
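## Generic path-recursion signature
# Denies any request whose URI contains "/../" (after URL-decoding), unless the request is for
# alt_mod_frameset.php. It covers directory-traversal bugs in several outdated WordPress plugins;
# it is not advisable to disable it globally.
# Review fix: the exclusion was matched against REQUEST_URI, which includes the query string, so
# appending "?alt_mod_frameset.php" to any traversal URL skipped the whole chain. It now matches
# REQUEST_FILENAME (path only). A path like /alt_mod_frameset.php/../../ would still be excluded.
# Review fix: the action list carried both "severity:2" and "severity:WARNING"; ModSecurity keeps the
# last one, so the numeric duplicate was dead and misleading. rev bumped accordingly.
# No disruptive action is given, so the outcome depends on SecDefaultAction for phase 2.
# NOTE(review): id 300004 is the only id in this file outside the 5xxxxxx range, and it appears to fall
# in a range the ModSecurity id-allocation table assigns to a third-party rule set; a duplicate-id
# failure at startup is possible if that set is ever loaded -- confirm and renumber.
SecRule REQUEST_FILENAME "!(alt_mod_frameset\.php)" "chain,id:300004,rev:3,msg:'Generic Path Recursion denied',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_URI "/\.\./" "t:urldecode"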

# xmlrpc.php requests that carry neither a Referer nor a User-Agent header are denied (status 411).
# This rule can be whitelisted, but doing so removes part of the xmlrpc DoS protection; it is better
# to have the customer's client POST to xmlrpc with a Referer or User-Agent -- any non-empty value
# in either header is enough to pass this rule, since the chain requires BOTH to be absent.
# NOTE(review): &HTTP_REFERER / &HTTP_User-Agent look like the legacy HTTP_* header aliases; rule
# 5200214 below uses the canonical REQUEST_HEADERS:Referer form -- confirm the aliases resolve on
# the deployed ModSecurity version, otherwise this chain never matches.
# NOTE(review): 411 (Length Required) is a misleading status for a policy deny; 403 is conventional.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000228,chain,msg:'xmlrpc DoS or brute force attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

# FlashChat remote file inclusion: a .php script called with dir[inc]=http:/ in the URI.
# No disruptive action is given, so SecDefaultAction decides what happens on a match.
# NOTE(review): the match is on the raw REQUEST_URI with no t:urldecode, so an encoded form such as
# dir%5Binc%5D=http%3A/ is not seen; most other rules in this file decode first -- consider doing so.
SecRule REQUEST_URI "\.php\?dir\[inc\]=http\:/" "id:5000204,msg:'flashchat vuln. patch',tag:'lw_custom',severity:WARNING"

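# Joomla rules: a "controller=" parameter whose URI also references /tmp, /proc or /dev
# (local file inclusion through the controller parameter). No disruptive action is given,
# so SecDefaultAction decides what happens on a match.
# Review fix: the action list was missing the comma between msg:'...' and tag:'...'; depending on
# the ModSecurity version that either fails to parse or silently mangles the tag.
# NOTE(review): "/dev" is unanchored, so any URI containing e.g. "/development" or "/devices"
# together with "controller=" also matches -- watch for false positives on those path names.
SecRule REQUEST_URI "controller=" "chain,id:5000205,msg:'Joomla plugin exploit attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "(/tmp|/proc|/dev)"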

# eval(base64 ... carried in the Referer or User-Agent header (PHP backdoor payloads are commonly
# smuggled in these headers). Both headers are lowercased before matching.
# No disruptive action is given, so SecDefaultAction decides what happens on a match.
SecRule HTTP_REFERER "eval\(base64.*" "id:5000206,t:lowercase,msg:'eval(base64 code in HTTP Referer',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "eval\(base64.*" "id:5000207,t:lowercase,msg:'eval(base64 code in user agent field',tag:'lw_custom',severity:CRITICAL"

# TimThumb remote file fetch: timthumb.php / thumb.php / _tbs.php asked for a "src" whose hostname
# merely begins with a whitelisted image host (e.g. flickr.com.attacker.net/...) and which ends in a
# .txt or .php* file -- the classic TimThumb host-whitelist bypass.
# Matched on the lowercased raw REQUEST_URI; no disruptive action, so SecDefaultAction decides.
SecRule REQUEST_URI "/(timthumb|thumb|_tbs)\.php\?src=.*(flickr|staticflickr|picasa|img\.youtube|upload\.wikimedia|photobucket|imgur|imageshack|tinypic)\.(com|org|us)\..*\.(com|ca|com\.au|org|net|jp|gov|info|us|co\.uk)/.*\.(txt|php|php3|php4|php5)" "id:5000200,t:lowercase,msg:'Timthumb Exlpoit Attempt Detected',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"

# Symlink-attack directories: URIs containing /sym/root, /sym/...txt, or /sym/.../home/ -- the
# layout typically produced by symlink-based cross-account reads on shared hosts.
# No disruptive action is given, so SecDefaultAction decides what happens on a match.
SecRule REQUEST_URI "/sym/(root|.*txt)" "id:5000201,msg:'Symlink Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "/sym/.*/home/" "id:5000202,msg:'Symlink Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"

# Zen Cart admin authentication bypass: record_company.php reached via the PATH_INFO trick
# /admin/record_company.php/password_forgotten.php?action=insert.
# No disruptive action is given, so SecDefaultAction decides what happens on a match.
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php\?action=insert.*" "id:5000203,msg:'Zencart Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"

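# Login-argument check for wp-login.php, with exceptions for SSO plugins.
# Rules 5100214 / 5200214 let Duo and OneLogin logins through; rule 5000214 then rejects any
# POST to wp-login.php that carries neither a "wp-submit" nor an "action" argument.
# Review fix: the exceptions used "skip:2" / "skip:1", which count rules positionally and break
# silently as soon as a rule is inserted between them; they now jump to a SecMarker instead.
# Review fix: rule 5000214 was missing the comma between msg:'...' and tag:'...'.
# NOTE(review): status 402 (Payment Required) is an odd choice for this deny; confirm nothing
# downstream keys on it before changing it to 403.
# Fix duo sec WP logins
SecRule REQUEST_BODY "duo_wordpress|sig_response" "t:lowercase,id:5100214,pass,phase:2,skipAfter:END_WP_LOGIN_ARGS_CHECK"

# Fix onelogin.com WP logins
SecRule REQUEST_HEADERS:Referer "onelogin.com" "t:lowercase,id:5200214,pass,phase:2,skipAfter:END_WP_LOGIN_ARGS_CHECK"

# Reject WP logins when wp-submit and action are both null.
SecRule REQUEST_FILENAME "wp-login\.php" "phase:2,deny,log,status:402,t:lowercase,chain,id:5000214,msg:'wordpress login missing action and or wp-submit arguments.',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_METHOD "^post$" chain,t:lowercase
SecRule &ARGS:wp-submit "@eq 0" chain,t:urlDecodeUni,t:lowercase
SecRule &ARGS:action "@eq 0" t:urlDecodeUni,t:lowercase
SecMarker END_WP_LOGIN_ARGS_CHECK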

# Block POSTs to wp-login.php that carry no Referer header (status 401, rule 5000130).
# NOTE(review): browsers honouring a strict Referrer-Policy, privacy extensions and some SSO flows
# send no Referer on a legitimate login POST. The Duo/OneLogin exceptions above (5100214/5200214)
# do not appear to cover this rule, so expect false positives and whitelist per site.
# NOTE(review): a 401 without a WWW-Authenticate header is not a valid challenge; 403 is the
# conventional status for a policy block.
# NOTE(review): the LocationMatch argument is a regex, so the unescaped "." also matches
# e.g. /wp-loginXphp; "/wp-login\.php" would be exact.
<Locationmatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>

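<IfModule !ruid2_module>
<IfModule !mpm_itk_module>
# Put DBM rules here (ones that use initcol/collections and setvar/counter functions).
# WordPress brute-force detection, keyed on the client IP.
# NOTE(review): the collection key is REMOTE_ADDR; behind a reverse proxy or CDN that is the proxy's
# address, so one noisy client blocks every user sharing it -- confirm the deployment, or key on the
# forwarded client address.
# NOTE(review): persistent collections need SecDataDir, which is not set in this file -- confirm it
# is configured elsewhere, otherwise the counters never persist between requests.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# React if the block flag has been set (phase 2, before the request reaches WordPress).
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
# Tracking (phase 5). A successful login is a 302 redirect; a 200 means the login form was re-served.
# Review fix: the counter reset now requires a POST. Previously any 302 from wp-login.php reset it.
# NOTE(review): wp-login.php actions that always redirect after a POST (e.g. action=postpass) would
# still reset the counter -- verify against the WordPress version in use and exclude them if so.
SecRule RESPONSE_STATUS "^302" "phase:5,chain,t:none,nolog,pass,id:5000136"
SecRule REQUEST_METHOD "POST" "t:none,setvar:ip.bf_counter=0"
# Review fix: the increment sat on the first rule of the chain, and ModSecurity applies a rule's
# non-disruptive actions (setvar etc.) when that rule matches, not when the whole chain does -- so
# every GET of the login form (also a 200) counted as a failed attempt. The increment now sits on
# the POST check. The counter decays by one every 180 s; more than 10 sets a 300 s block flag.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,id:5000137"
SecRule REQUEST_METHOD "POST" "chain,t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
</IfModule>
</IfModule>
# End DBM rules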

# theme-editor.php and plugin-editor.php requests with neither a Referer nor a User-Agent header
# are denied (status 411). Legitimate use of these editors is a browser session inside wp-admin,
# which normally sends both; the chain requires BOTH headers to be absent before it matches.
# NOTE(review): the LocationMatch arguments are regexes with an unescaped ".", so they also match
# e.g. /theme-editorXphp; harmless here but "\." would be exact.
<Locationmatch "/theme-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000140,chain,msg:'No UA, No referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>

<Locationmatch "/plugin-editor.php">
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000141,chain,msg:'No UA, No referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>

# Joomla malicious code execution through dvmessages.php: that script should never receive a
# c_id query-string parameter, so any request carrying one is denied.
# NOTE(review): status 500 makes a deliberate block look like a server error (and feeds 5xx
# error-rate alerting); several rules below do the same. Prefer 403 unless something keys on 500.
<Locationmatch "/dvmessages.php">
SecRule QUERY_STRING "c_id" "deny,status:500,id:5000217,msg:'dvmessages code exec',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
</Locationmatch>

# Joomla com_jce (JCE editor) exploitation: deny the scanner's "BOT for JCE" User-Agent, and deny
# any request for a PHP file under /images/stories/ -- the upload directory the exploit writes its
# shell into. "\.php" is unanchored on purpose so double extensions (shell.php.jpg) are caught too.
# NOTE(review): the User-Agent match is case-sensitive (no t:lowercase), unlike the other UA rules
# in this file; "bot for jce" passes.
SecRule HTTP_User-Agent "BOT for JCE" "deny,status:500,id:5000218,msg:'Joomla com_jce code exec',tag:'joomla',tag:'lw_custom',severity:CRITICAL"

#Joomla com_jce exploit
SecRule REQUEST_URI "/images/stories/.+\.php" "deny,status:500,id:5000219,msg:'Joomla com_jce code exec',tag:'joomla',tag:'lw_custom',severity:WARNING"

# OptimizePress arbitrary file upload (see the advisory above): deny execution of PHP files dropped
# into the theme's images_comingsoon / images_lncthumbs / images_optbuttons directories.
# Case-sensitive match on the raw REQUEST_URI.
SecRule REQUEST_URI "/images_(comingsoon|lncthumbs|optbuttons)/.+\.php" "deny,status:500,id:5000220,msg:'optimizepress vuln',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

# Joomla com_jnews arbitrary file upload: ofc_upload_image.php called with a name= parameter
# containing ".php". No disruptive action on the chain, so SecDefaultAction decides.
# NOTE(review): QUERY_STRING is the raw, undecoded query; only t:lowercase is applied here, so an
# encoded "name=x.%70hp" is not seen. Matching ARGS:name (already decoded) would close that gap.
SecRule REQUEST_URI "ofc_upload_image.php" "id:5000221,chain,msg:'Joomla com_jnews exploit attempt detected',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule QUERY_STRING "name=.*\.php" "t:lowercase"

# Deny (401) a POST to "/" that carries no Referer, unless the User-Agent contains "paypal ipn"
# (PayPal IPN callbacks legitimately POST without a Referer). Safe for customer use; may be
# whitelisted if needed, but whitelisting removes some DoS protection.
# NOTE(review): REQUEST_URI includes the query string, so "POST /?x=1" does not match "^\/$";
# REQUEST_FILENAME would match the path alone -- confirm which behaviour is intended.
# NOTE(review): the UA exception is a substring check, so any client can opt out by putting
# "paypal ipn" in its User-Agent; restrict by source address if that matters.
SecRule REQUEST_URI "^\/$" "deny,status:401,id:5000222,chain,msg:'POST request with no file path was blocked due to no HTTP referer',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_METHOD "POST"  "chain"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule HTTP_User-Agent "!paypal ipn" "t:lowercase"

# Joomla /administrator/index.php:
#  - 5000223 denies (411) any request there with neither a User-Agent nor a Referer; scanners
#    looking for sites to target frequently omit both.
#  - 5000224 denies (411) any POST there without a Referer (the login form always posts from a
#    page, so a Referer-less POST is not a browser login).
# NOTE(review): for POSTs, 5000224 subsumes 5000223; 5000223 still matters for GET scans.
# NOTE(review): the same Referrer-Policy / privacy-extension false-positive caveat as the
# wp-login.php Referer rule applies here.
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer',tag:'joomla',tag:'lw_custom',severity:WARNING"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

# Fake Joomla plugin name "mod_araticlhess": it only shows up in scanner / DoS traffic, so any
# request mentioning it (lowercased REQUEST_URI) is denied. If the plugin actually exists on a
# site, that site is already compromised.
SecRule REQUEST_URI "mod_araticlhess" "deny,id:5000225,t:lowercase,msg:'Access to fake plugin, if this plugin actually exists the site is hacked.',tag:'joomla',tag:'lw_custom',severity:CRITICAL"

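# JOOMLA virtual patch for the com_contenthistory SQL injection (full admin takeover), see:
# trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
# Denies (406) a query string naming com_contenthistory that also contains "select ... from" or
# "list[select".
# Review fix: transformations run in the order listed, and the original ran t:lowercase BEFORE
# t:urldecode. Lowercasing "%53elect" leaves "%53elect", which then decodes to "Select" and misses the
# lowercase pattern -- so percent-encoding any uppercase letter bypassed the rule. Decode first.
SecRule QUERY_STRING "com_contenthistory" "t:urldecode,t:lowercase,deny,status:406,id:5001225,chain,msg:'Joomla SQL injection attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule QUERY_STRING "(select.+from|list.select)" "t:urldecode,t:lowercase"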

# Request-body variant of the com_contenthistory SQL injection patch, based on
# https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
# Denies (406) a body naming com_contenthistory that also contains "select ... from" or "list[select".
# NOTE(review): REQUEST_BODY is only populated when SecRequestBodyAccess is On, which is not set in
# this file -- confirm it is enabled elsewhere. Unlike the query-string variant, no t:urldecode is
# applied here, so a form-encoded body with percent-encoded letters is not normalised before matching.
SecRule REQUEST_BODY "com_contenthistory" "chain,t:lowercase,deny,status:406,id:5001226,msg:'Joomla SQL injection attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_BODY "(select.+from|list.select)" "t:lowercase"

# Generic PHP-CGI code-execution scans: "safe_mode=off" passed in the query string (the php-cgi
# argument-injection pattern). The query string is URL-decoded before matching; denied with the
# default status.
SecRule QUERY_STRING "safe_mode=off" "deny,id:5000226,t:urldecode,msg:'blocked generic PHP code exec scans',tag:'lw_custom',severity:WARNING"

# xmlrpc.php requests from the "WinHttp.WinHttpRequest.5" User-Agent are denied (411); that UA is
# the Windows scripting client seen in xmlrpc flood / brute-force tooling, not a browser or WP client.
# Case-sensitive match; the unescaped dots in the pattern match any character, which is harmless here.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000227,chain,msg:'xmlrpc DoS attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "WinHttp.WinHttpRequest.5"

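# Fix for wysija newsletters (MailPoet): unauthenticated theme upload through
# wp-admin/admin-post.php?page=wysija_campaigns&action=themes.
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
# Review fix: the rule matched the literal "page=wysija_campaigns&action=themes" in the raw
# REQUEST_URI, so swapping the parameter order or percent-encoding a character in either name or
# value bypassed it. It now checks the (decoded) page and action arguments individually, on the
# admin-post.php path only; the legitimate wp-admin/admin.php?page=wysija_campaigns screens are
# not affected.
SecRule REQUEST_FILENAME "wp-admin/admin-post\.php" "id:5000229,chain,deny,t:none,msg:'mailpoet WP exploit attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule ARGS:page "^wysija_campaigns$" "chain,t:none"
SecRule ARGS:action "^themes$" "t:none"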

# Stop-gap fix for custom-contact-forms hacks: deny requests for a ".sql.php" file under the
# plugin's import/ directory (the attacker's uploaded "database import" that is really PHP).
# The URI is lowercased and path-normalised (t:normalisePath collapses ./ and ../ segments)
# before matching.
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "custom-contact-forms/import/.*\.sql\.php" "deny,t:lowercase,t:normalisePath,id:5000230,msg:'WP custom contact forms exploit attempt blocked',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

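# Fix for revslider arbitrary file download,
# http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
# Denies admin-ajax action=revslider_show_image with an img= value pointing at a .php file,
# .my.cnf, a bash dotfile or wp-config.
# Review fix: the rule matched "revslider_show_image.*&img=" in the raw QUERY_STRING, so sending
# img= before action=, percent-encoding part of the value, or using a POST body bypassed it. It now
# checks the decoded action and img arguments (query string or body) individually, and the "." in
# ".my.cnf" is escaped so it no longer matches any character.
SecRule ARGS:action "revslider_show_image" "chain,deny,t:none,t:lowercase,id:5000231,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule ARGS:img "(\.php|\.my\.cnf|\.bash|wp-config)" "t:none,t:lowercase"
# Known filenames dropped by the follow-up revslider malware; denied outright.
SecRule REQUEST_URI "noid-mailpolet\.php" "deny,id:5001000,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_URI "resvlide.php" "deny,id:5001001,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"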

# RevSlider rules for the newer shell-upload vulnerability. These do not stop the initial malware
# upload into wp-content/plugins/revslider/temp/update_extract/revslider/, but they deny any request
# for a PHP file under that tree, so the uploaded shell cannot be executed and the site is not
# actually compromised. The two patterns cover both orderings of the path components.
# Matched on the lowercased REQUEST_URI; "\.php" is unanchored so double extensions are caught too.
# Please inform secteam if this stops any legitimate updates, as it should not inhibit them.
SecRule REQUEST_URI "/temp/update_extract/revslider/.+\.php" "deny,t:lowercase,id:5000232,msg:'RevSlider shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "/revslider/temp/update_extract/.+\.php" "deny,t:lowercase,id:5001232,msg:'RevSlider shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

# Fix for Gravity Forms shell upload: deny a request under wp-content whose lowercased URI contains
# "_input_" followed (anywhere later) by "php" or "phtml" -- the naming pattern of files written by
# the vulnerable upload handler.
# NOTE(review): the ".*" between "_input_" and the extension is unbounded and REQUEST_URI includes the
# query string, so a legitimate "_input_" upload URL with a query string containing "php" also matches.
SecRule REQUEST_URI "wp-content" "chain,deny,id:5001002,msg:'gravity forms shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_URI "_input_.*p(hp|html)" "t:lowercase"

# Jetpack / Twenty Fifteen DOM-based XSS: genericons/example.html is the vulnerable demo page and
# has no legitimate use on a production site, so any request for it is denied.
# Fix for https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html
SecRule REQUEST_URI "genericons/example.html" "deny,id:5001003,msg:'jetpack XSS fix',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"

# Jetpack contact-form stored XSS: deny (411) a grunion-contact-form action whose arguments carry
# a "/**/" comment or an "&#" entity prefix, the encodings used in the published payload.
# Fix for https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
SecRule ARGS:action "grunion-contact-form" "t:urldecode,t:lowercase,id:5001004,deny,status:411,chain,msg:'jetpack XSS fix',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule ARGS "\/\*\*\/|\&\#" "t:urldecode"

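# Fixes for script-kiddie Drupal SQL injections: a POST to /user/login/ or to ?q=node whose body
# contains the "name[0 ... update users set name" injection (the "." in the pattern matches the
# bracket / separator characters between the tokens).
# Please inform secteam of any false positives.
# Review fix: rule 5000234 ran t:lowercase BEFORE t:urldecode on the raw query string; lowercasing
# "%51=node" leaves "%51=node", which then decodes to "Q=node" and misses the pattern, so
# percent-encoding any uppercase letter bypassed the rule. Decode first, then lowercase.
# NOTE(review): REQUEST_BODY is only populated when SecRequestBodyAccess is On -- confirm.
SecRule REQUEST_URI "/user/login/" "deny,t:lowercase,id:5000233,chain,msg:'drupal exploit attempt',tag:'drupal',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"

SecRule QUERY_STRING "q=node" "deny,t:urldecode,t:lowercase,id:5000234,chain,msg:'drupal exploit attempt',tag:'drupal',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"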

# Block a specific malicious User-Agent string (an old zh-CN Firefox 1.0 UA that only appears in
# attack traffic). Exact, case-sensitive match with the dots and parentheses escaped.
SecRule HTTP_User-Agent "Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; zh-CN; rv:1\.7\.6\)" "deny,id:5000235,msg:'malicious user-agent',tag:'lw_custom',severity:WARNING"

# HEAD requests from the Typhoeus HTTP client. No disruptive action is given, so SecDefaultAction
# decides what happens on a match.
# NOTE(review): the UA match is case-sensitive (no t:lowercase), unlike most UA rules in this file.
SecRule REQUEST_METHOD "HEAD" "id:5000236,chain,msg:'Blocking bad Typhoeus UA',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "Typhoeus"

# Ongoing fixes for the bash issue, CVE-2014-6271 (Shellshock). Three rules cover the three places
# a "() {" function definition can reach a CGI environment: any request header, the request line
# (SERVER_PROTOCOL and friends), and GET/POST arguments. All deny with 400 in phase 1 or 2.
# The header and argument rules are anchored ("^\(\) {") because vulnerable bash only imports a
# function when the value starts with exactly that prefix; the request-line rule is unanchored.
# Please inform akwiecinski of any suspected false positives.
# NOTE(review): the ARGS rule only sees POST arguments when SecRequestBodyAccess is On -- confirm.
# Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:5000300,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"

# SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:5000301,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"

# GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:5000303,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"

# Botnet posing as Googlebot (Nov 18 2015): a "cookie=1" query-string marker, a User-Agent
# containing "googlebot", and any argument that, once base64-decoded, contains "eval(".
# t:none resets the transformation list so only the base64 decode is applied to the arguments.
SecRule QUERY_STRING "cookie=1" "deny,t:lowercase,id:5000305,chain,msg:'base64 encoded eval statement from fake googlebot',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "googlebot" "t:lowercase,chain"
SecRule ARGS "eval\(" "t:none,t:base64Decode"

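# Joomla 0day Dec 14, https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
# The exploit delivers a serialized PHP object (JDatabaseDriverMysql ...) in the User-Agent header.
# Rule 5000306 matches the class name, 5000307 the "{s:" serialized-string marker. No disruptive
# action is given on either, so SecDefaultAction decides.
# Review fix: rule 5000306 ran t:lowercase BEFORE t:urldecode; lowercasing "%4Adatabase" leaves
# "%4adatabase", which then decodes to "Jdatabase" and misses the lowercase pattern. Decode first.
SecRule HTTP_User-Agent "jdatabasedrivermysql" "t:urldecode,t:lowercase,id:5000306,msg:'Joomla RCE patch',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "{s:" "t:urldecode,id:5000307,msg:'Joomla RCE patch',tag:'joomla',tag:'lw_custom',severity:CRITICAL"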

# WordPress local file inclusion protection: a request body naming mysite_download_skin together
# with wp-config.php (the file the LFI is used to read). No disruptive action on the chain, so
# SecDefaultAction decides.
# NOTE(review): REQUEST_BODY is only populated when SecRequestBodyAccess is On -- confirm. The
# second rule has no t:lowercase, so "WP-CONFIG.PHP" is not matched.
SecRule REQUEST_BODY "mysite_download_skin" "t:lowercase,id:5000308,chain,msg:'WP LFI protection',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_BODY "wp-config\.php"

# Protections for Joomla CVE-2016-8870 / CVE-2016-8869: deny any name= or filename= argument, or
# any uploaded file name, ending in ".pht" (the PHP-handled extension attackers used to drop web
# shells after abusing those account-creation bugs). Values are URL-decoded and lowercased first,
# so ".PHT" and "%2Epht" are caught.
SecRule ARGS:name "\.pht$" "deny,id:5000309,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"
SecRule ARGS:filename "\.pht$" "deny,id:5000310,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"
SecRule FILES "\.pht$" "deny,id:5000311,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"

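# Protections for wp-mobile-detector
# See https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
# 5000312 denies execution of any PHP file in the plugin's cache/ directory (where resize.php writes
# what it fetched); 5000313 denies a resize.php request whose src argument points at a .php file.
# Review fix: rule 5000313 only inspected REQUEST_BODY, but the published exploit passes src in the
# query string (GET resize.php?src=http://.../shell.php), which the rule never saw. It now matches the
# decoded ARGS:src, covering both the query string and the body.
SecRule REQUEST_URI "wp-mobile-detector/cache/.+\.php" "deny,id:5000312,t:lowercase,msg:'wp-mobile-detector vulnerability',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "wp-mobile-detector/resize.php" "deny,chain,id:5000313,msg:'wp-mobile-detector vulnerability',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule ARGS:src ".+\.php" "t:none,t:lowercase"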

# Protections for the 'realstatistics' hack
# See https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html
# 5000314: a com_tags request whose body carries a serialized JDatabaseDriverMysql object or a
# base64_decode call (the injection stage). 5000315: a POST to the dropped backdoor
# /modules/cache.uniq*.php (the persistence stage).
# NOTE(review): both patterns are case-sensitive (no t:lowercase), unlike most rules in this file,
# and REQUEST_BODY is only populated when SecRequestBodyAccess is On -- confirm.
SecRule QUERY_STRING "option=com_tags" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000314,tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_BODY "(JDatabaseDriverMysql|base64_decode)"

SecRule REQUEST_URI "/modules/cache\.uniq.+\.php" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000315,tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_METHOD "POST"

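# Detection for https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html
# Deny execution of any PHP file under wp-content/uploads/ultimatemember/temp/, the directory the
# Ultimate Member upload bug lets attackers write to. Matched on the lowercased REQUEST_URI.
# Review fix: added the critical_wordpress_protection / lw_custom tags and a severity so the rule
# is reported and filtered like every other WordPress rule in this file (tags do not affect blocking).
SecRule REQUEST_URI "wp-content/uploads/ultimatemember/temp/.+\.php" "deny,id:5000316,t:lowercase,msg:'ultimatemember plugin attack',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"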

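# Mitigate the vBulletin 5.x pre-auth PHP code injection (widgetConfig[code] evaluated by the
# ajax/render/widget_php route, CVE-2019-16759). See:
# SOS-1344
# https://seclists.org/fulldisclosure/2019/Sep/31
# https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html
# Denies a request whose routestring argument names the widget_php renderer AND which carries a
# widgetConfig[code] argument (query string or body). auditlog records the full transaction.
# Review fix: added msg, tags and severity so the rule is reported like the rest of this file.
# NOTE(review): id 4044036 is outside the 5xxxxxx range every other rule here uses (it looks
# ticket-derived); harmless unless a third-party rule set uses that range -- consider renumbering.
SecRule ARGS:routestring "ajax/render/widget_php" "phase:2,id:4044036,t:none,auditlog,deny,chain,msg:'vBulletin widget_php code injection attempt',tag:'vbulletin',tag:'lw_custom',severity:CRITICAL"
SecRule ARGS_NAMES "widgetConfig\[code\]"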