DEFA-2357 SecRule REQUEST_METHOD "@streq POST" "id:77141038,chain,phase:2,block,severity:2,log,t:none,msg:'IM360 WAF: Arbitrary file upload in class.upload.php (CVE-2019–19576)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_HEADERS:Content-Disposition "@rx \.(jpg|jpeg|jpe|gif|webp|png|bmp|flif)\.(pht|phar)" "t:none,t:lowercase,t:urlDecodeUni" # DEFA-3951 SecRule ARGS|FILES "@rx \/home\/[\w\.\/]{1,128}\/(?:\.contactemail|(?:cpanel\/)?\.?contactinfo)$" "id:77141050,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: Creating and modification of cPanel contacts||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule REQUEST_FILENAME "@endsWith dompdf.php" "id:77141054,chain,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,msg:'IM360 WAF: LFI vlnerability in dompdf||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:input_file "@beginsWith php://" "t:none,t:urlDecode" # DEFA-2351 SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "id:77141064,chain,phase:2,pass,log,t:none,severity:5,t:urlDecodeUni,msg:'IM360 WAF: CMS Recon Bot detected||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||RM:%{REQUEST_METHOD}',tag:'service_i360custom',tag:'noshow',tag:'im360_req_get'" SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" # DEFA-2656 SecRule 
ARGS|REQUEST_COOKIES "@pmFromFile bl_uri" "id:77142102,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,msg:'IM360 WAF: Block URI containing malicious URLs||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'" # DEFA-2679 SecRule REQUEST_FILENAME "@endsWith /install/index.php.bak" "id:77142111,chain,msg:'IM360 WAF: Dedecms variable coverage leads to getshell (CVE-2015-4553)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:lowercase,severity:2,tag:'other_apps'" SecRule ARGS:install_demo_name "@streq ../data/admin/config_update.php" "t:none,t:lowercase" # DEFA-2746 SecRule REQUEST_METHOD "@rx ^POST$" "id:77142146,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Multiple path traversal Vulnerabilities||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360',tag:'im360_req_post'" SecRule FILES "!@rx ^$" "chain,t:none,t:normalizePath" SecRule ARGS:jpath "@rx \.\.\/" "t:urlDecodeUni,t:removeWhitespace,t:normalizePath" # DEFA-2772 SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_uri" "id:77142167,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,t:base64Decode,msg:'IM360 WAF: Block URI containing malicious URLs||T:APACHE||MVN:%{MATCHED_VAR_NAME}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom'" # DEFA-2862 SecRule REQUEST_BASENAME "@rx (\.swp|~)$" "id:77142201,pass,phase:2,severity:5,log,msg:'IM360 WAF: Possible enumeration of sensitive data (dirb)||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # DEFA-2875 SecRule REQUEST_URI "@contains /whmcs/password/reset" "id:77142203,severity:5,phase:2,log,pass,t:removeWhitespace,msg:'IM360 WAF: WHMCS Password Reset Attempt||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # DEFA-2875 SecRule REQUEST_URI "@contains clientarea.php?backupcode=1" 
"id:77142204,severity:5,phase:2,log,pass,t:urlDecodeUni,t:removeWhitespace,msg:'IM360 WAF: WHMCS 2FA possible abuse||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # DEFA-2835 SecRule REQUEST_FILENAME "@contains gponform/diag_form" "chain,id:77142207,severity:2,phase:2,deny,log,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: GPON Routers - Authentication Bypass / Command Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:diag_action "@streq ping" "chain,t:none" SecRule ARGS:dest_host "@rx [^\da-zA-Z\-_\:\.]" "t:none" # DEFA-2985 SecRule REQUEST_FILENAME "@contains wp-admin" "chain,id:77142222,phase:2,severity:5,pass,log,t:none,t:normalizePath,msg:'IM360 WAF: Letsmakeparty3 campaign - malware redirection (ebor framework v1)||T:APACHE||ARGS.%{MATCHED_VAR_NAME}:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'noshow'" SecRule ARGS:rectangle_name|ARGS:rectangle_opacity "@contains <script" "t:none,t:lowercase" # DEFA-3002 SecRule ARGS|REQUEST_URI "@rx -ddisable_functions=null" "chain,id:77142242,block,log,phase:2,severity:2,t:none,t:lowercase,t:removeWhitespace,t:htmlEntityDecode,multimatch,msg:'IM360 WAF: PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||PREPEND_FILE:%{TX.1}||',tag:'service_i360custom'" SecRule MATCHED_VAR "@rx -dsafe_mode=off" "chain,t:none,t:lowercase,t:removeWhitespace,t:htmlEntityDecode,multimatch" SecRule MATCHED_VAR "@rx -dallow_url_include=on" "chain,t:none,t:lowercase,t:removeWhitespace,t:htmlEntityDecode,multimatch" SecRule MATCHED_VAR "@rx -dauto_prepend_file=([^$])" "t:none,t:lowercase,t:removeWhitespace,t:urlDecodeUni,t:htmlEntityDecode,multimatch" # DEFA-3011 SecRule ARGS:pass|ARGS:pw "@endsWith salakala123" "id:77142244,phase:2,severity:2,deny,log,t:none,t:normalizePath,msg:'IM360 WAF: Malware interaction detected (SMW-INJ-15429)||T:APACHE||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'" # 
# DEFA-3005
# 77142245: SEOmatic meta-container request that carries a "uri" argument.
SecRule REQUEST_URI "@contains seomatic/meta-container" "chain,id:77142245,phase:2,block,log,severity:2,msg:'IM360 WAF: RCE on SEOmatic < 3.3.0 (CVE-2020-9757)||ARGS.uri:%{ARGS.uri}||T:APACHE||',tag:'service_i360custom'"
SecRule &ARGS:uri "@gt 0" "t:none"

# DEFA-2972
# 77142251: PrestaShop mega-menu PHP-code endpoint with a "code" argument starting with system.
SecRule REQUEST_FILENAME "@endsWith /bamegamenu/ajax_phpcode.php" "chain,id:77142251,phase:2,severity:2,deny,log,t:none,t:normalizePath,msg:'IM360 WAF: PrestaShop Responsive Mega Menu module < 1.7.2.5 arbitrary code execution (CVE-2018-8823)||T:APACHE||ARGS.code:%{ARGS.code}||',tag:'service_i360custom'"
SecRule ARGS:code "@rx ^system" "t:none"

# DEFA-3090
# 77142252: any subWidgets* argument containing "(", ")" or ";" on the vBulletin widget renderer.
SecRule REQUEST_URI "@contains ajax/render/widget" "chain,id:77142252,block,log,phase:2,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: vBulletin RCE bypass (CVE-2019-16759)||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}',tag:'service_i360custom'"
SecRule ARGS:/^subWidgets/ "@rx [\x28\x29\x3b]" "t:none"

# DEFA-3101
# 77142257: Zeroshell kerbynet CGI called with any of the type/x509type/user arguments.
SecRule REQUEST_FILENAME "@endsWith /cgi-bin/kerbynet" "id:77142257,chain,phase:2,block,log,severity:2,msg:'IM360 WAF: Zeroshell RCE||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_gen'"
SecRule &ARGS:type|&ARGS:x509type|&ARGS:user "@gt 0" "t:none,t:lowercase"

# DEFA-3027
# 77316724: ThinkCMF template write - "a" contains fetch/display, templateFile is present,
# prefix carries a quote and content carries a PHP open tag.
SecRule ARGS:a "@pm fetch display" "id:77316724,chain,phase:2,block,log,severity:2,msg:'IM360 WAF: File Upload/RCE in ThinkCMF||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule &ARGS:templateFile "@gt 0" "chain,t:none"
SecRule ARGS:prefix "@contains '" "chain,t:none,t:htmlEntityDecode"
SecRule ARGS:content "@contains <?php" "t:none,t:htmlEntityDecode"

# DEFA-3100
# 77316728: Netgear setup.cgi chain. Requests whose REMOTE_ADDR is 192.168.1.1 are exempted by the
# negated ipMatch link; the remaining links continue on the next line.
SecRule REQUEST_FILENAME "@endsWith /setup.cgi" "id:77316728,chain,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Netgear unauthenticated RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule REMOTE_ADDR "!@ipMatch 192.168.1.1" "chain,t:none"
SecRule 
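ARGS:next_file "@streq netgear.cfg" "chain,t:none"
SecRule ARGS:todo "@streq syscmd" "chain,t:none"
SecRule &ARGS:currentsetting.htm "@ge 1" "chain,t:none"
SecRule ARGS:cmd "@rx \/tmp[^;]{0,128};\s?wget[+\s]{1,12}https?:\/\/[^;]{4,512};" "t:none,t:compressWhitespace,t:htmlEntityDecode"

# DEFA-3100
# 77142258 / 77142260 / 77142261: IoT admin endpoints (login.cgi, boaform ping/tracert, ping.cgi)
# whose command-style argument carries a "wget http(s)://" download.
SecRule REQUEST_FILENAME "@endsWith login.cgi" "id:77142258,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule ARGS:cli "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:compressWhitespace,t:htmlEntityDecode"

# DEFA-3100
# 77142260: t:lowercase runs before the regex, so the original "form(?:Ping|Tracert)" (upper-case
# P and T) could never match the lower-cased URI; the alternatives are now lower-case.
SecRule REQUEST_URI "@rx \/boaform\/admin\/form(?:ping|tracert)" "id:77142260,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule ARGS:target_addr "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:compressWhitespace,t:htmlEntityDecode"

# DEFA-3100
SecRule REQUEST_FILENAME "@endsWith ping.cgi" "id:77142261,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
SecRule &ARGS:sessionKey "@gt 0" "chain,t:none"
SecRule ARGS:pingIpAddress "@rx [\s\+]?wget\shttps?:\/\/([^\s\+])" "t:none,t:compressWhitespace,t:htmlEntityDecode"

# DEFA-3100
# 77142262: generic ";wget http(s)://" in args, URI or XML body - log-only (pass), unlike the
# endpoint-specific rules above.
SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]?wget\shttps?:\/\/([^\s\+])" "id:77142262,phase:2,pass,log,severity:2,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3100
# 77142264: ";sh /tmp/<file>" chained command - actions continue on the next line.
SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]?sh[\s\+]\/tmp\/([^\s\+])" 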
"id:77142264,phase:2,block,log,severity:2,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3100
# 77142265: ";rm -rf *" in args, URI or XML body.
SecRule ARGS|REQUEST_URI|XML:/* "@rx ;[\s\+]?rm[\s\+]-rf[\s\+]\*" "id:77142265,phase:2,block,log,severity:2,t:none,t:normalizePath,t:compressWhitespace,t:lowercase,msg:'IM360 WAF: IOT unauthenticated file upload and RCE||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# 77316736: log-only marker for requests whose body the engine failed to parse (REQBODY_ERROR=1).
SecRule REQBODY_ERROR "@eq 1" "id:77316736,phase:2,pass,log,severity:5,msg:'IM360 WAF: Request body parsing error||T:APACHE||',tag:'service_i360custom'"

# DEFA-3272
# 77316739: ajax-index.php called with "url" as the one and only argument.
SecRule REQUEST_FILENAME "@endsWith /ajax-index.php" "id:77316739,chain,block,log,t:none,t:normalizePath,t:lowercase,severity:2,msg:'IM360 WAF: Block interaction with backdoor||ARGS.url:%{ARGS.url}||T:APACHE||',tag:'service_i360custom'"
SecRule &ARGS:url "@gt 0" "chain,t:none,t:lowercase"
SecRule &ARGS "@eq 1" "t:none"

# DEFA-3348
# 77316741 / 77316742 / 77316743 / 77316745: decode-heavy generic injection checks. multiMatch
# re-runs the operator after every transformation step, so the pattern is tried on the partially
# decoded forms as well as the final one.
SecRule REQUEST_URI "@rx system\s?\(\s?[\x22\x27]" "id:77316741,phase:2,log,block,severity:2,t:urlDecode,t:lowercase,t:htmlEntityDecode,t:hexDecode,multiMatch,msg:'IM360 WAF: Perl command injection attempt||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3351
SecRule ARGS "@rx ^[\.,\d]{0,10}[\x22\x27]\x3e\x3c" "id:77316742,phase:2,log,block,severity:2,t:htmlEntityDecode,t:hexDecode,multiMatch,msg:'IM360 WAF: Generic XSS exploitation attempt||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3348
SecRule ARGS|REQUEST_LINE "@rx (?:rm -rf \.\.\/\.\.\/\.\.\/)|(?:cat \/tmp\/[^\s]{1,100}\s\x3c)" "id:77316743,phase:2,log,block,severity:2,t:urlDecode,t:lowercase,t:htmlEntityDecode,t:hexDecode,multimatch,msg:'IM360 WAF: Command injection attempt||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3348
SecRule ARGS|REQUEST_LINE "@rx (?:wget 
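https?\:\/\/pastebin\.com\/raw\/)" "id:77316745,phase:2,log,block,severity:2,t:urlDecode,t:lowercase,t:htmlEntityDecode,t:hexDecode,multimatch,msg:'IM360 WAF: Suspicious url download attempt||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-3435
# 77316749: POST to the Magento webforms upload handler.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316749,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Magento Webforms Arbitrary File Upload||SC:%{SCRIPT_FILENAME}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@endsWith /js/webforms/upload/index.php"

# DEFA-3441
SecRule REQUEST_URI "@endsWith /ui/js/3rd/plupload/examples/upload.php" "id:77316750,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Yeager CMS Arbitrary File Upload (CVE-2015-7571)||SC:%{SCRIPT_FILENAME}||T:APACHE||REQUEST_URI:%{REQUEST_URI}||',tag:'service_i360custom'"

# DEFA-3450
# 77316751: log-only (pass). The pattern was written as "/\/(?:tim)?thumb\d?\.php/" - ModSecurity
# has no slash-delimited regex syntax, so the outer slashes were literal and required "//...php/",
# which t:normalizePath collapses away. The delimiters are dropped and the operator made explicit.
SecRule REQUEST_URI "@rx \/(?:tim)?thumb\d?\.php" "id:77316751,pass,log,t:none,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: Vulnerable TimThumb script requested||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"

# DEFA-3485
# 77316756 / 77316757 / 77316758: log-only (pass) access monitors for nulled-plugin files, .env and
# the bl_web_files list.
SecRule REQUEST_FILENAME "@rx \/wpnull.{1,200}\.(?:php|html)" "id:77316756,pass,log,phase:2,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious files access||T:APACHE||QS:%{QUERY_STRING}',tag:'service_i360custom',tag:'service_i360',tag:'noshow'"

# DEFA-3512
SecRule REQUEST_FILENAME "@endsWith /.env" "id:77316757,pass,log,phase:2,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Laravel env file access||T:APACHE||QS:%{QUERY_STRING}',tag:'service_i360custom',tag:'service_i360',tag:'noshow'"

# DEFA-3512
SecRule REQUEST_FILENAME "@pmFromFile bl_web_files" "id:77316758,pass,log,phase:2,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Private file access||T:APACHE||QS:%{QUERY_STRING}',tag:'service_i360custom',tag:'service_i360',tag:'noshow'"

# DEFA-3501
# 77316760: double-extension upload check - pattern continues on the next line.
SecRule REQUEST_FILENAME "@rx 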
\.(phar|php|pl|py|cgi|asp|js|html|htm|phtml)\.(txt|jpeg|jpg|gif|png)$" "id:77316760,pass,log,t:none,t:normalizePath,t:lowercase,severity:5,msg:'IM360 WAF: CMS Drupal CVE-2020-13671 - double extention found||T:APACHE||User:%{SCRIPT_USERNAME}||MV:%{MATCHED_VAR}||',tag:'drupal_core',tag:'noshow'"

# DEFA-3521
# 77316761: any request into the two listed malicious plugin directories.
SecRule REQUEST_URI "@rx \/wp-content\/plugins\/(ubh|api-wp)\/" "id:77316761,block,log,severity:2,phase:2,t:none,t:lowercase,msg:'IM360 WAF: Block interaction with malicious plugin||T:APACHE||SC:%{SCRIPT_FILENAME}||REQUEST_URI:%{REQUEST_URI}||',tag:'service_i360custom'"

# DEFA-3523
# 77316762: log-only (pass) - WHMCS login failure redirect.
SecRule REQUEST_URI "@contains clientarea.php?incorrect=true" "id:77316762,phase:2,pass,log,severity:5,t:urlDecodeUni,t:removeWhitespace,msg:'IM360 WAF: WHMCS failed authorization||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'service_i360custom'"

# DEFA-3485
SecRule REQUEST_FILENAME "@pm /.class-wp-cache.php" "id:77316766,pass,log,phase:2,severity:5,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: Suspicious files access||T:APACHE||QS:%{QUERY_STRING}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom',tag:'service_i360',tag:'noshow'"

# DEFA-3547
# 77316769: log-only (pass) - Drupal login POST (form_build_id present) with name=root and an
# empty pass. The leading ARGS:q link only requires that "q" is present and non-empty.
SecRule ARGS:q "!@rx ^$" "id:77316769,chain,pass,log,phase:2,severity:2,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Drupal CMS root empty password attempt||T:APACHE||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
SecRule ARGS:form_build_id "@beginsWith form-" "chain,t:none,t:urlDecode"
SecRule ARGS:name "@rx ^root$" "chain,t:none,t:urlDecode"
SecRule ARGS:pass "@rx ^$" "t:none,t:urlDecode"

# DEFA-3620
# 77316775: Laravel ignition execute-solution POST whose viewFile is neither a .blade.php template
# nor a path starting with "/" or "./" - remaining links continue on the next line.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316775,chain,block,log,t:none,severity:2,msg:'IM360 WAF: RCE vulnerability in Laravel < 8.4.2 ignition module (CVE-2021-3129)||T:APACHE||MV:%{ARGS.viewFile}||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI 
"@endsWith ignition/execute-solution" "chain,t:none,t:normalizePath"
SecRule ARGS:viewFile "!@endsWith .blade.php" "chain,t:none"
SecRule ARGS:viewFile "!@rx ^(\/|\.\/)" "t:none"

# DEFA-3652
# 77316781: GET of qnap_firmware.xml with a 10-digit "t" argument.
SecRule REQUEST_METHOD "@streq GET" "id:77316781,chain,msg:'IM360 WAF: QSnatch malware test attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,severity:2,tag:'service_i360custom',tag:'im360_req_get'"
SecRule REQUEST_FILENAME "@endsWith /qnap_firmware.xml" "chain,t:none,t:normalizePath"
SecRule ARGS:t "@rx \d{10}" "t:none,t:urlDecodeUni"

# DEFA-3651 #DEFA-4530
# 77316784: log-only trap - exactly 8 cookies on a request for one of the listed infected-file
# paths. trap_cookie.lua (not shown here) runs as a chain link; the trailing "&ARGS @ge 0" link
# always matches and keeps the chain well-formed where Lua support is absent.
SecRule &REQUEST_COOKIES "@eq 8" "id:77316784,chain,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Intercept access to file infected with SMW-INJ-19271-php||T:APACHE||',tag:'noshow'"
SecRule REQUEST_FILENAME "@pm /nodeps/nodeps.php /wp-includes/data.php /wp-admin/service.php /cgi-bin/core.php /cgi-bin/class.php /cgi-bin/include.php /plugins/wp-light/wp-light.php /core/service.php /service.php /library/index.php /inc/index.php /wp-content/core.php" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase"
SecRuleScript trap_cookie.lua "chain,t:none"
SecRule &ARGS "@ge 0" "t:none"
# ^ Do not delete this line, fix for systems without LUA

# 77316792: phase 5 (logging) - records TX.cook_info (presumably set by trap_cookie.lua) when
# TX.cookie_trapped is 1; nolog,auditlog means it is written to the audit log only.
SecRule TX:cookie_trapped "@eq 1" "id:77316792,phase:5,pass,nolog,auditlog,severity:7,t:none,msg:'Tracked:%{TX.cook_info}||T:APACHE||',tag:'service_i360',tag:'noshow'"

# DEFA-3651 #DEFA-4530
# 77316794: 8 cookies plus a numerically-named cookie holding one of the rot13-style markers.
SecRule &REQUEST_COOKIES "@eq 8" "id:77316794,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Block request to known infected file||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||Tracked:%{TX.cook_info}||',tag:'service_i360custom'"
SecRule REQUEST_COOKIES:/^\d\d?$/ "@rx ^(str_ro|tr_rot13|str_r|ot13|rot13|t13|perngr|shapgvba|onfr6)$" "t:none"

# DEFA-3673
# 77316791: log-only (pass) - Magento guest-cart payment POST without any of the three session
# cookies listed on the next line.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316791,chain,pass,log,severity:5,t:none,msg:'IM360 WAF: Possible Magento carding attack||T:APACHE||',tag:'other_apps',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@rx guest-carts\/[a-z0-9]{32}\/payment-information$" "chain,t:none,t:normalizePath,t:lowercase"
SecRule &REQUEST_COOKIES:form_key|&REQUEST_COOKIES:paypal-billing-agreement|&REQUEST_COOKIES:mage-cache-storage-section-invalidation "@eq 0"

# DEFA-3398
# 77316798: exact-match User-Agent strings of the KashmirBlack botnet.
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:ArcherGhost8|banana|ArcherGhost|ArcherGhostNotify)$" "id:77316798,block,log,t:none,severity:2,msg:'IM360 WAF: Found User-Agent KashmirBlack||User-Agent:%{REQUEST_HEADERS.User-Agent}||T:APACHE||',tag:'service_i360custom'"

# DEFA-3709
# 77316801: upload to the Magento webforms handler whose file name is .htaccess or a PHP variant.
SecRule REQUEST_METHOD "^POST$" "id:77316801,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Magento Webforms Upload Vulnerability||Request-URI:%{REQUEST_URI}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_URI "@contains /js/webforms/upload/" "chain,t:none,t:urlDecodeUni,t:normalizePath"
SecRule FILES "@rx (\.htaccess|.+\.(pht|phtml|php\d?)$)" "t:urlDecodeUni,t:removeWhitespace"

# DEFA-3724
# 77316803: blocks a wcuf_file_name whose 3-4 letter extension is not made only of the listed letters.
SecRule REQUEST_METHOD "^POST$" "id:77316803,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Unauthenticated Arbitrary File Upload in WooCommerce Upload Files (CVE-2021-24171)||File:%{ARGS.wcuf_file_name}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule ARGS:wcuf_file_name "!@rx \.[bcdefgijlmnopstvx]{3,4}$" "t:none"

# DEFA-3915
# 77316824 / 77316825: SQL fragments in the User-Agent of a POST to a .php script.
SecRule REQUEST_METHOD "@rx POST" "id:77316824,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Blind SQLi via request headers detected||User-Agent:%{REQUEST_HEADERS.User-Agent}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith .php" "chain,t:none,t:normalizePath"
SecRule REQUEST_HEADERS:User-Agent "@rx ^'\s?(?:and|or|if|\x7c|&)[\s\x28]" "t:none,t:urlDecode,t:lowercase"

# DEFA-3915
SecRule REQUEST_METHOD "@rx POST" "id:77316825,chain,phase:2,deny,log,severity:2,t:none,msg:'IM360 WAF: Blind SQLi via request headers 
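detected||User-Agent:%{REQUEST_HEADERS.User-Agent}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_post'"
SecRule REQUEST_FILENAME "@endsWith .php" "chain,t:none,t:normalizePath"
SecRule REQUEST_HEADERS:User-Agent "@rx (benchmark|sleep)\s?\x28\d" "t:none,t:urlDecode,t:lowercase"

# DEFA-4006
# 77316896: response-type headers seen on a request (log-only). The original selector ended in
# "...|Server-Timing$)", which anchored only the last alternative; the "$" is moved outside the
# group so every listed name is an exact match. The rule also resets TX.header_int, which the
# five counting rules below increment and 77316895 compares against.
SecRule REQUEST_HEADERS:'/^(?:X-DNS-Prefetch-Control|Feature-Policy|Clear-Site-Data|Large-Allocation|Server-Timing)$/' "!@rx ^$" "id:77316896,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||Header:%{MATCHED_VAR_NAME}||Data:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=0"
SecRule &REQUEST_HEADERS:X-DNS-Prefetch-Control "@gt 0" "id:77316889,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=+1"
SecRule &REQUEST_HEADERS:Feature-Policy "@gt 0" "id:77316890,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=+1"
SecRule &REQUEST_HEADERS:Clear-Site-Data "@gt 0" "id:77316891,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=+1"
SecRule &REQUEST_HEADERS:Large-Allocation "@gt 0" "id:77316892,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=+1"
SecRule &REQUEST_HEADERS:Server-Timing "@gt 0" "id:77316893,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||T:APACHE||',tag:'noshow',tag:'service_i360custom',setvar:TX.header_int=+1"
# 77316895: two or more of the headers above on one request -> block.
SecRule TX:header_int "@gt 1" "id:77316895,phase:1,block,log,severity:2,t:none,msg:'IM360 WAF: Suspicious Request header block||T:APACHE||',tag:'service_i360custom'"

# DEFA-4169
# 77316897: known webshell file names anywhere in the URI - list continues on the next line.
SecRule REQUEST_URI "@pm wpindex.php xmlrp.php th3_err0r.php 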
larva.php" "id:77316897,phase:1,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Malicious file name in the URI||T:APACHE||',tag:'service_i360custom'"

# DEFA-4156
# 77316859: HTTP/1.1 POST with neither Transfer-Encoding nor Content-Length, outside the listed
# paths. pass only - no explicit log/nolog, so logging follows the default action set (not shown).
SecRule REQUEST_METHOD "@streq POST" "id:77316859,chain,phase:1,pass,severity:5,t:none,msg:'IM360 WAF: HTTP/1.1 POST request missing Content-Length Header||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" "chain"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "chain"
SecRule REQUEST_FILENAME "!@pm /wp-cron.php /wp-login.php /contact /index.php" "t:none,t:lowercase"

# DEFA-4353
# 77317941: the argument is literally named "0x[]"; both the raw and the %5B%5D-encoded spelling are selected.
SecRule ARGS:0x[]|ARGS:0x%5B%5D "@rx ^(androxgh0st|janc0xsec)$" "id:77317941,phase:2,severity:2,block,log,t:none,t:normalizePath,msg:'IM360 WAF: Laravel Apps Leaking Secrets exploit attempt||T:APACHE||',tag:'service_i360custom'"

# DEFA-4365
# 77317944: phase 3 (response headers) - pass with auditlog when the backend emitted
# Access-Control-Allow-Origin more than once.
SecRule &RESPONSE_HEADERS:Access-Control-Allow-Origin "@gt 1" "id:77317944,phase:3,t:none,pass,severity:5,auditlog,msg:'IM360 WAF: Multiple access-control-allow-origin header detected||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-4345
# 77317945 / 77317950 / 77317951 / 77317980 / 77317981: log-only (pass) visibility into xmlrpc.php
# usage - ?rsd discovery, system.listMethods, pingback.ping and system.multicall amplification.
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77317945,chain,msg:'IM360 WAF: Really Simple Discovery to xmlrpc||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_i360custom',tag:'noshow'"
SecRule &ARGS:rsd "@gt 0"

# DEFA-4345
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77317950,chain,msg:'IM360 WAF: XML all method list||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_i360custom',tag:'noshow'"
SecRule XML://methodName/text() "@contains system.listmethods" "t:none,t:lowercase"

SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77317951,chain,msg:'IM360 WAF: XML pingback 
attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_i360custom',tag:'noshow'"
SecRule XML://methodName/text() "@contains pingback.ping" "t:none,t:lowercase"

# 77317980 / 77317981: POST to xmlrpc.php whose body combines system.multicall with a
# credential-probing method (getUsersBlogs / getCategories).
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77317980,chain,msg:'IM360 WAF: XML Brute-Force Amplification||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none"
SecRule REQUEST_BODY "@contains system.multicall" "chain,t:none"
SecRule REQUEST_BODY "@contains .getUsersBlogs"

SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:77317981,chain,msg:'IM360 WAF: XML Brute-Force Amplification||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none"
SecRule REQUEST_BODY "@contains system.multicall" "chain,t:none"
SecRule REQUEST_BODY "@contains .getCategories"

# DEFA-3989
# 77316845: log-only (pass) - PHP eval/webshell fragments in the URI or uploaded file names.
SecRule REQUEST_URI|FILES "@pm =<php> <?php @eval($_POST" "id:77316845,phase:2,pass,log,severity:5,t:none,t:removeWhitespace,msg:'IM360 WAF: Suspicious input||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"

# DEFA-4020
SecRule REQUEST_URI|FILES "@contains config.bak.php" "id:77316846,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Malicious input||File:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom'"

# DEFA-4006
# 77316852: extended header-name list - selector continues on the next line.
SecRule 
REQUEST_HEADERS:'/^(?:x-dns-prefetch-control|feature-policy|clear-site-data|large-allocation|server-timing|age|clear-site-data|expires|last-modified|vary|set-cookie|set-cookie2|access-control-allow-origin|access-control-allow-credentials|access-control-allow-headers|access-control-allow-methods|access-control-expose-headers|access-control-max-age|timing-allow-origin|location|allow|server|cross-origin-embedder-policy|cross-origin-opener-policy|cross-origin-resource-policy|content-security-policy|content-security-policy-report-only|expect-ct|strict-transport-security|x-content-type-options|x-powered-by|x-xss-protection|public-key-pins|public-key-pins-report-only|retry-after|server-timing|x-robots-tag|sourcemap|x-sourcemap|sec-websocket-accept)$/' "!@rx ^$" "id:77316852,phase:1,pass,log,severity:5,t:none,msg:'IM360 WAF: Request header interception||Header:%{MATCHED_VAR_NAME}||Data:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'noshow',tag:'service_i360custom'"
# ^ 77316852: log-only - response-type headers appearing on a request. clear-site-data and
#   server-timing are listed twice; harmless, but could be deduplicated.

# 77317987: GET whose ARRAY argument contains a fixed backdoor marker.
SecRule REQUEST_METHOD "@streq GET" "id:77317987,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Backdoor external interaction||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'im360_req_get'"
SecRule ARGS:ARRAY "@contains 5o3939313633373430323231302p" "t:none"

# 77317988: denies direct web access to the quarantine/trash directories.
SecRule REQUEST_URI "@rx (\/\.security\/|\/\.quarantine\/|\/quarantine_clamavconnector\/|\/\.trash\/)" "id:77317988,block,log,severity:2,t:none,t:normalizePath,t:urlDecodeUni,t:lowercase,msg:'IM360 WAF: Block access to quarantined files||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# DEFA-4526
# WPT-62
# 77317989: log-only (pass). "capture" stores the word following the "/" inside the tag in TX.1;
# the second link (next line) checks that word against the bl_xss_input list.
SecRule ARGS|REQUEST_COOKIES "@rx <[^\/]+[\/](\w+)=\x22?\w+\([^\)]?\)[\x22>]" "chain,id:77317989,phase:2,pass,log,severity:5,t:none,t:urlDecode,t:removeWhitespace,capture,msg:'IM360 WAF: Suspicious XSS input||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||tx1:%{TX.1}||T:APACHE||',tag:'service_i360custom',tag:'noshow'"
SecRule TX:1 "@pmFromFile 
bl_xss_input" "t:none,t:lowercase"

# DEFA-4547
# Log4Shell (CVE-2021-44228) family. Rules come in pairs: the first of each pair inspects the
# decoded value, the second repeats the same check with an extra Base64 decode step
# (77317992/77317993, 77317994/77317995, and so on below).
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{jndi:(ldaps?|rmi|dns|iiop|https?|nis|nds|corba|\$\{(?:lower|upper)):" "id:77317992,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:urlDecode,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{jndi:(ldaps?|rmi|dns|iiop|https?|nis|nds|corba|\$\{(?:lower|upper)):" "id:77317993,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"

# 77317994 / 77317995: known JNDI exploit-kit gadget paths, confirmed by a "scheme://" in the
# same variable (second link).
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@pm /Basic/Command/Base64/ /Basic/ReverseShell/ /Basic/TomcatMemshell /Basic/JettyMemshell /Basic/WeblogicMemshell /Basic/JBossMemshell /Basic/WebsphereMemshell /Basic/SpringMemshell /Deserialization/URLDNS/ /Deserialization/CommonsCollections1/Dnslog/ /Deserialization/CommonsCollections2/Command/Base64/ /Deserialization/CommonsBeanutils1/ReverseShell/ /Deserialization/Jre8u20/TomcatMemshell /TomcatBypass/Dnslog/ /TomcatBypass/Command/ /TomcatBypass/ReverseShell/ /TomcatBypass/TomcatMemshell /TomcatBypass/SpringMemshell /GroovyBypass/Command/ /WebsphereBypass/Upload/" "id:77317994,chain,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule MATCHED_VAR "@rx (ldap|ldaps|rmi|dns|iiop|https?|nis|nds|corba):\/\/" 
"t:none,t:normalizePath"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@pm /Basic/Command/Base64/ /Basic/ReverseShell/ /Basic/TomcatMemshell /Basic/JettyMemshell /Basic/WeblogicMemshell /Basic/JBossMemshell /Basic/WebsphereMemshell /Basic/SpringMemshell /Deserialization/URLDNS/ /Deserialization/CommonsCollections1/Dnslog/ /Deserialization/CommonsCollections2/Command/Base64/ /Deserialization/CommonsBeanutils1/ReverseShell/ /Deserialization/Jre8u20/TomcatMemshell /TomcatBypass/Dnslog/ /TomcatBypass/Command/ /TomcatBypass/ReverseShell/ /TomcatBypass/TomcatMemshell /TomcatBypass/SpringMemshell /GroovyBypass/Command/ /WebsphereBypass/Upload/" "id:77317995,chain,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule MATCHED_VAR "@rx (ldap|ldaps|rmi|dns|iiop|https?|nis|nds|corba):\/\/" "t:none,t:normalizePath,t:Base64Decode"

# 77317996 / 77318012: nested-lookup obfuscation forms (the \$\{::-\w\} and \$\{\$\{lower: /
# upper: spellings), confirmed by a "://" in the same variable.
SecRule ARGS|REQUEST_HEADERS|REQUEST_COOKIES|QUERY_STRING|REQUEST_URI "@rx \$\{::-\w\}\$|\$\{\$\{(?:lower|upper):[\$\w]" "id:77317996,chain,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'"
SecRule MATCHED_VAR "@rx :\/\/" "t:none,t:normalizePath"
SecRule ARGS|REQUEST_HEADERS|REQUEST_COOKIES|QUERY_STRING|REQUEST_URI "@rx \$\{::-\w\}\$|\$\{\$\{(?:lower|upper):[\$\w]" "id:77318012,chain,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j 
(CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,tag:'other_apps'"
SecRule MATCHED_VAR "@rx :\/\/" "t:none,t:normalizePath,t:Base64Decode"

# 77318002 / 77318008: env-lookup obfuscation of "jndi:<scheme>:". In the second link each letter
# of jndi, the colon and the scheme name may be spelled either literally or as an env lookup
# whose default value is that letter (the \$\{env:[^:]+:-X\} alternatives).
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{env:" "chain,id:77318002,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'"
SecRule MATCHED_VAR "\{(?:j|\$\{env:[^:]+:-j\})(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:i|\$\{env:[^:]+:-i\})(?::|\$\{env:[^:]+:-:\})(?:(?:l|\$\{env:[^:]+:-l\})(?:d|\$\{env:[^:]+:-d\})(?:a|\$\{env:[^:]+:-a\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:r|\$\{env:[^:]+:-r\})(?:m|\$\{env:[^:]+:-m\})(?:i|\$\{env:[^:]+:-i\})|(?:d|\$\{env:[^:]+:-d\})(?:n|\$\{env:[^:]+:-n\})(?:s|\$\{env:[^:]+:-s\})|(?:i|\$\{env:[^:]+:-i\})(?:i|\$\{env:[^:]+:-i\})(?:o|\$\{env:[^:]+:-o\})(?:p|\$\{env:[^:]+:-p\})|(?:h|\$\{env:[^:]+:-h\})(?:t|\$\{env:[^:]+:-t\})(?:t|\$\{env:[^:]+:-t\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:n|\$\{env:[^:]+:-n\})(?:i|\$\{env:[^:]+:-i\})(?:s|\$\{env:[^:]+:-s\})|(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:s|\$\{env:[^:]+:-s\})|(?:c|\$\{env:[^:]+:-c\})(?:o|\$\{env:[^:]+:-o\})(?:r|\$\{env:[^:]+:-r\})(?:b|\$\{env:[^:]+:-b\})(?:a|\$\{env:[^:]+:-a\}))(?::|\$\{env:[^:]+:-:\})" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{env:" "chain,id:77318008,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j 
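(CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode,tag:'other_apps'"
SecRule MATCHED_VAR "\{(?:j|\$\{env:[^:]+:-j\})(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:i|\$\{env:[^:]+:-i\})(?::|\$\{env:[^:]+:-:\})(?:(?:l|\$\{env:[^:]+:-l\})(?:d|\$\{env:[^:]+:-d\})(?:a|\$\{env:[^:]+:-a\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:r|\$\{env:[^:]+:-r\})(?:m|\$\{env:[^:]+:-m\})(?:i|\$\{env:[^:]+:-i\})|(?:d|\$\{env:[^:]+:-d\})(?:n|\$\{env:[^:]+:-n\})(?:s|\$\{env:[^:]+:-s\})|(?:i|\$\{env:[^:]+:-i\})(?:i|\$\{env:[^:]+:-i\})(?:o|\$\{env:[^:]+:-o\})(?:p|\$\{env:[^:]+:-p\})|(?:h|\$\{env:[^:]+:-h\})(?:t|\$\{env:[^:]+:-t\})(?:t|\$\{env:[^:]+:-t\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:n|\$\{env:[^:]+:-n\})(?:i|\$\{env:[^:]+:-i\})(?:s|\$\{env:[^:]+:-s\})|(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:s|\$\{env:[^:]+:-s\})|(?:c|\$\{env:[^:]+:-c\})(?:o|\$\{env:[^:]+:-o\})(?:r|\$\{env:[^:]+:-r\})(?:b|\$\{env:[^:]+:-b\})(?:a|\$\{env:[^:]+:-a\}))(?::|\$\{env:[^:]+:-:\})" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode"

# 77318003 / 77318013 (CVE-2021-45046): sys: / ctx: lookups. The original pattern began with an
# unescaped dollar sign, which PCRE reads as an end-of-subject anchor, so the rule could never
# match (an unescaped dollar-brace in a directive is also exposed to httpd's Define-variable
# expansion). It is now escaped the same way as the jndi: rules above.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{(sys|ctx):[^\}]+\}" "id:77318003,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-45046)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{(sys|ctx):[^\}]+\}" "id:77318013,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j 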
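(CVE-2021-45046)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode,tag:'other_apps'"

# 77318004 / 77318009: log-only (pass) catch-all for any env-lookup prefix the stricter rules
# above did not block.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{env:" "id:77318004,msg:'IM360 WAF: Suspicious input like Log4j RCE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,severity:5,t:none,t:lowercase,t:urlDecode,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps',tag:'noshow'"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@rx \$\{env:" "id:77318009,msg:'IM360 WAF: Suspicious input like Log4j RCE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,severity:5,t:none,t:lowercase,t:urlDecode,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode,tag:'other_apps',tag:'noshow'"

# DEFA-4547
# Same Log4Shell checks applied to parameter/header/cookie/file *names* rather than values.
SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx \$\{jndi:(ldaps?|rmi|dns|iiop|https?|nis|nds|corba|\$\{(?:lower|upper)):" "id:77317997,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
# 77317998: the action list originally read "severity:2t:none" (missing comma), which drops the
# t:none reset and relies on the severity parser tolerating the trailing text; the comma is restored.
SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx \$\{jndi:(ldaps?|rmi|dns|iiop|https?|nis|nds|corba|\$\{(?:lower|upper)):" "id:77317998,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@pm /Basic/Command/Base64/ 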
/Basic/ReverseShell/ /Basic/TomcatMemshell /Basic/JettyMemshell /Basic/WeblogicMemshell /Basic/JBossMemshell /Basic/WebsphereMemshell /Basic/SpringMemshell /Deserialization/URLDNS/ /Deserialization/CommonsCollections1/Dnslog/ /Deserialization/CommonsCollections2/Command/Base64/ /Deserialization/CommonsBeanutils1/ReverseShell/ /Deserialization/Jre8u20/TomcatMemshell /TomcatBypass/Dnslog/ /TomcatBypass/Command/ /TomcatBypass/ReverseShell/ /TomcatBypass/TomcatMemshell /TomcatBypass/SpringMemshell /GroovyBypass/Command/ /WebsphereBypass/Upload/" "id:77317999,chain,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule MATCHED_VAR "@rx (ldap|ldaps|rmi|dns|iiop|https?|nis|nds|corba):\/\/" "t:none,t:normalizePath"

# 77318000: Base64-decoding counterpart of 77317999 (gadget paths in names, confirmed by scheme://).
SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@pm /Basic/Command/Base64/ /Basic/ReverseShell/ /Basic/TomcatMemshell /Basic/JettyMemshell /Basic/WeblogicMemshell /Basic/JBossMemshell /Basic/WebsphereMemshell /Basic/SpringMemshell /Deserialization/URLDNS/ /Deserialization/CommonsCollections1/Dnslog/ /Deserialization/CommonsCollections2/Command/Base64/ /Deserialization/CommonsBeanutils1/ReverseShell/ /Deserialization/Jre8u20/TomcatMemshell /TomcatBypass/Dnslog/ /TomcatBypass/Command/ /TomcatBypass/ReverseShell/ /TomcatBypass/TomcatMemshell /TomcatBypass/SpringMemshell /GroovyBypass/Command/ /WebsphereBypass/Upload/" "id:77318000,chain,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,phase:2,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"
SecRule MATCHED_VAR "@rx (ldap|ldaps|rmi|dns|iiop|https?|nis|nds|corba):\/\/" 
"t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx \$\{::-\w\}\$|\$\{\$\{(?:lower|upper):[\$\w]" "id:77318001,chain,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'" SecRule MATCHED_VAR "@rx :\/\/" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx \$\{::-\w\}\$|\$\{\$\{(?:lower|upper):[\$\w]" "id:77318014,chain,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,tag:'other_apps'" SecRule MATCHED_VAR "@rx :\/\/" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES|ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_BODY "@contains ${env:" "chain,id:77318018,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'" SecRule MATCHED_VAR "\$\{j\$\{[^:]+:[^:]+:-nd\}i\$\{" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@contains ${env:" "chain,id:77318005,msg:'IM360 WAF: Remote code execution vulnerability 
in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'" SecRule MATCHED_VAR "\{(?:j|\$\{env:[^:]+:-j\})(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:i|\$\{env:[^:]+:-i\})(?::|\$\{env:[^:]+:-:\})(?:(?:l|\$\{env:[^:]+:-l\})(?:d|\$\{env:[^:]+:-d\})(?:a|\$\{env:[^:]+:-a\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:r|\$\{env:[^:]+:-r\})(?:m|\$\{env:[^:]+:-m\})(?:i|\$\{env:[^:]+:-i\})|(?:d|\$\{env:[^:]+:-d\})(?:n|\$\{env:[^:]+:-n\})(?:s|\$\{env:[^:]+:-s\})|(?:i|\$\{env:[^:]+:-i\})(?:i|\$\{env:[^:]+:-i\})(?:o|\$\{env:[^:]+:-o\})(?:p|\$\{env:[^:]+:-p\})|(?:h|\$\{env:[^:]+:-h\})(?:t|\$\{env:[^:]+:-t\})(?:t|\$\{env:[^:]+:-t\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:n|\$\{env:[^:]+:-n\})(?:i|\$\{env:[^:]+:-i\})(?:s|\$\{env:[^:]+:-s\})|(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:s|\$\{env:[^:]+:-s\})|(?:c|\$\{env:[^:]+:-c\})(?:o|\$\{env:[^:]+:-o\})(?:r|\$\{env:[^:]+:-r\})(?:b|\$\{env:[^:]+:-b\})(?:a|\$\{env:[^:]+:-a\}))(?::|\$\{env:[^:]+:-:\})" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@contains ${env:" "chain,id:77318007,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-44228)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode,tag:'other_apps'" SecRule MATCHED_VAR 
"\{(?:j|\$\{env:[^:]+:-j\})(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:i|\$\{env:[^:]+:-i\})(?::|\$\{env:[^:]+:-:\})(?:(?:l|\$\{env:[^:]+:-l\})(?:d|\$\{env:[^:]+:-d\})(?:a|\$\{env:[^:]+:-a\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:r|\$\{env:[^:]+:-r\})(?:m|\$\{env:[^:]+:-m\})(?:i|\$\{env:[^:]+:-i\})|(?:d|\$\{env:[^:]+:-d\})(?:n|\$\{env:[^:]+:-n\})(?:s|\$\{env:[^:]+:-s\})|(?:i|\$\{env:[^:]+:-i\})(?:i|\$\{env:[^:]+:-i\})(?:o|\$\{env:[^:]+:-o\})(?:p|\$\{env:[^:]+:-p\})|(?:h|\$\{env:[^:]+:-h\})(?:t|\$\{env:[^:]+:-t\})(?:t|\$\{env:[^:]+:-t\})(?:p|\$\{env:[^:]+:-p\})(?:s|\$\{env:[^:]+:-s\})?|(?:n|\$\{env:[^:]+:-n\})(?:i|\$\{env:[^:]+:-i\})(?:s|\$\{env:[^:]+:-s\})|(?:n|\$\{env:[^:]+:-n\})(?:d|\$\{env:[^:]+:-d\})(?:s|\$\{env:[^:]+:-s\})|(?:c|\$\{env:[^:]+:-c\})(?:o|\$\{env:[^:]+:-o\})(?:r|\$\{env:[^:]+:-r\})(?:b|\$\{env:[^:]+:-b\})(?:a|\$\{env:[^:]+:-a\}))(?::|\$\{env:[^:]+:-:\})" "t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx ${(sys|ctx):[^\}]+\}" "id:77318006,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-45046)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@rx ${(sys|ctx):[^\}]+\}" "id:77318011,msg:'IM360 WAF: Remote code execution vulnerability in Apache Log4j (CVE-2021-45046)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,tag:'other_apps'" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@contains ${env:" "id:77318015,msg:'IM360 WAF: Suspicious input like Log4j 
RCE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,severity:5,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps',tag:'noshow'" SecRule ARGS_NAMES|REQUEST_HEADERS_NAMES|REQUEST_COOKIES_NAMES|FILES_NAMES "@contains ${env:" "id:77318010,msg:'IM360 WAF: Suspicious input like Log4j RCE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,severity:5,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:Base64Decode,tag:'other_apps',tag:'noshow'" # DEFA-4576 SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES "@rx \$\{\${::-\$\{::-\$\${::-\w{1,4}\}\}\}\}" "id:77318016,msg:'IM360 WAF: DOS in Log4j (CVE-2021-45105)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,tag:'other_apps'" SecRule ARGS|REQUEST_URI|REQUEST_HEADERS|REQUEST_COOKIES "@rx \$\{\${::-\$\{::-\$\${::-\w{1,4}\}\}\}\}" "id:77318017,msg:'IM360 WAF: DOS in Log4j (CVE-2021-45105)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:base64Decode,tag:'other_apps'" # DEFA-4623 SecRule ARGS|REQUEST_COOKIES "@rx [\x27\x22]\x20union\x20select\x20char\([^\)]+\),char\(" "id:77318024,msg:'IM360 WAF: Suspicious input like SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,tag:'other_apps'" SecRule ARGS|REQUEST_COOKIES "@rx \(select\*from\(select%20name_const\(" "id:77318025,msg:'IM360 WAF: Suspicious input like SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,tag:'other_apps'" SecRule ARGS|REQUEST_COOKIES "@rx \/\*\*\/(?:and|or|group)\/\*\*\/" "id:77318026,msg:'IM360 WAF: Suspicious input like 
SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,severity:2,t:none,t:lowercase,t:removeWhitespace,tag:'other_apps'" # DEFA-4632 SecRule ARGS:f "@rx \/(nmrtjoujadutreqj\/scrjkuhlebpzmtyo|bmluxzleairiek7s\/umvusxn4hvg3bzrf)\.txt" "id:77318027,phase:2,severity:2,deny,log,t:none,t:normalizePath,t:urlDecode,t:lowercase,msg:'IM360 WAF: Malware interaction detected||T:APACHE||SC:%{SCRIPT_FILENAME}',tag:'service_i360custom'" # DEFA-4561 SecRule RESPONSE_HEADERS:Protected-By "@rx W3LLSTORE" "id:77318028,phase:3,pass,log,severity:5,t:none,msg:'IM360 WAF: Track by suspicious header||args:%{ARGS}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360custom'" # DEFA-4560 SecRule ARGS:/vf* "@rx ^online\d+$" "id:77318029,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: Track by suspicious argument||args:%{ARGS}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360custom'" #DEFA-4653 SecRule REQUEST_URI "@contains /.git/" "id:77318034,phase:request,pass,log,severity:5,t:urlDecode,t:normalizePath,t:removeWhitespace,t:lowercase,msg:'IM360 WAF: Blocked access to git folder||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" # DEFA-4667 SecRule ARGS_GET:looping "@rx ^\d{1,3}$" "id:77318036,phase:5,pass,log,severity:5,t:none,t:removeNulls,t:removeWhitespace,msg:'IM360 WAF: Track by suspicious argument||Args:%{ARGS}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360custom'" # DEFA-4717 SecRule REQUEST_URI "@contains /wp-content/plugins/core-engine/" "id:77350006,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: SQLi in Adobe Commerce and Magento Open Source before 2.4.3-p1||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360'" SecRule REQUEST_URI "@rx '|\x22|\(" "t:none" # DEFA-4742 SecRule REQUEST_URI "@pm /checkout/cart/add/uenc/ /review/product/post/id/ 
/catalogsearch/result/ /gifts/devotional/ /mageworx_searchsuiteautocomplete/ajax/index/ /catalogsearch/searchTermsLog/save/ /search/ajax/suggest/" "id:77350010,chain,phase:2,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Inproper input validation in Adobe Commerce and Magento Open Source before 2.4.3||MVN:%{MATCHED_VAR_NAME}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360'" SecRule ARGS "@rx '|\x22|\)|\\win|\.\.\/|\:|\}" "t:none,t:htmlEntityDecode" # DEFA-4815 SecRule REQUEST_METHOD "^POST$" "id:77350025,chain,block,log,severity:2,t:none,msg:'IM360 WAF: RCE in Spring WebFlux via data binding (CVE-2022-22965)||T:APACHE||MV:%{MATCHED_VAR}||directory:%{tx.directory}',tag:'other_apps',tag:'im360_req_post'" SecRule ARGS:class.module.classLoader.resources.context.parent.pipeline.first.suffix "@rx \.jsp" "chain,t:none,t:lowercase" SecRule &ARGS:class.module.classLoader.resources.context.parent.pipeline.first.prefix "@gt 0" "chain,t:none" SecRule ARGS:class.module.classLoader.resources.context.parent.pipeline.first.directory "!@rx ^$" "chain,t:none,capture,setvar:tx.directory=%{MATCHED_VAR}" SecRule ARGS:class.module.classLoader.resources.context.parent.pipeline.first.pattern "@rx if\(\x22[^\x22]+\x22\.equals\(request\.getParameter\(\x22[^\x22]+\x22\)\)\)?\s?{\s?java\.io\.inputstream\s?in\s?=[^\.]+\.getruntime\(\)\.exec\(request.getparameter\(\x22[^\x22]+\x22\)\)\.getinputstream\(\);\s?int[^;]+;\s?byte[^;]+;\s?while\(\([^=]+=in\.read\([^\)]+\)\)!=-1\){out\.println\(new\s?string\([^\)]+\)\);}}" "t:none,t:lowercase,t:htmlEntityDecode" SecRule REQUEST_METHOD "^POST$" "id:77350026,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Track suspiciious Spring Framework requests||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'other_apps',tag:'im360_req_post'" SecRule ARGS:/class.* "!@rx ^$" "t:none" # WP THEME INJECTION BLOCK # Block by infection SecRule REQUEST_METHOD "@rx ^POST$" "id:77316874,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress 
theme edit. Block by infection||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/(?:admin-ajax|theme-editor)\.php|\/administrator\/index\.php)" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS "@rx \|amads['\x22]\.split\(['\x22]\|['\x22]\)[\h,]+\d+[\h,]+\{\}[\s\)]+" "t:none,t:htmlEntityDecode" # Block by infection SecRule REQUEST_METHOD "@rx ^POST$" "id:77316928,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress theme edit. Block by infection||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/(?:admin-ajax|theme-editor)\.php|\/administrator\/index\.php)" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS "@rx \|amads['\x22]\.split\(['\x22]\|['\x22]\)[\h,]+\d+[\h,]+\{\}[\s\)]+" "t:none,t:base64Decode,t:htmlEntityDecode" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316901,chain,block,log,t:none,severity:2,msg:'IM360 WAF: WordPress theme edit 2. Block by infection||File:%{ARGS.file}||Action:%{ARGS.action}||MVN:%{MATCHED_VAR_NAME}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@rx (?:\/wp-admin\/(?:admin-ajax|theme-editor)\.php|\/administrator\/index\.php)" "chain,t:none,t:urlDecodeUni,t:normalizePath" SecRule ARGS "@contains |amads'.split('" "t:none,t:htmlEntityDecode" SecRule ARGS "@contains amads'.split" "id:77316902,pass,log,t:none,t:htmlEntityDecode,severity:7,msg:'IM360 WAF: WordPress theme edit 2. Track by malsig||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule ARGS "@contains amads'.split" "id:77316927,pass,log,t:none,t:base64Decode,t:htmlEntityDecode,severity:7,msg:'IM360 WAF: WordPress theme edit 2. 
Track by malsig||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule ARGS "@rx \|amads['\x22]\.split\(" "id:77316930,pass,log,t:none,t:htmlEntityDecode,t:removeWhitespace,severity:7,msg:'IM360 WAF: WordPress theme edit 2. Track by malsig||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'noshow'" SecRule ARGS "@rx \|amads['\x22]\.split\(" "id:77316929,pass,log,t:none,t:base64Decode,t:htmlEntityDecode,t:removeWhitespace,severity:7,msg:'IM360 WAF: WordPress theme edit 2. Track by malsig||File:%{ARGS.file}||MVN:%{MATCHED_VAR_NAME}||Action:%{ARGS.action}||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'wp_core',tag:'noshow'" # DEFA-4866 SecRule REQUEST_METHOD "@rx ^POST$" "id:77350029,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Unrestricted File Upload vulnerability WSO2 (CVE-2022-29464)||T:APACHE||MV:%{MATCHED_VAR}||Files:%{FILES}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule REQUEST_URI "@pm /api/content/ /fileupload/ /upload" "chain,t:none,t:normalizePath" SecRule FILES "@rx \.\.\/\.\.\/" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350030,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Unrestricted File Upload vulnerability WSO2 (CVE-2022-29464)||T:APACHE||MV:%{MATCHED_VAR}||Files:%{FILES}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule FILES "@rx \.\.\/\.\.\/" "chain,t:none" SecRule FILES "@contains /webapps/" "t:none,t:normalizePath" SecRule REQUEST_METHOD "@rx ^POST$" "id:77350031,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Generic path traversal attempt||T:APACHE||MV:%{MATCHED_VAR}||Files:%{FILES}||',tag:'service_i360custom',tag:'im360_req_post'" SecRule FILES "@rx \.\.\/\.\.\/" "t:none" # DEFA-4870 SecRule ARGS:s "@contains index/think/" "id:77350032,chain,block,log,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Detected malicious code 
injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule ARGS:vars[1][]|ARGS:content "@rx <\?php \x40eval\($_(?:GET|POST)\[" "t:none" SecRule ARGS "@contains fwrite(fopen(" "id:77350033,chain,block,log,t:none,severity:2,msg:'IM360 WAF: Detected malicious code injection||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_i360custom'" SecRule MATCHED_VAR "@rx <\?php \x40eval\($_(?:GET|POST)\[" "t:none" # DEFA-4892 SecRule REQUEST_METHOD "^GET$" "id:77350038,chain,pass,log,severity:5,phase:2,t:none,msg:'IM360 WAF: Monitoring WordPress 5.3 User Enumeration attempts||T:APACHE||',tag:'wp_core',tag:'noshow',tag:'im360_req_get'" SecRule REQUEST_URI "@contains wp-json/wp/v2/users" "chain,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase" SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none" # DEFA-4911 SecRule ARGS_NAMES "^pwd163$" "chain,id:77350040,block,severity:2,t:none,msg:'IM360 WAF: Attempt to drop malware via existing backdoor||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'wp_core'" SecRule ARGS_NAMES "^zzz$" "t:none" # DEFA-4817 SecRule ARGS:action "@streq e6f21493034445f67394e2f2a72607e2972647d2a7c62776" "id:77350083,block,log,t:none,severity:2,msg:'IM360 WAF: Detected malicious argument||T:APACHE||',tag:'service_i360custom'" # DEFA-5013 SecRule ARGS:lt "@rx 503c138bd956ccbe9a63967ef1f22dac" "id:77350088,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Block malware communication||T:APACHE||',tag:'service_i360'" SecRule ARGS:a "@rx ZWNobyA0MDk3MjMqMjA7" "t:none" # DEFA-5254 SecRule ARGS|REQUEST_HEADERS "@pm ${script:javascript:java.lang.Runtime. 
${dns:address| ${file:UTF-8:/" "id:77350132,phase:2,block,log,severity:2,t:none,t:lowercase,t:normalizePath,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,msg:'IM360 WAF: Text4Shell vulnerability exploit attempt (CVE-2022-42889)||T:APACHE||',tag:'service_i360'" # DEFA-5310 SecRule REQUEST_METHOD "@rx POST" "id:77350136,chain,block,log,severity:2,t:none,phase:2,msg:'IM360 WAF: Block suspicious file upload||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360',tag:'im360_req_post'" SecRule REQUEST_FILENAME "@contains /admin_panel.php" "chain,t:none" SecRule ARGS:cms "@contains editalbum" "chain,t:none" SecRule FILES "@rx \.(?:p(?:[ly]|h(?:p[2-7s]?|t(?:ml)?)|if)|c(?:o(?:nf|m)|gi|md|nf|pl)|ht(?:access|passwd|ml?)|m(?:ht(?:ml)?|si)|j(?:html|sb?)|s(?:html|cr)|v(?:bs|xd)|xht(?:ml)?|i(?:ni|v)|bat|dll|exe|key|aspx?|sh|rb|js)$" SecRule REQUEST_FILENAME "@rx \/router[^\.]*\.php" "id:77350137,chain,block,log,severity:2,t:none,phase:2,msg:'IM360 WAF: Block malware iteraction||T:APACHE||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||',tag:'service_i360'" SecRule &ARGS:version "@gt 0" "chain,t:none" SecRule ARGS "@rx ^\x22ip\x22:\x22[^,]+,\x22time\x22:\d+,\x22hh\x22:\x22[0-9a-f]+\x22,\x22ext\x22:\x22zip\x22,\x22host\x22:\x22[^,]+,\x22filename\x22:\x22.+\x22$" "t:none,t:base64Decode" # DEFA-5440 SecRule &ARGS:cid "@gt 0" "id:77350147,chain,block,log,severity:2,t:none,phase:2,msg:'IM360 WAF: Block SocGholish malware iteraction||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_i360'" SecRule REQUEST_URI "@rx \/s_code.js" "chain,t:none" SecRule ARGS:r|ARGS:v "!@rx ^$" "t:none" SecRule REQUEST_URI "@rx \/report" "id:77350148,chain,pass,log,severity:5,t:none,phase:2,msg:'IM360 WAF: Track SocGholish malware iteraction||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',tag:'service_i360'" SecRule ARGS:r|ARGS:v "!@rx ^$" "t:none"