Filename :
409-ANTIMALWARE-PROTECTION-BN.conf
# ModSecurity request signatures for known PHP RCE, uploader and web-shell
# malware (per the msg fields below).
#
# Scoring model: every detection rule in this file increments
# tx.bn_inbound_found and carries no explicit disruptive action (deny/block/
# drop). What happens to a matching request therefore depends on
# SecDefaultAction and on whichever rule consumes tx.bn_inbound_found; neither
# is visible in this file -- confirm both before relying on these rules to block.
#
# Chains: each link of a chain is evaluated on its own against the whole
# collection it names, so the fragments matched by different links may sit in
# different cookies / parameters / headers, in any order.
#
# NOTE(review): the 24-hex-digit values in msg/logdata look like sample or
# signature identifiers; their source is not shown here.
#
# Most patterns key on parameter, cookie or header names that a specific sample
# happens to use, and only 409012 applies t:lowercase. Treat them as indicators
# for known samples that complement file-level scanning, not as generic coverage.

# 409001: cookie values that together contain "perngr_shapgvba" (the ROT13 form
# of "create_function"), "str_r", "ot13" and "array" followed by a digit.
SecRule REQUEST_COOKIES "@contains perngr_shapgvba" \
    "id:409001,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)',\
    msg:'Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)'"
    SecRule REQUEST_COOKIES "@contains str_r" "chain,t:none"
    SecRule REQUEST_COOKIES "@contains ot13" "chain,t:none"
    SecRule REQUEST_COOKIES "@rx array[\d]" "t:none,setvar:'tx.bn_inbound_found=+1'"

### init ###
# Zeroes the five per-transaction counters used by the 3010xx-3014xx helper
# rules. It is phase:1, so it runs before every phase:2 rule in this file
# regardless of its position here.
SecAction "id:300000, phase:1,\
    nolog,\
    pass,\
    severity:info,\
    t:none,\
    setvar:tx.bn_str_rot13=0,\
    setvar:tx.bn_base64_decode=0,\
    setvar:tx.bn_base64_decode_b64=0,\
    setvar:tx.bn_create_function_r13=0,\
    setvar:tx.bn_base64_decode_r13=0"

# Helper tables (3010xx-3014xx). Each pair is a silent (nolog, severity:info)
# chain that looks for one keyword split into two separate cookie values: one
# cookie equal to the prefix and one equal to (or, in the 3014xx table,
# beginning with) the suffix. There is one pair per split position. Each pair
# adds a distinct power of two to its counter, so the counter value printed by
# 409003/409004 hints at which split matched (assuming each pair fires once per
# request -- TODO confirm how setvar behaves when several cookies match).
# The helpers only count. The single-character and two-character fragments
# ("e", "a", "r", "3", "13", "de", "ba", ...) are plausible in ordinary
# cookies, which is why the verdict rules below require several counters to be
# non-zero at the same time.

### tx.bn_str_rot13 ###
# Keyword: "str_rot13" (8 split positions).
SecRule REQUEST_COOKIES "^s$" "id:301001,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^tr_rot13$" "t:none,setvar:'tx.bn_str_rot13=+1'"
SecRule REQUEST_COOKIES "^st$" "id:301002,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^r_rot13$" "t:none,setvar:'tx.bn_str_rot13=+2'"
SecRule REQUEST_COOKIES "^str$" "id:301003,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^_rot13$" "t:none,setvar:'tx.bn_str_rot13=+4'"
SecRule REQUEST_COOKIES "^str_$" "id:301004,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^rot13$" "t:none,setvar:'tx.bn_str_rot13=+8'"
SecRule REQUEST_COOKIES "^str_r$" "id:301005,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ot13$" "t:none,setvar:'tx.bn_str_rot13=+16'"
SecRule REQUEST_COOKIES "^str_ro$" "id:301006,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^t13$" "t:none,setvar:'tx.bn_str_rot13=+32'"
SecRule REQUEST_COOKIES "^str_rot$" "id:301007,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^13$" "t:none,setvar:'tx.bn_str_rot13=+64'"
SecRule REQUEST_COOKIES "^str_rot1$" "id:301008,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^3$" "t:none,setvar:'tx.bn_str_rot13=+128'"

### tx.bn_create_function_r13 ###
# Keyword: "perngr_shapgvba", i.e. "create_function" in ROT13 (14 split positions).
SecRule REQUEST_COOKIES "^p$" "id:301101,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^erngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+1'"
SecRule REQUEST_COOKIES "^pe$" "id:301102,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^rngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+2'"
SecRule REQUEST_COOKIES "^per$" "id:301103,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ngr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+4'"
SecRule REQUEST_COOKIES "^pern$" "id:301104,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^gr_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+8'"
SecRule REQUEST_COOKIES "^perng$" "id:301105,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^r_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+16'"
SecRule REQUEST_COOKIES "^perngr$" "id:301106,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^_shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+32'"
SecRule REQUEST_COOKIES "^perngr_$" "id:301107,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^shapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+64'"
SecRule REQUEST_COOKIES "^perngr_s$" "id:301108,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^hapgvba$" "t:none,setvar:'tx.bn_create_function_r13=+128'"
SecRule REQUEST_COOKIES "^perngr_sh$" "id:301109,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^apgvba$" "t:none,setvar:'tx.bn_create_function_r13=+256'"
SecRule REQUEST_COOKIES "^perngr_sha$" "id:301110,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^pgvba$" "t:none,setvar:'tx.bn_create_function_r13=+512'"
SecRule REQUEST_COOKIES "^perngr_shap$" "id:301111,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^gvba$" "t:none,setvar:'tx.bn_create_function_r13=+1024'"
SecRule REQUEST_COOKIES "^perngr_shapg$" "id:301112,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^vba$" "t:none,setvar:'tx.bn_create_function_r13=+2048'"
SecRule REQUEST_COOKIES "^perngr_shapgv$" "id:301113,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ba$" "t:none,setvar:'tx.bn_create_function_r13=+4096'"
SecRule REQUEST_COOKIES "^perngr_shapgvb$" "id:301114,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^a$" "t:none,setvar:'tx.bn_create_function_r13=+8192'"

### tx.bn_base64_decode_r13 ###
# Keyword: "onfr64_qrpbqr", i.e. "base64_decode" in ROT13 (12 split positions).
SecRule REQUEST_COOKIES "^o$" "id:301201,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^nfr64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+1'"
SecRule REQUEST_COOKIES "^on$" "id:301202,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^fr64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+2'"
SecRule REQUEST_COOKIES "^onf$" "id:301203,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^r64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+4'"
SecRule REQUEST_COOKIES "^onfr$" "id:301204,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^64_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+8'"
SecRule REQUEST_COOKIES "^onfr6$" "id:301205,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^4_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+16'"
SecRule REQUEST_COOKIES "^onfr64$" "id:301206,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^_qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+32'"
SecRule REQUEST_COOKIES "^onfr64_$" "id:301207,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^qrpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+64'"
SecRule REQUEST_COOKIES "^onfr64_q$" "id:301208,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^rpbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+128'"
SecRule REQUEST_COOKIES "^onfr64_qr$" "id:301209,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^pbqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+256'"
SecRule REQUEST_COOKIES "^onfr64_qrp$" "id:301210,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^bqr$" "t:none,setvar:'tx.bn_base64_decode_r13=+512'"
SecRule REQUEST_COOKIES "^onfr64_qrpb$" "id:301211,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^qr$" "t:none,setvar:'tx.bn_base64_decode_r13=+1024'"
SecRule REQUEST_COOKIES "^onfr64_qrpbq$" "id:301212,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^r$" "t:none,setvar:'tx.bn_base64_decode_r13=+2048'"

### tx.bn_base64_decode ###
# Keyword: "base64_decode" in clear text (12 split positions).
SecRule REQUEST_COOKIES "^b$" "id:301301,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ase64_decode$" "t:none,setvar:'tx.bn_base64_decode=+1'"
SecRule REQUEST_COOKIES "^ba$" "id:301302,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^se64_decode$" "t:none,setvar:'tx.bn_base64_decode=+2'"
SecRule REQUEST_COOKIES "^bas$" "id:301303,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^e64_decode$" "t:none,setvar:'tx.bn_base64_decode=+4'"
SecRule REQUEST_COOKIES "^base$" "id:301304,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^64_decode$" "t:none,setvar:'tx.bn_base64_decode=+8'"
SecRule REQUEST_COOKIES "^base6$" "id:301305,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^4_decode$" "t:none,setvar:'tx.bn_base64_decode=+16'"
SecRule REQUEST_COOKIES "^base64$" "id:301306,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^_decode$" "t:none,setvar:'tx.bn_base64_decode=+32'"
SecRule REQUEST_COOKIES "^base64_$" "id:301307,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^decode$" "t:none,setvar:'tx.bn_base64_decode=+64'"
SecRule REQUEST_COOKIES "^base64_d$" "id:301308,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ecode$" "t:none,setvar:'tx.bn_base64_decode=+128'"
SecRule REQUEST_COOKIES "^base64_de$" "id:301309,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^code$" "t:none,setvar:'tx.bn_base64_decode=+256'"
SecRule REQUEST_COOKIES "^base64_dec$" "id:301310,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^ode$" "t:none,setvar:'tx.bn_base64_decode=+512'"
SecRule REQUEST_COOKIES "^base64_deco$" "id:301311,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^de$" "t:none,setvar:'tx.bn_base64_decode=+1024'"
SecRule REQUEST_COOKIES "^base64_decod$" "id:301312,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "^e$" "t:none,setvar:'tx.bn_base64_decode=+2048'"

### tx.bn_base64_decode_b64 ###
# Keyword: "YmFzZTY0X2RlY29kZQ", the Base64 encoding of "base64_decode" without
# its "==" padding (17 split positions). The suffix link uses @beginsWith
# rather than an anchored regex, so a suffix cookie that carries padding or
# further data after the fragment still matches.
SecRule REQUEST_COOKIES "^Y$" "id:301401,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith mFzZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+1'"
SecRule REQUEST_COOKIES "^Ym$" "id:301402,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith FzZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+2'"
SecRule REQUEST_COOKIES "^YmF$" "id:301403,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith zZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+4'"
SecRule REQUEST_COOKIES "^YmFz$" "id:301404,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith ZTY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+8'"
SecRule REQUEST_COOKIES "^YmFzZ$" "id:301405,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith TY0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+16'"
SecRule REQUEST_COOKIES "^YmFzZT$" "id:301406,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith Y0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+32'"
SecRule REQUEST_COOKIES "^YmFzZTY$" "id:301407,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith 0X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+64'"
SecRule REQUEST_COOKIES "^YmFzZTY0$" "id:301408,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith X2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+128'"
SecRule REQUEST_COOKIES "^YmFzZTY0X$" "id:301409,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith 2RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+256'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2$" "id:301410,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith RlY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+512'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2R$" "id:301411,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith lY29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+1024'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2Rl$" "id:301412,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith Y29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+2048'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY$" "id:301413,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith 29kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+4096'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY2$" "id:301414,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith 9kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+8192'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29$" "id:301415,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith kZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+16384'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29k$" "id:301416,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith ZQ" "t:none,setvar:'tx.bn_base64_decode_b64=+32768'"
SecRule REQUEST_COOKIES "^YmFzZTY0X2RlY29kZ$" "id:301417,chain,nolog,phase:2,rev:'1',severity:info,t:none"
    SecRule REQUEST_COOKIES "@beginsWith Q" "t:none,setvar:'tx.bn_base64_decode_b64=+65536'"

# 409003: verdict for the ROT13 family. Fires only when split-cookie forms of
# "str_rot13", ROT13 "create_function" and ROT13 "base64_decode" were all seen
# in the same request; the three counter values are written into msg/logdata.
SecRule tx:bn_str_rot13 "@gt 0" \
    "id:409003,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (6294b0aa7ab29948f772b8a8) |%{tx.bn_str_rot13}|%{tx.bn_create_function_r13}|%{tx.bn_base64_decode_r13}|',\
    msg:'Rule against PHP RCE malware (6294b0aa7ab29948f772b8a8) |%{tx.bn_str_rot13}|%{tx.bn_create_function_r13}|%{tx.bn_base64_decode_r13}|'"
    SecRule tx:bn_create_function_r13 "@gt 0" "chain,t:none"
    SecRule tx:bn_base64_decode_r13 "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409004: verdict for the Base64 family. Fires only when both the clear-text
# and the Base64-encoded split-cookie forms of "base64_decode" were seen.
SecRule tx:bn_base64_decode "@gt 0" \
    "id:409004,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (63b301bc5205bf358a4caa0c) |%{tx.bn_base64_decode}|%{tx.bn_base64_decode_b64}|',\
    msg:'Rule against PHP RCE malware (63b301bc5205bf358a4caa0c) |%{tx.bn_base64_decode}|%{tx.bn_base64_decode_b64}|'"
    SecRule tx:bn_base64_decode_b64 "@gt 0" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409005: a POST parameter whose name is exactly the marker string below.
SecRule ARGS_POST_NAMES "^fuckyou4321$" \
    "id:409005,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP RCE malware (63048c774603e53b7a7f78b5)',\
    msg:'Rule against PHP RCE malware (63048c774603e53b7a7f78b5)'"

# 409006: one request header whose value is exactly "create_function" and one
# whose value is exactly "base64_decode" (REQUEST_HEADERS matches header values).
SecRule REQUEST_HEADERS "^create_function$" \
    "id:409006,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (6284da8fef85056b327414fc)',\
    msg:'Rule against PHP RCE malware (6284da8fef85056b327414fc)'"
    SecRule REQUEST_HEADERS "^base64_decode$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409007: exactly one POST parameter, it is "request_option" with a value of
# at least 1000 characters (t:length turns the value into its length before
# @ge), and the request has no GET parameters.
SecRule &ARGS_POST "@eq 1" \
    "id:409007,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2)',\
    msg:'Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2)'"
    SecRule ARGS_POST:request_option "@ge 1000" "chain,t:length"
    SecRule &ARGS_GET "@eq 0" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409008: GET parameters named "pd" and "mapname" both present.
SecRule ARGS_GET_NAMES "^pd$" \
    "id:409008,\
    phase:2,\
    chain,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (644b680f1173f831663f5255)',\
    msg:'Rule against PHP RCE malware (644b680f1173f831663f5255)'"
    SecRule ARGS_GET_NAMES "^mapname$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409009: POST parameter "ne" equal to one of the listed web-shell action names.
SecRule ARGS_POST:ne "^(fayl_oxu|sistem_kom|fayl_redakte|fayl_yukle|fayl_sil|fayl_yarat|papka_yarat|fayl_sifirla|papka_sil|fayl_ad_deyish|ziple|skl_d_t|fayl_upl)$" \
    "id:409009,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)',\
    msg:'Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)'"

# 409010: second signature for the sample id used by 409008 -- parameter "pd"
# (GET or POST) equal to "smyedit" after URL decoding. Unlike the rules above
# it sets log and auditlog explicitly instead of relying on the defaults.
SecRule ARGS:pd "@streq smyedit" \
    "id:409010,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule 02 against PHP RCE malware (644b680f1173f831663f5255)',\
    msg:'Rule 02 against PHP RCE malware (644b680f1173f831663f5255)'"

# 409011: exactly one GET parameter, named "varname", whose value contains a
# dot. NOTE(review): this is a broad condition; whether a legitimate
# application behind this WAF uses such a parameter is not visible here.
SecRule &ARGS_GET "@eq 1" \
    "id:409011,\
    chain,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,\
    logdata:'Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)',\
    msg:'Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)'"
    SecRule ARGS_GET_NAMES "^varname$" "chain,t:none"
    SecRule ARGS_GET:varname "@contains ." "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409012: a parameter named "wp_ajx_request" or "wp_ajx_reinstall_request".
# The name is URL-decoded, path-normalised and lower-cased before matching, so
# this is the only case-insensitive signature in the file.
SecRule ARGS_NAMES "^wp_ajx_(reinstall_)?request$" \
    "id:409012,\
    phase:2,\
    rev:'1',\
    severity:critical,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP RCE malware (wp_ajx)',\
    msg:'Rule against PHP RCE malware (wp_ajx)'"

# 409013: parameter "zzz" equal to the fixed token below after URL decoding.
SecRule ARGS:zzz "@streq xcWD23" \
    "id:409013,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP Uploader malware (653fa43c57a1e128c70a9c87)',\
    msg:'Rule against PHP Uploader malware (653fa43c57a1e128c70a9c87)'"

# 409014: a POST parameter named "cdshell".
SecRule ARGS_POST_NAMES "^cdshell$" \
    "id:409014,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP RCE malware (cdshell)',\
    msg:'Rule against PHP RCE malware (cdshell)'"

# 409015: a GET parameter named "actmet1" or "actmet2".
SecRule ARGS_GET_NAMES "^actmet[12]$" \
    "id:409015,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against PHP malware (6548af1f7eef18d697055726)',\
    msg:'Rule against PHP malware (6548af1f7eef18d697055726)'"

# 409016: a GET parameter named "solevisible" (labelled as the ALFA TEaM shell
# loader in the msg field).
SecRule ARGS_GET_NAMES "^solevisible$" \
    "id:409016,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    setvar:'tx.bn_inbound_found=+1',\
    logdata:'Rule against ALFA TEaM Shell load',\
    msg:'Rule against ALFA TEaM Shell load'"

# 409017: cookies named "AlfaUser" and "AlfaPass" both present. The
# t:urlDecodeUni on the first link does not carry over to the chained link,
# which declares its own t:none.
SecRule REQUEST_COOKIES_NAMES "^AlfaUser$" \
    "id:409017,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    logdata:'Rule against ALFA TEaM Shell cookie',\
    msg:'Rule against ALFA TEaM Shell cookie'"
    SecRule REQUEST_COOKIES_NAMES "^AlfaPass$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409018: parameter "login" equal to "cmd" together with a POST parameter
# named "coco".
SecRule ARGS:login "@streq cmd" \
    "id:409018,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    logdata:'Rule against PHP RCE malware (coco,login,cmd)',\
    msg:'Rule against PHP RCE malware (coco,login,cmd)'"
    SecRule ARGS_POST_NAMES "^coco$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409019: POST parameters named "song2", "stars1" and "stars2" all present.
SecRule ARGS_POST_NAMES "^song2$" \
    "id:409019,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    logdata:'Rule against PHP malware (65f0096eade8f3274b0a8427)',\
    msg:'Rule against PHP malware (65f0096eade8f3274b0a8427)'"
    SecRule ARGS_POST_NAMES "^stars1$" "chain,t:none"
    SecRule ARGS_POST_NAMES "^stars2$" "t:none,setvar:'tx.bn_inbound_found=+1'"

# 409020: POST parameters named "thumb_key" and "code" both present. "code" on
# its own is a common parameter name; the match depends on the pair.
SecRule ARGS_POST_NAMES "^thumb_key$" \
    "id:409020,\
    chain,\
    phase:2,\
    rev:'1',\
    log,\
    auditlog,\
    t:none,t:urlDecodeUni,\
    severity:critical,\
    logdata:'Rule against PHP malware (663863d403a9690a37098357, 663863da03a9690a370983a5)',\
    msg:'Rule against PHP malware (663863d403a9690a37098357, 663863da03a9690a370983a5)'"
    SecRule ARGS_POST_NAMES "^code$" "t:none,setvar:'tx.bn_inbound_found=+1'"