# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.1.5 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # The trojan access detection rules detects access to known Trojans already # installed on a server. Uploading of Trojans is part of the Anti-Virus rules # and uses external Anti Virus program when uploading files. # # Detection of Trojans access is especially important in a hosting environment # where the actual Trojan upload may be done through valid methods and not # through hacking. # -- # # NOTE Trojans detection is based on checking elements controlled by the client. # A determined attacked can bypass those checks. We are working on # enchaining the checks so it would require a major change in the Trojan # to overcome. # # NOTE We found out that Trojan horses are not detected easily by Anti-Virus # software when uploading as the signature set of AV software is not tuned # for this purpose. We are working on adding signature tuned to detect # Trojans upload to file uploading inspection. # SecDefaultAction "log,pass,phase:2,t:lowercase,status:404" SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',severity:'2'" SecRule REQUEST_FILENAME "root\.exe" \ "t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',severity:'2'" SecRule RESPONSE_BODY "(?: